Original title:
Detekce kódu v jazyce JavaScript se známými bezpečnostními chybami
Translated title:
Detecting JavaScript Code with Known Vulnerabilities
Authors:
Randýsek, Vojtěch ; Jeřábek, Kamil (referee) ; Polčák, Libor (advisor)
Document type:
Master's thesis
Year:
2022
Language:
Czech
Publisher:
Vysoké učení technické v Brně. Fakulta informačních technologií
Abstract:
[cze] (translated from Czech)
The thesis addresses the detection of vulnerable JavaScript libraries and NPM packages. Based on existing studies, it summarizes the technological foundation of the Node.js platform and then examines in more depth selected vulnerabilities of the NPM system and the existing protective measures. A Chrome browser extension was created whose goal is to detect and fix JavaScript code with known vulnerabilities on the web browser side. The tool was tested by crawling 50 000 websites; 8 129 vulnerable scripts were detected. The extension was published on the Chrome Web Store under the name JS Vulnerability Detector.
[eng]
This thesis deals with the detection of vulnerable JavaScript libraries and NPM packages. Based on existing studies, it summarizes the technological core of the Node.js platform and further focuses on selected vulnerabilities of the NPM system and existing means of protection. A Chrome browser extension able to detect and fix JavaScript code with known vulnerabilities in the web browser was introduced. The tool was tested in a crawl of 50 000 websites, and 8 129 vulnerable scripts were detected. The extension has been published to the Chrome Web Store as JS Vulnerability Detector.
Keywords:
abstract syntax tree; browser extension; Chrome; client-side JavaScript; crawl; hash; JavaScript; JSON; Manifest V3; National Vulnerability Database; Node.js; NPM; pushdown automata; Snyk; vulnerability detection
Institution: Brno University of Technology
Document availability information: Fulltext is available in the Brno University of Technology Digital Library. Original record: http://hdl.handle.net/11012/207802