Gelato
Gelato is a client-centric dynamic analysis tool that analyses the client-side JavaScript code and crawls a web application to identify its attack surface and client and server-side vulnerabilities.
Gelato
Gelato
Gelato is a client-centric dynamic analysis tool that analyses the client-side JavaScript code and crawls a web application to identify its attack surface and client and server-side vulnerabilities.
Project Overview
Principal Investigator: Behnaz Hassanshahi
Gelato is client-centric dynamic analysis of web applications. Web applications consist of client side and server side. In modern applications, lots of server-side logic is moving to the client side, which is mostly written in JavaScript using complex libraries. Gelato's main goal is to dynamically analyze the client side with two objectives:
- to find client-side vulnerabilities such as DOM-XSS
- to generate interesting inputs for server-side dynamic analysis.
How it works
The inputs to an application determine the coverage of dynamic security analysis techniques. Many inputs to a web application, which consists of a server (e.g., Java EE) and client-side code that runs in a browser, can be generated by exploring (crawling) the client side. Crawling the client side enables client-side analysis, such as DOM-XSS detection or REST fuzzing. The outputs of Gelato include an inferred REST API as well as client and server-side vulnerabilities.
Gelato's new strategies perform state-aware crawling to increase coverage of client-side and server-side dynamic security analyses. Our crawler uses static approximate callgraphs to guide the execution towards program locations of interest. It also introduces state and event prioritisation algorithms to improve efficiency. It refines the statically generated callgraph at runtime to improve precision and recall.
Our challenges
Many existing web application crawling techniques do not analyze JavaScript code. Instead, they rely only on static link extraction from HTML pages. On the other hand, most crawlers that analyze JavaScript code aim to cover many user-defined functionalities -- they are not designed for finding security vulnerabilities.
To deal with the challenges in existing crawling techniques, we have designed a new crawler that interacts with modern client-side web applications using instrumentation-based dynamic analysis.
Behnaz Hassanshahi is a Principal Researcher at Oracle Labs Australia. In her current role, Behnaz is leading the open-source project Macaron, an analysis tool for software supply chain security. She is also working on static security analysis of Oracle Cloud Infrastructure.
In her previous project, Behnaz was the technical lead of Gelato, a Dynamic Application Security Testing (DAST) tool that analyses client-side JavaScript applications to find security vulnerabilities both at the client and server side of web applications. Gelato is now used as a product in Oracle. During the past few years, Behnaz has also explored various static and dynamic analysis as well as fuzzing techniques to analyse client-side and server-side JavaScript programs.
This is her second stint at Oracle Labs. When Behnaz worked here in 2015 as an intern in the Java Vulnerability Detection team, she designed an adaptive points-to framework that scales over OpenJDK.
After graduating from Amirkabir University of Technology (Tehran) in 2010 with a Bachelor of Science (Software Engineering), Behnaz did her PhD at the National University of Singapore. While at NUS, she was also awarded the Singapore International Graduate Award, and was a member of the Security Research Group.
Her thesis topic – Characterization, Detection and Exploitation of Injection Attacks in Android – and the security research prepared her well for her work at Oracle.
Behnaz conducts research in the area of program analysis and its intersection with computer security that will improve the security of large complex software.
Education:
* PhD in Computer Science, 2011-2016, National University of Singapore
* BSc in Software Engineering, 2006–2010, Amirkabir University of Technology
Recent and upcoming events:
USENIX Security'25 (PC member)
Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED) 2024 (PC member)
USENIX Security'24 (PC member)
USENIX Security'23 (PC member) and received a Noteworthy Reviewer award
SecDev'22 (Publicity Chair)
ISSTA'22 (PC member)
iMentor, CCS'21 (Panelist)
SCAM'21 - Engineering Track (Program Chair)
ACSAC'21 (PC member)
SCAM'20 (PC member)
ACSAC'20 (PC member)