Principal Investigator: Behnaz Hassanshahi
- to find client-side vulnerabilities such as DOM-XSS
- to generate interesting inputs for server-side dynamic analysis.
How it works
The inputs to an application determine the coverage of dynamic security analysis techniques. A web application consists of a server (e.g., Java EE) and client-side code that runs in a browser; many of its inputs can be generated by exploring (crawling) the client side. Crawling the client side enables client-side analysis, such as DOM-XSS detection or REST fuzzing. The outputs of Gelato include an inferred REST API as well as client- and server-side vulnerabilities.
Gelato's new strategies perform state-aware crawling to increase coverage of client-side and server-side dynamic security analyses. Our crawler uses static approximate callgraphs to guide the execution towards program locations of interest. It also introduces state and event prioritisation algorithms to improve efficiency. It refines the statically generated callgraph at runtime to improve precision and recall.
To deal with the challenges in existing crawling techniques, we have designed a new crawler that interacts with modern client-side web applications using instrumentation-based dynamic analysis.