Gelato

Principal Investigator: Behnaz Hassanshahi

Gelato is client-centric dynamic analysis of web applications. Web applications consist of client side and server side. In modern applications, lots of server-side logic is moving to the client side, which is mostly written in JavaScript using complex libraries. Gelato's main goal is to dynamically analyze the client side with two objectives: 

  • to find client-side vulnerabilities such as DOM-XSS
  • to generate interesting inputs for server-side dynamic analysis.

 

How it works

The inputs to an application determine the coverage of dynamic security analysis techniques. Many inputs to a web application, which consists of a server (e.g., Java EE) and client-side code that runs in a browser, can be generated by exploring (crawling) the client side. Crawling the client side enables client-side analysis, such as DOM-XSS detection or REST fuzzing. The outputs of Gelato include an inferred REST API as well as client and server-side vulnerabilities.

Gelato's new strategies perform state-aware crawling to increase coverage of client-side and server-side dynamic security analyses. Our crawler uses static approximate callgraphs to guide the execution towards program locations of interest. It also introduces state and event prioritisation algorithms to improve efficiency. It refines the statically generated callgraph at runtime to improve precision and recall.

Our challenges

Many existing web application crawling techniques do not analyze JavaScript code. Instead, they rely only on static link extraction from HTML pages. On the other hand, most crawlers that analyze JavaScript code aim to cover many user-defined functionalities -- they are not designed for finding security vulnerabilities.

To deal with the challenges in existing crawling techniques, we have designed a new crawler that interacts with modern client-side web applications using instrumentation-based dynamic analysis. 


Hardware and Software, Engineered to Work Together