Mining HTTP requests from client-side JS with static analysis — part 2

May 8, 2024

In the previous post we looked at the basic idea behind the algorithm and even built a small analyzer based on it. In this post I’ll talk a bit more about the principles our algorithm works on, including how it determines function argument values and handles objects like XMLHttpRequest, plus a few notes on the supported operations.


Mining HTTP requests from client-side JS with static analysis

March 12, 2024

Here at the Computer Security Lab we are working on a client-side JavaScript code analysis algorithm for discovering HTTP requests that can be sent by that code to the server (AJAX requests). The goal is to then give this information to a web security scanner working in black-box mode (without server source code access), so that the scanner knows which requests are accepted by the server and, therefore, where to insert the attack vectors. We are ourselves making a web security scanner, SolidPoint, that uses this analysis algorithm. In this post (and in the next couple), I’ll talk about this analysis: why we started making it, how it works and what we get as a result. I’ll also share a link to the analyzer’s source code — we’ve made it public!
