Static Analysis Of Client-Side JavaScript Code To Detect Server-Side Business Logic Vulnerabilities

Sammanfattning: In the real world, web applications are crucial in various domains, from e-commerce to finance and healthcare. However, these applications are not immune to vulnerabilities, particularly in business logic. Detecting such vulnerabilities can be challenging due to the complexity and diversity of application functionality. Consequently, there is a growing need for automated tools and techniques to aid in identifying business logic vulnerabilities. This research study investigates the efficacy of static analysis techniques in detecting server-side business logic vulnerabilities through the analysis of client-side JavaScript code. The study explores various analysis techniques, including code parsing, data flow analysis as detection methods, and their application in identifying potential vulnerabilities. This thesis also identifies common flaws contributing to business logic vulnerabilities, such as insufficient input validation, insecure access controls, and flawed decision-making logic. The effectiveness of static analysis techniques in pinpointing server-side business logic vulnerabilities is evaluated, revealing promising results, particularly in detecting parameter manipulation vulnerabilities. Notably, the study discovered vulnerabilities in two live applications that could lead to severe financial problems, underscoring the real-world implications of these vulnerabilities. However, challenges such as false positives and the need for manual verification are also acknowledged. The study concludes by proposing improvements and future research directions, including exploring advanced techniques like machine learning and natural language processing and integrating dynamic analysis and real-world testing scenarios to enhance the accuracy and efficiency of static analysis. The findings contribute to the understanding of utilizing static analysis techniques for detecting server-side business logic vulnerabilities, offering insights for developing more robust and efficient vulnerability detection tools.