
Data flow analysis does not find the bindings between function-call arguments and function definition params #9

Closed
jndre opened this issue Aug 22, 2023 · 3 comments
Labels: bug (Something isn't working)

Comments

@jndre
Contributor

jndre commented Aug 22, 2023

The analysis step that connects function-call arguments and function definition params is not executed. Thus, the data flow analysis does not traverse function calls. This affects both XSRF and DOM-Clobbering detection. I appended my testcase for XSRF detection. The fetch inside unsafe() is not reached according to the results.

website hosted at http://localhost:

<html>
        <body>
                <script>
                        let csrf_src = window.location.hash;
                        fetch("https://" + csrf_src + "/");

                        function unsafe(x){
                                fetch("https://" + x + "/");
                        }

                        unsafe(csrf_src);
                </script>
        </body>
</html>

config.yaml

# 1. which webapps to test?
testbed: 
  ## option 1: test a specific website
  site: http://localhost
  ## option 2: provide a top-site list (e.g., Alexa, Tranco, etc)
  #sitelist: /input/tranco_Y3JG_unique.csv
  #from_row: 1
  #to_row: 5000


# 2. crawler configuration
crawler:
  # max number of urls to visit
  maxurls: 2
  # time budget for crawling each site in seconds
  sitetimeout: 1800 # 30 mins;
  # browser to use for crawling
  browser:
    name: chrome
    headless: true


# 3. static analysis configuration
staticpass:
  # time budget for static analysis of each site in seconds
  sitetimeout: 10800 # 3 hrs
  # max amount of available memory for static analysis per process
  memory: 32000


# 4. dynamic analysis configuration
dynamicpass:
  # time budget for dynamic analysis of each site in seconds
  sitetimeout: 10800 # 3 hrs
  # which browser to use
  browser:
    name: chrome
    # use remote browserstack browsers or not
    use_browserstack: false
    browserstack_username: xyz
    browserstack_password: xyz
    browserstack_access_key: xyz
    


# 5. choose the vulnerability analysis component to run
# only one component must have the `enable` option as true
general_vuln_analysis:
  # performs a general vulnerability analysis (i.e., more than one vulnerability class)
  # when enabled, other vulnerability-specific components (as configured below) 
  # will not run individually anymore
  enable: false

domclobbering:
  enabled: false
  # enable or disable the passes, useful for large-scale analysis 
  # e.g., first crawl all websites, then analyze them,
  # as opposed to crawling and analyzing sequentially at the same time
  passes:
    crawling: true
    static: true
    static_neo4j: true
    dynamic: true


cs_csrf:
  enabled: true
  passes:
    crawling: true
    static: true
    static_neo4j: true

sink.flows.out:

====================================================
[timestamp] generated on 22/08/2023 09:21:11
====================================================

[*] NavigationURL: http://localhost

----------------------------------------------------
[*] Tags: ['NON-REACH']
[*] NodeId: {'TopExpression': '6', 'CallExpression': '7', 'Argument': '9'}
[*] Location: 5
[*] Function: Fetch
[*] Template: "https://" + x + "/"
[*] Top Expression: fetch("https://" + x + "/")
----------------------------------------------------

----------------------------------------------------
[*] Tags: ['WIN.LOC-READ']
[*] NodeId: {'TopExpression': '22', 'CallExpression': '23', 'Argument': '25'}
[*] Location: 2
[*] Function: Fetch
[*] Template: "https://" + csrf_src + "/"
[*] Top Expression: fetch("https://" + csrf_src + "/")

1:['WIN.LOC-READ'] variable=csrf_src
        0 (loc:1)- let csrf_src = window.location.hash
----------------------------------------------------
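The flow the report describes, reduced to a toy taint analysis. This block is an added example and not JAW's code: the tuple-based AST encoding, TEST_PROGRAM (which models the <script> of the test page above), analyze(), and the reuse of the WIN.LOC-READ / NON-REACH tag names from the sink.flows.out listing are all constructed for illustration. Run with bind_params=False it reproduces the reported result (the fetch inside unsafe() stays NON-REACH because nothing flows from the call argument into x); with bind_params=True the argument-to-parameter binding carries the window.location.hash taint into the callee and both fetch sinks are tagged.

```python
"""
Toy taint analysis over a hand-built AST (constructed example, not JAW code).
Shows why skipping the call-argument -> parameter binding step leaves sinks
inside called functions unreachable for the data flow analysis.
"""

SOURCE_PREFIX = "window.location"   # reads below this object are the taint source
SINK = "fetch"                       # the sink we report on

# Expressions: ("str", text) | ("id", name) | ("member", dotted) | ("concat", [exprs])
# Statements:  ("let", name, expr) | ("call", callee, [args]) | ("func", name, [params], [stmts])
TEST_PROGRAM = [
    ("let", "csrf_src", ("member", "window.location.hash")),
    ("call", "fetch", [("concat", [("str", "https://"), ("id", "csrf_src"), ("str", "/")])]),
    ("func", "unsafe", ["x"], [
        ("call", "fetch", [("concat", [("str", "https://"), ("id", "x"), ("str", "/")])]),
    ]),
    ("call", "unsafe", [("id", "csrf_src")]),
]


def render(expr):
    """Pretty-print an expression the way the 'Top Expression' line in the output does."""
    kind = expr[0]
    if kind == "str":
        return f'"{expr[1]}"'
    if kind in ("id", "member"):
        return expr[1]
    if kind == "concat":
        return " + ".join(render(e) for e in expr[1])
    if kind == "call":
        return f"{expr[1]}({', '.join(render(a) for a in expr[2])})"
    raise ValueError(f"unknown expression kind {kind!r}")


def is_tainted(expr, env):
    """True if any leaf of expr is a source read or a variable marked tainted in env."""
    kind = expr[0]
    if kind == "str":
        return False
    if kind == "member":
        return expr[1].startswith(SOURCE_PREFIX)
    if kind == "id":
        return env.get(expr[1], False)
    if kind == "concat":
        return any(is_tainted(e, env) for e in expr[1])
    raise ValueError(f"unknown expression kind {kind!r}")


def analyze(program, bind_params):
    """Return {sink top-expression: tag}.

    bind_params=False reproduces the issue: call arguments never flow into the
    callee's parameters, so sinks inside callees are reported as NON-REACH.
    """
    funcs = {s[1]: s for s in program if s[0] == "func"}
    findings = {}

    def report(callee, args, env):
        key = render(("call", callee, args))
        tag = "WIN.LOC-READ" if any(is_tainted(a, env) for a in args) else "NON-REACH"
        if findings.get(key) != "WIN.LOC-READ":   # keep the strongest tag seen for a sink
            findings[key] = tag

    def run(stmts, env, active):
        for stmt in stmts:
            kind = stmt[0]
            if kind == "let":
                env[stmt[1]] = is_tainted(stmt[2], env)
            elif kind == "call":
                callee, args = stmt[1], stmt[2]
                if callee == SINK:
                    report(callee, args, env)
                elif callee in funcs and callee not in active:   # 'active' stops recursion loops
                    params, body = funcs[callee][2], funcs[callee][3]
                    callee_env = {}
                    if bind_params:   # the binding step the issue reports as never executed
                        callee_env = {p: is_tainted(a, env) for p, a in zip(params, args)}
                    run(body, callee_env, active | {callee})
            # "func" declarations are hoisted; their bodies are walked at call sites

    run(program, {}, frozenset())
    # Walk every body once with untainted params so sinks in uncalled functions still show up.
    for f in funcs.values():
        run(f[3], {}, frozenset({f[1]}))
    return findings


if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_params={bind}")
        for sink, tag in analyze(TEST_PROGRAM, bind).items():
            print(f"  [{tag}] {sink}")
```

The `findings` dictionary is keyed on the rendered top expression so that the same sink reached along several paths keeps its strongest tag, which is also why the final untainted walk over every function body cannot downgrade a sink already marked WIN.LOC-READ.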
@jndre
Contributor Author

jndre commented Aug 22, 2023

As far as I can tell, this block is never executed. Thus, _get_all_call_values_of is never executed. Is it possible that the graph layout changed, and the traversal code must be adapted?

graph

@SoheilKhodayari
Owner

Hi, thanks a lot for your report. It seems that we encountered this issue before and had it fixed on a newer version of JAW, which will be released soon. Until then, I updated the affected file here with the latest version. Let me know if this change fixed the problem.

@jndre
Contributor Author

jndre commented Aug 29, 2023

It's working great now. Thank you very much!
