Static Analysis of JavaScript Web Applications in the Wild via Practical DOM Modeling (T)

Abstract

We present SAFEWapp, an open-source static analysis framework for JavaScript web applications. It provides a faithful (partial) model of web application execution environments of various browsers, based on empirical data from the main web pages of the 9,465 most popular websites. A main feature of SAFEWapp is the configurability of DOM tree abstraction levels to allow users to adjust a trade-off between analysis performance and precision depending on their applications. We evaluate SAFEWapp on the 5 most popular JavaScript libraries and the main web pages of the 10 most popular websites in terms of analysis performance, precision, and modeling coverage. Additionally, as an application of SAFEWapp, we build a bug detector for JavaScript web applications that uses static analysis results from SAFEWapp. Our bug detector found previously undiscovered bugs including ones from wikipedia.org and amazon.com.