ConfPad

Ever wondered how many times the ads in your website are using document.write? Or if you were writing to the DOM from untrusted sources? Such questions can be answered by dynamically analysing the JavaScript running in your website. Static analysis of JavaScript leads to a lot of false positives and is incredibly hard to do correctly due to features like eval, XHR, etc. Dynamic analysis of JavaScript gives much more accurate results. I will talk about using meta programming APIs such as Proxies, overriding native DOM APIs and inbuilt JS functions, using Immediately Invoked Function Expressions (IIFEs), etc. to carry out your own dynamic analysis, the gotchas involved and how I handled them. Also, I will be demonstrating how to use the open-source proxy module I wrote, which makes it easy to get started on carrying out these kinds of dynamic analysis on real-world web applications.