Samsung / jalangi2

Dynamic analysis framework for JavaScript
Apache License 2.0
435 stars 119 forks

Is there any taint analysis example provided? #116

Closed csujedihy closed 8 years ago

csujedihy commented 8 years ago

I want to do taint analysis using this amazing framework.

jawline commented 8 years ago

Hi,

Not sure if there's an official taint example. I've attached a link to a simple Taint analysis I built using shadow values. Hopefully it's useful.

http://pastebin.com/6P9Z9g1g

and an example that uses it

http://pastebin.com/EwF5nk8R

Good luck, Blake

csujedihy commented 8 years ago

cool, thx!

yihan0512 commented 4 years ago

Not sure if I should reply here. I tried the example above. It cannot handle the cases when a tainted variable is used in for/while/if statements. See an example below:

```javascript
var frm = document.querySelectorAll("form");
for (var i = 0; i < frm.length; i++) {
  if (frm[i].addEventListener) {
    frm[i].addEventListener("submit", clk, false);
  } else {
    frm[i].attachEvent('onsubmit', clk);
  }
}
```

If querySelectorAll is marked as taint, the result of i<frm.length will return {shadow: true}, not true, so the for loop will continue forever. Similar cases for while and if.
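
The branch problem described in the last comment, reproduced in a small stand-alone model (an added example, not code from the thread, the pastebin links or Jalangi2). The `Tainted` wrapper and the `binary`, `getField` and `conditional` functions are hypothetical stand-ins for an analysis's hooks, and the fix shown is to unwrap the shadow value at the branch while recording that taint reached it.

```javascript
// Constructed stand-in for shadow-value taint tracking; not Jalangi2 and not the pastebin code.
class Tainted {
  constructor(value) { this.value = value; this.shadow = true; }
}
const isTainted = (v) => v instanceof Tainted;
const concrete = (v) => (isTainted(v) ? v.value : v);

// Like a binary-operation hook: compute on concrete values, propagate the taint bit.
function binary(op, left, right) {
  const l = concrete(left), r = concrete(right);
  const result = op === '<' ? l < r : l + r; // only '<' and '+' are modelled here
  return isTainted(left) || isTainted(right) ? new Tainted(result) : result;
}

// Like a property-read hook: fields read from a tainted object are tainted.
function getField(base, name) {
  const result = concrete(base)[name];
  return isTainted(base) ? new Tainted(result) : result;
}

// Naive branch: the wrapper object itself is tested, and any object is truthy.
const naiveConditional = (result) => result;

// Fixed branch: record the tainted decision, then give the program the concrete boolean.
const taintedBranches = [];
function conditional(result) {
  if (isTainted(result)) taintedBranches.push(concrete(result));
  return concrete(result);
}

// Hand-instrumented `for (var i = 0; i < frm.length; i++)`, capped so the naive case ends.
function countIterations(frm, cond, cap) {
  let n = 0;
  for (let i = 0; cond(binary('<', i, getField(frm, 'length'))) && n < cap; i = binary('+', i, 1)) {
    n++;
  }
  return n;
}

const frm = new Tainted(['form0', 'form1', 'form2']); // constructed tainted source
console.log('naive:', countIterations(frm, naiveConditional, 1000)); // runs until the cap
console.log('fixed:', countIterations(frm, conditional, 1000));      // stops at frm.length
```

Recording the branch in `conditional` keeps the implicit-flow information that would otherwise be lost when the wrapper is dropped.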