← Back to team overview

webapps team mailing list archive

Webapps security auditing


Hi All,

part of the apt-daemon FFE, the security team asked for some
documentation on auditing integration scripts.



Up-to-date documentation for the exact steps required for auditing the
security of contributed webapp scripts. This needs to be written by
someone familiar with the intricacies of how the scripts are integrated
in the browser security model and how the webapps functionality was

I put together a document along those lines that tries to cover a bit of
ground in the area and give some background/guidelines on things to
watch when reviewing an integration script per-se:


Could you please review it and send me any comment? (or modify the
document), I need to expand it a bit w/ some comments on browser
specific stuff (maybe),

Also I quickly setup a (very) dumb script that does some sort of static
analysis/search that could be used as a basis/help. It could/should be
expanded with time and with any functionality necessary (ideally less
dumb than what I put there). The script is *not* meant for being
exhaustive (it cannot) and only emits warning for obvious this to
further inspect,

See attachement,


Alexandre Abreu
Software developer
alexandre.abreu at canonical.com

import sys

def _get_script_name():
    if len(sys.argv) == 2:
        return sys.argv[1]
        return ""
def _exit_with_error(message):
    sys.stderr.write("Error: %s\n" % message)

# list of specific audits performed
# the naming matters (automatic detection of audit functions)

def _perform_webapps_audit_usages_of_eval(content):
    Checks direct usages of eval()
    return content.find('eval') != -1

def _perform_webapps_audit_document_write(content):
    Checks direct usages of document.write
    return content.find('document.write') != -1

def _perform_webapps_audit_innerhtml(content):
    Checks presence of innerHTML accesses
    return content.find('innerHTML') != -1

def _perform_webapps_audit_unicode_presence(content):
    Checks potential presence of unicode
    return content.find('\u') != -1

def _perform_webapps_audit_iframe(content):
    Checks direct usages of iframe
    return content.find('iframe') != -1

def _perform_webapps_audit_xmlhttprequest(content):
    Checks direct usages of XMLHTTPRequest
    return content.find('XMLHTTPRequest') != -1

def _perform_webapps_audit_settimeout(content):
    Checks direct usages of setTimeout function()
    return content.find('setTimeout') != -1

def _perform_webapps_audit_document_location(content):
    Checks direct usages of the 'location' property()
    return content.find('document.location') != -1 or content.find('.location') != -1

def _perform_webapps_audit_document_location(content):
    Checks the presence of base64 or dataurl
    return content.find('"data:') != -1 or content.find('base64') != -1

def _perform_javascript_validation(content):
    import inspect
    audit_functions_prefix = '_perform_webapps_audit_'
    audit_functions = [{'name': member[0], 'function': member[1]}
                       for member in inspect.getmembers(sys.modules[__name__], inspect.isfunction)
                       if member[0].startswith(audit_functions_prefix)]

    for audit_function in audit_functions:
        func = audit_function['function']
        if func(content):
            print "Audit potential issue detected:", audit_function['name'], "performing", inspect.getdoc(audit_function['function'])

def _validate_script(script_name):
    if not script_name or len(script_name) == 0:
    import os
    if not os.path.exists(script_name) or not os.path.isfile(script_name):
        _exit_with_error("Script not found")
    except Exception, e:
        _exit_with_error("Could not validate script (error %s)" % str(e))

if __name__ == "__main__":