Web developers routinely rely on third-party JavaScript libraries such as jQuery to enhance the functionality of their sites. However, if not properly maintained, such dependencies can create attack vectors allowing a site to be compromised. In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133k websites, we show that 37% of them include at least one library with a known vulnerability; the time lag behind the newest release of a library is measured on the order of years. In order to better understand why websites use so many vulnerable or outdated libraries, we track causal inclusion relationships and quantify different scenarios. We observe sites including libraries in ad hoc and often transitive ways, which can lead to different versions of the same library being loaded into the same document at the same time. Furthermore, we find that libraries included transitively, or via ad and tracking code, are more likely to be vulnerable. This demonstrates that not only website administrators, but also the dynamic architecture and developers of third-party services are to blame for the Web's poor state of library management. The results of our work underline the need for more thorough approaches to dependency management, code maintenance and third-party code inclusion on the Web.
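As an added illustration (not code from the paper or its authors): a small Python audit that extracts library versions from a page's script includes, flags versions below an assumed vulnerability threshold, marks those behind an assumed newest release as outdated, and reports the situation the abstract describes where two versions of the same library are loaded into one document. The vulnerability table, the newest-release version, the advisory labels and the sample HTML are constructed placeholders, not real advisories or real site data.

```python
import re
from html.parser import HTMLParser

# Constructed vulnerability table (assumption): versions strictly below each
# threshold are treated as affected. Labels are placeholders, not real advisory IDs.
VULN_TABLE = {
    "jquery": [((1, 9, 0), "ADVISORY-PLACEHOLDER-1"), ((3, 5, 0), "ADVISORY-PLACEHOLDER-2")],
}
# Assumed newest release per library; in practice this comes from the vendor's release feed.
LATEST = {"jquery": (3, 7, 1)}

# Matches "jquery-1.8.3.min.js" as well as CDN paths such as "/jquery/1.8.3/jquery.min.js".
VERSION_RE = re.compile(r"(jquery)(?:[-.]|/)(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def audit_html(html):
    """Return (findings, duplicates): one finding per recognised library include,
    plus the libraries that appear in more than one version in the same document."""
    collector = ScriptCollector()
    collector.feed(html)
    findings, seen = [], {}
    for src in collector.srcs:
        m = VERSION_RE.search(src)
        if not m:
            continue  # not a library include this audit recognises
        lib = m.group(1).lower()
        version = tuple(int(x) for x in m.group(2, 3, 4))
        advisories = [label for limit, label in VULN_TABLE.get(lib, []) if version < limit]
        findings.append({"src": src, "library": lib, "version": version,
                         "advisories": advisories,
                         "outdated": version < LATEST.get(lib, version)})
        seen.setdefault(lib, set()).add(version)
    duplicates = {lib: sorted(v) for lib, v in seen.items() if len(v) > 1}
    return findings, duplicates


# Constructed sample document: two different jQuery versions loaded into one page.
SAMPLE_HTML = """<html><head>
<script src="/static/js/jquery-1.8.3.min.js"></script>
<script src="https://cdn.example/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="/static/js/app.js"></script>
</head></html>"""
```

Run `audit_html(SAMPLE_HTML)` to see the 1.8.3 include flagged against both placeholder thresholds and both versions reported as duplicates of the same library.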