Secure Web Application Proxy

SWAP is based on the idea of rendering all legitimate JavaScript
syntactically invalid, so that any JavaScript that is eventually
executed by a browser can be concluded to be malicious. Therefore,
the first step in deploying SWAP is to identify all legitimate
script calls in the original Web application and to replace each
one with a unique identifier, a script ID. This effort has to be
repeated every time a change is made to the application that alters
or adds JavaScript code. Fortunately, this step is easy to automate.
In order to locate legitimate scripts in the original Web
application, it is advisable to use the same mechanism as the
JavaScript detection component that is later used to identify
malicious scripts. This ensures that no legitimate script is
overlooked and later erroneously reported as malicious. Since we
assume that all legitimate scripts are shipped with the software and
are not user-contributed, this step should obviously be performed on
a fresh installation of the application, without any user-provided
content in the application database. Note that where legitimate
scripts are stored in the database, these scripts must also be
encoded into script IDs. For the applications we used for testing,
simple bash scripts using grep and sed on the source code were
sufficient to accomplish this task.
There are three requirements for a script ID. First, it must not
contain any valid HTML tags, so that apart from removing the script,
the structure of the Web page is preserved. Second, it must not
contain anything that would be interpreted as JavaScript by a
browser, so that when rendering a page it is safe to conclude that
all script executions stem from illegitimately injected scripts.
Third, the mapping must be reversible, so that after probing a page
for scripts, the original condition with functional JavaScript code
can be re-established. For our prototype implementation, we defined
a set of strings that directly indicate the presence of JavaScript
code, such as the script tag
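As an added example that is not the SWAP prototype's code and is not taken from the paper, the following Python sketch carries the encoding step through end to end: it locates the script indicators in a constructed sample page, replaces each one with a script ID, checks the ID against the first two requirements (no HTML tag or attribute delimiters, not recognised as JavaScript by the detector), and shows that decoding with the saved mapping restores the original page while an injected script still trips the detector. The indicator list, the ID format `SWAPID_nnnnnn`, the function names and the sample page are assumptions made for this example.

```python
"""SWAP-style script-ID encoding and decoding (illustrative, assumed code)."""
import re

# Strings that directly indicate JavaScript in HTML: the script element,
# inline event-handler attributes and javascript: URLs. This list is an
# assumption for the example; a real deployment would reuse the detector's list.
SCRIPT_PATTERNS = [
    re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL),
    # lookbehind keeps the separating whitespace so the tag name stays intact
    re.compile(r"""(?<=\s)on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE),
    re.compile(r"""javascript:[^"'\s>]*""", re.IGNORECASE),
]

ID_PREFIX = "SWAPID"                      # assumed ID format: SWAPID_000001
ID_RE = re.compile(rf"{ID_PREFIX}_\d{{6}}")

# Constructed sample page of a hypothetical application with four legitimate
# script occurrences (two script elements, one event handler, one javascript: URL).
SAMPLE_PAGE = (
    '<html><head><script src="/static/app.js"></script></head>\n'
    '<body onload="init()">\n'
    '<p>Hello, <a href="javascript:void(0)">user</a></p>\n'
    '<script>document.title = "home";</script>\n'
    '</body></html>\n'
)


def contains_script(html: str) -> bool:
    """Stand-in for the JavaScript detection component: True if any indicator matches."""
    return any(p.search(html) for p in SCRIPT_PATTERNS)


def is_valid_script_id(token: str) -> bool:
    """Check requirements 1 and 2 on the token itself.

    It must not be able to open/close a tag or break out of an attribute value
    (no < > " ' = / or whitespace), and the detector must not flag it as script.
    Requirement 3 (reversibility) is provided by the mapping from encode_scripts.
    """
    if re.search(r"""[<>"'=/\s]""", token):
        return False
    return not contains_script(token)


def encode_scripts(html: str, start: int = 1) -> tuple[str, dict[str, str]]:
    """Replace every legitimate script occurrence with a unique script ID.

    Returns the encoded page and the ID -> original-script mapping that the
    proxy needs later to restore the page.
    """
    mapping: dict[str, str] = {}
    counter = start

    def substitute(m: re.Match) -> str:
        nonlocal counter
        sid = f"{ID_PREFIX}_{counter:06d}"
        counter += 1
        mapping[sid] = m.group(0)
        return sid

    # Script elements first, so handlers/URLs inside them are never matched twice.
    for pattern in SCRIPT_PATTERNS:
        html = pattern.sub(substitute, html)
    return html, mapping


def decode_scripts(html: str, mapping: dict[str, str]) -> str:
    """Reverse the mapping. Tokens not in the mapping are left untouched."""
    return ID_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), html)


if __name__ == "__main__":
    encoded, ids = encode_scripts(SAMPLE_PAGE)
    print(encoded)
    print("script detected in clean encoded page:", contains_script(encoded))
    injected = encoded.replace("<p>", "<p><script>alert(1)</script>", 1)
    print("script detected after injection:", contains_script(injected))
    print("round trip exact:", decode_scripts(encoded, ids) == SAMPLE_PAGE)
```

Run on the sample page, the encoded output contains only the four `SWAPID_` tokens where scripts used to be, the detector stays silent on it, and the same detector fires as soon as a script is injected; decoding with the saved mapping reproduces the original page byte for byte. The detector and the encoder deliberately share `SCRIPT_PATTERNS`, which is the "same mechanism" point made above: anything the encoder does not recognise as a script would otherwise be reported as an attack at runtime.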