Finding Server-Side Endpoints with Static Analysis of Client-Side JavaScript

Cited by: 0
Authors
Sigalov, Daniil [1, 2]
Gamayunov, Dennis [1, 2]
Affiliations
[1] Lomonosov Moscow State Univ, Moscow, Russia
[2] SolidSoft LLC, Moscow, Russia
Source
COMPUTER SECURITY. ESORICS 2023 INTERNATIONAL WORKSHOPS, CPS4CIP, PT II | 2024 / Vol. 14399
Keywords
Web applications; Static analysis; JavaScript;
DOI
10.1007/978-3-031-54129-2_26
CLC classification
TP18 [Artificial intelligence theory];
Discipline codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Determining server HTTP endpoints (essentially, revealing the server's attack surface) is a crucial step of every black-box web security scanner. An indispensable method of doing so is inferring server endpoints from the client side, i.e. discovering which HTTP requests the client can send to the server. This is easy for requests triggered by HTML markup elements such as links and forms, but difficult for requests sent by JavaScript. Existing approaches to determining requests sent from JavaScript are based on a technique known as dynamic crawling: automated interaction with web page elements using a headless browser. Dynamic crawling fails when the code that sends a request is impossible or very hard to trigger through interface interaction. We propose a different approach to finding HTTP requests sent by JS code, based on static code analysis. While analyzing JavaScript statically is known to be hard, and applying existing analyzers to real-world web pages usually does not work, we propose a new lightweight analysis algorithm that works on pages of real websites and can discover server endpoints that dynamic crawlers cannot. Evaluation results show that augmenting a black-box scanner with the proposed static analysis may significantly improve server-side endpoint coverage.
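To make the abstract's point concrete, here is an added example (not the paper's algorithm or code) of the kind of lightweight static pass it describes: it scans client-side JavaScript source for `fetch()` and `XMLHttpRequest.open()` call sites and resolves their URLs through simple constant propagation, so that an endpoint reachable only from code no button ever triggers still shows up in the inventory a defender reviews. The sample client code is constructed for the example; the functions `resolveExpr`, `collectConstants` and `findEndpoints` are assumed names.

```javascript
// Constructed sample of client-side code (not from any real site).
const SAMPLE_JS = `
const API = "/api/v2";
const adminPath = API + "/admin/export";
function load() { fetch(API + "/users?page=1").then(r => r.json()); }
function hidden() {            // never wired to any button or event
  const x = new XMLHttpRequest();
  x.open("DELETE", adminPath);
  x.send();
}
function dyn(id) { fetch("/item/" + id); }
`;

// Resolve "lit" + NAME + "lit" to one string; null if any part is unknown.
function resolveExpr(expr, consts) {
  let out = "";
  for (const p of expr.split("+").map(s => s.trim())) {
    const lit = p.match(/^(['"])(.*)\1$/);
    if (lit) out += lit[2];
    else if (consts.has(p)) out += consts.get(p);
    else return null;                 // identifier, call, template, ...
  }
  return out;
}

// Constant propagation for simple bindings: const/let/var NAME = <expr>;
function collectConstants(src) {
  const consts = new Map();
  const re = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*([^;\n]+)/g;
  for (const m of src.matchAll(re)) {
    const val = resolveExpr(m[2], consts);
    if (val !== null) consts.set(m[1], val);
  }
  return consts;
}

// Report every fetch() and XMLHttpRequest.open() call site with its resolved
// URL, or an <unresolved:...> marker for a reviewer to examine by hand.
function findEndpoints(src) {
  const consts = collectConstants(src);
  const url = e => resolveExpr(e, consts) ?? "<unresolved:" + e.trim() + ">";
  const found = [];
  for (const m of src.matchAll(/\bfetch\(\s*([^,)]+)/g))
    found.push({ method: null, url: url(m[1]) });   // fetch options not parsed
  for (const m of src.matchAll(/\.open\(\s*(['"])(\w+)\1\s*,\s*([^,)]+)/g))
    found.push({ method: m[2], url: url(m[3]) });
  return found;
}
```

On the sample, the pass lists the `DELETE /api/v2/admin/export` call that a dynamic crawler would never reach, and marks the `/item/` + id request as unresolved rather than guessing; a real analyzer would additionally need to handle minified code, template literals and request wrappers.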
Pages: 442 / 458
Page count: 17