Web Application Security using JSFlow
Paper in proceeding, 2015
Web applications are often vulnerable to code injection attacks and to attacksthrough buggy or malicious libraries. Unfortunately, the current protectionmechanisms are frequently ad-hoc, as a response to attacks after the fact. Thishad lead to a plethora of specialized protection mechanisms that are oftenbrittle and insufficient to guarantee security. This extended abstract accompanies a tutorial on web application security usingJSFlow, an information-flow aware interpreter for full non-strict ECMA-262(v.5). In contrast to access control, which most current protection mechanismsapply, information-flow control focuses on what applications are allowed to dowith the information they access. This removes the inherent trust that accesscontrol places on entities that are granted access. Dispensing with this trustis key for the protection to withstand bypassing in the presence ofuntrustworthy 3rd party code and code injection attacks. Based on two practical attacks against an example web application Hrafn, wedemonstrate the power of JSFlow. The attacks model the scenario where thecurrent standards protection mechanism are bypassed or not applicable. By usinga simple and natural security policy, we show how both attacks are prevented byJSFlow. Although information-flow control has not been tailor made to preventthis kind of attacks, it offers a uniform line of defense against untrustworthyand malicious code and ensures confidentiality of sensitive data.