Web Application Security using JSFlow
Paper in proceeding, 2015

Web applications are often vulnerable to code injection attacks and to attacksthrough buggy or malicious libraries. Unfortunately, the current protectionmechanisms are frequently ad-hoc, as a response to attacks after the fact. Thishad lead to a plethora of specialized protection mechanisms that are oftenbrittle and insufficient to guarantee security. This extended abstract accompanies a tutorial on web application security usingJSFlow, an information-flow aware interpreter for full non-strict ECMA-262(v.5). In contrast to access control, which most current protection mechanismsapply, information-flow control focuses on what applications are allowed to dowith the information they access. This removes the inherent trust that accesscontrol places on entities that are granted access. Dispensing with this trustis key for the protection to withstand bypassing in the presence ofuntrustworthy 3rd party code and code injection attacks. Based on two practical attacks against an example web application Hrafn, wedemonstrate the power of JSFlow. The attacks model the scenario where thecurrent standards protection mechanism are bypassed or not applicable. By usinga simple and natural security policy, we show how both attacks are prevented byJSFlow. Although information-flow control has not been tailor made to preventthis kind of attacks, it offers a uniform line of defense against untrustworthyand malicious code and ensures confidentiality of sensitive data.

Author

Daniel Hedin

Mälardalens högskola

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Proceedings - 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015

16-19 7426055

17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015
Timisoara, Romania,

Subject Categories

Computer Engineering

Areas of Advance

Information and Communication Technology

Roots

Basic sciences

DOI

10.1109/synasc.2015.11

More information

Latest update

4/4/2024 7