App security with JSFlow

Paper in proceeding, 2016

This abstract accompanies a demo of app security using JSFlow [7]. The interested reader is encouraged to try the JSFlow tool [8] and get a full account of the theory and practice behind JSFlow, as detailed in a journal article [9]. The web has transitioned from simple, static pages to full edged applications. When loading a web application, content and scripts may be downloaded from various sources: the 1st party (the application provider), 3rd parties (e.g., library or service providers), as well other users (indirectly, via user generated content). The situation, where either of these sources is untrustworthy or malicious, may lead to attacker controlled code being executed on users' machines. This is particularly problematic, since attacker controlled code allows for complete circumvention of traditional protection mechanisms, and puts the users in the situation, where they cannot trust applications with sensitive information without endangering the con dentiality of the information.