Building Secure Web Applications Using Self-Protecting JavaScript

Master's thesis

Please use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12380/118611
Type: Master Thesis
Title: Building Secure Web Applications Using Self-Protecting JavaScript
Authors: Khan, Danish Anis
Abstract: JavaScript has become an intrinsic part of web applications, but its execution is dynamic: any variable in the program's context can be redefined, and code can be created and executed on the fly. Malicious or third-party script can be injected into web pages through XSS vulnerabilities to harm client machines. This thesis is an empirical study of controlling the execution of client-side JavaScript by modifying the script so that it becomes self-protecting, without modifying the browser. In this method, security checks are embedded into the web page to intercept security-relevant JavaScript API calls. The embedding can be performed on the server side, on the client side (in the web browser), or in a proxy between the server and the client. In this work we deployed all three architectures to demonstrate that the self-protecting method can enforce security policies that prevent real XSS attacks. For the client-side architecture we used Greasemonkey for the Firefox browser; for the proxy-based architecture we modified an open-source web proxy server (WebScarab) to inject security policies into web pages. The web applications studied include Facebook web applications, several real-world web sites with documented XSS vulnerabilities, and a sample security-critical web application. The study revealed that, in the Facebook application scenario, browser plug-ins are not appropriate for policy enforcement because the policy code runs only after all other code in the page has executed, which makes enforcement impossible. Script injection by a web proxy server and server-side script injection, on the other hand, are applicable solutions for enforcing policies on the client side. Script injection was successfully applied using WebScarab on several web applications, and application-specific policies for a web application (a payment application) were successfully applied using server-side script injection.
These policies prevent clients from XMLHttpRequest-based reflective attacks by allowing requests only to an allowed list of URLs. The outcome of this study is a self-protecting web application and a web proxy server for script injection.
Keywords: Software Engineering
Issue Date: 2009
Publisher: Chalmers University of Technology / Department of Computer Science and Engineering (Chalmers)
URI: https://hdl.handle.net/20.500.12380/118611
Collection: Master Theses