Building Secure Web Applications Using Self-Protecting JavaScript
Typ
Examensarbete för masterexamen
Master Thesis
Master Thesis
Program
Publicerad
2009
Författare
Khan, Danish Anis
Modellbyggare
Tidskriftstitel
ISSN
Volymtitel
Utgivare
Sammanfattning
JavaScript has become an intrinsic part of web applications. But it has a dynamic execution nature i.e. any variable in the context of the program can be re-defined and code can be created and execute it on the fly. Malicious or third party script can be injected in to web pages using XSS vulnerabilities to harm the client machines. This thesis work is an empirical study based on the idea of controlling the execution of JavaScript on client-side by modifying the script in way to make it self-protected without browser modification. In this method, security checks are embedded into the web page; to intercept security relevant API calls on JavaScript. The embedding process can be performed at server-side, client-side (web browser) or proxy between the server and client. In this work, we have deployed all the three different architectures to demonstrate that the self-protecting method can enforce security policies to prevent real XSS attacks. For client-side architecture, we play with Greasemonkey for Firefox browser; and we modified an open source web proxy server (WebScarab) to inject security policies into web pages for proxy-based architecture. Web applications conducted in the study include Facebook web applications, several real world documented XSS vulnerability web sites and a sample security critical web application. The study revealed that in the scenario of Facebook application, browser plug-ins are not appropriate for enforcement of policies because policy code is executed after all code in the page executes that make it is not possible for security enforcement. While, on the other hand, script injection using web proxy server and server-side are applicable solutions to enforce policies on client-side. The script injection has been successfully applied using WebScarab on several web applications. Also, the application-specific policies for web application i.e. payment application has been successfully applied using server-side script injection. These policies prevent clients from XMLHttpRequest based reflective attacks by allowing requests only for allowed list of URL’s. The outcome of this study is a self-protected web application and a web proxy server for script injection.
Beskrivning
Ämne/nyckelord
Programvaruteknik , Software Engineering