Client- and Server-Side Security Technologies for JavaScript Web Applications

Publication date: 2016-12-22

Author:

De Groef, Willem

Abstract:

Building secure web applications is notoriously difficult. The growing importance of JavaScript as a mainstream programming language for web applications has led to a situation where it is heavily used both on the client side, in the web browser, and on the server side, in JavaScript application server frameworks. The language makes it easy to make programming mistakes and introduce security bugs. In addition, JavaScript web programming relies on a programming model where the application developer can, and often has to, automatically include many pieces of code from external parties. This toxic combination leads to a situation today where security issues are commonly being abused. Although there is a plethora of ad hoc security solutions for the web browser, client-side attacks are still very common. On the server side, the situation is even worse, because the available security technologies for JavaScript application frameworks are almost non-existent. This thesis focuses on the design and implementation of robust client- and server-side security technologies for JavaScript web applications. In this work, we first present a web browser that is capable of enforcing secure information flows on client-side JavaScript applications. This browser can mitigate security and privacy threats by enforcing client-side specified policies. An experimental evaluation provides evidence for the compatibility of our browser with sites that make intricate use of JavaScript. We also show that our browser can support powerful policies that refine existing browser security technologies in a way that is compatible with existing web sites. Second, we present a security technology for server-side JavaScript web applications. This technology supports easy deployment of web-hardening techniques and custom, fine-grained restrictions on the functionality of third-party libraries and their dependencies, by enforcing the principle of least privilege. Our performance analysis shows a limited overhead. We analyzed and developed custom policies for a list of reported vulnerabilities to measure the effectiveness of our security technology.