Title: Isolating and Restricting Client-Side JavaScript
Other Titles: Isoleren en beperken van JavaScript aan de cliëntzijde
Authors: Van Acker, Steven
Issue Date: 6-Jan-2015
Abstract: In today’s web applications, no one disputes the important role of JavaScript asa client-side programming language. JavaScript can turn the Web into a lively,dynamic and interactive end-user experience. Unfortunately, JavaScript canalso be used to steal sensitive information and abuse powerful functionality. Sloppy input validation can make a web application vulnerable, allowingmalicious JavaScript code to leak into a web application’s JavaScript executionenvironment, where it leads to unintended code execution. An otherwise secure web application may intentionally include JavaScript froma third-party script provider. This script provider may in turn serve untrustedor even malicious JavaScript, leading to the intended execution of untrustedcode. In both the intended and unintended case, untrusted JavaScript ending up inthe JavaScript execution environment of a trusted web application, gains accessto sensitive resources and powerful functionality. Web application securitywould be greatly improved if this untrusted JavaScript could be isolated and itsaccess restricted. In this work, we first investigate ways in which JavaScript code can leak into thebrowser, leading to unintended JavaScript execution. We find that, due to badinput validation, malicious JavaScript code can be injected into a JavaScriptexecution environment through both browser plugins and browser extensions. Next, we review JavaScript sandboxing systems designed to isolate and restrictuntrusted JavaScript code and divide them into three categories, discussingtheir advantages and disadvantages: JavaScript subsets and rewriting systems,JavaScript sandboxing through browser modifications and JavaScript sandboxingsystems without browser modifications. We further research the last twocategories, developing and evaluating a prototype of each.
Publication status: published
KU Leuven publication type: TH
Appears in Collections:Informatics Section

Files in This Item:
File Status SizeFormat
thesis.pdf Published 2809KbAdobe PDFView/Open


All items in Lirias are protected by copyright, with all rights reserved.