Title: Client- and Server-Side Security Technologies for JavaScript Web Applications
Other Titles: Beveiligingstechnologiën voor webapplicaties in JavaScript
Authors: De Groef, Willem
Issue Date: 22-Dec-2016
Abstract: Building secure web applications is notoriously difficult. The growing importance of JavaScript as a mainstream programming language for web applications has led to a situation where it is heavily used both on the client side, in the web browser, and on the server side, in JavaScript application server frameworks.
The language makes it easy to make programming mistakes and introduce security bugs. In addition, JavaScript web programming relies on a programming model in which the application developer can, and often has to, automatically include many pieces of code from external parties. This toxic combination leads to a situation today where security issues are commonly exploited.
Although there is a plethora of ad hoc security solutions for the web browser, client-side attacks are still very common. On the server side, the situation is even worse, because security technologies for JavaScript application frameworks are almost non-existent.
This thesis focuses on the design and implementation of robust client- and server-side security technologies for JavaScript web applications. In this work, we first present a web browser that is capable of enforcing secure information flows on client-side JavaScript applications. This browser can mitigate security and privacy threats by enforcing client-side specified policies. An experimental evaluation provides evidence of the compatibility of our browser with sites that make intricate use of JavaScript. We also show that our browser can support powerful policies that refine existing browser security technologies while remaining compatible with existing web sites. Second, we present a security technology for server-side JavaScript web applications. This technology supports easy deployment of web-hardening techniques and custom, fine-grained restrictions on the functionality of third-party libraries and their dependencies, by enforcing the principle of least privilege. Our performance analysis shows limited overhead. We analyzed and developed custom policies for a list of reported vulnerabilities to measure the effectiveness of our security technology.
Publication status: published
KU Leuven publication type: TH
Appears in Collections: Informatics Section

Files in This Item:
File: thesis_willemdegroef.pdf
Status: Published
Size: 1201Kb
Format: Adobe PDF