Title: Web Application Security Using JSFlow
Authors: Daniel Hedin, A. Sabelfeld
DOI: 10.1109/SYNASC.2015.11 (https://doi.org/10.1109/SYNASC.2015.11)
Venue: 2015 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pages 16-19
Publication date: 2015-09-21
Source: Semantic Scholar record
Citations: 5
Abstract
Web applications are often vulnerable to code injection attacks and to attacks through buggy or malicious libraries. Unfortunately, the current protection mechanisms are frequently ad hoc, created in response to attacks after the fact. This has led to a plethora of specialized protection mechanisms that are often brittle and insufficient to guarantee security. This extended abstract accompanies a tutorial on web application security using JSFlow, an information-flow-aware interpreter for full non-strict ECMA-262 (v.5). In contrast to access control, which most current protection mechanisms apply, information-flow control focuses on what applications are allowed to do with the information they access. This removes the inherent trust that access control places on entities that are granted access. Dispensing with this trust is key for the protection to withstand bypassing in the presence of untrustworthy third-party code and code injection attacks. Based on two practical attacks against an example web application, Hrafn, we demonstrate the power of JSFlow. The attacks model the scenario where the current standard protection mechanisms are bypassed or not applicable. By using a simple and natural security policy, we show how both attacks are prevented by JSFlow. Although information-flow control has not been tailor-made to prevent this kind of attack, it offers a uniform line of defense against untrustworthy and malicious code and ensures confidentiality of sensitive data.