Journal articles
2 articles found
Electrolint and security of Electron applications
1
Authors: Ksenia Peguero, Xiuzhen Cheng. High-Confidence Computing, 2021, No. 2, pp. 14-25 (12 pages)
JavaScript applications today are not limited to client-side web applications and server-side code powered by Node.js. With the emergence and popularity of the Electron framework, JavaScript has also become the standard for desktop application development. Because they combine the features of client-side and server-side applications, Electron applications possess a completely different security posture: attacks typical of front-end applications can now be escalated to back-end attacks, for example a cross-site scripting flaw resulting in remote code execution on the user's machine. The goal of our study is to analyze the typical security vulnerabilities of an Electron application, study common mitigation controls, and propose new remediation solutions that are easy for developers to implement. In this study we analyze security vulnerabilities in over a hundred open source Electron applications using automated and manual static analysis. We explore the mitigation controls existing in the Electron framework and propose changes to the framework that will prevent many of the common vulnerabilities. Based on these results, we develop an IDE plugin for Electron applications that automatically suggests remediations to common security defects within a developer's work environment, thus shifting the fixing of a vulnerability to earlier in the software development life cycle. We show the effectiveness of the IDE plugin by applying its suggestions to the analyzed open source applications and demonstrating that they stop being exploitable after the fix is applied.
Keywords: JavaScript security; Web security; Desktop security; Framework analysis; Electron framework; Static analysis
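As an added illustration of the escalation the abstract describes (this is not the paper's Electrolint code): in an Electron renderer created with nodeIntegration: true and contextIsolation: false, any script injected into the page can call require('child_process') and run commands on the host, which is how an XSS becomes RCE. The check below, modelled on Electron's published security recommendations, flags such BrowserWindow webPreferences and produces the remediated configuration, in the spirit of the IDE quick-fixes the paper describes. The rule list, the messages and the lintWebPreferences/remediate names are this example's own, and it only judges options that are set explicitly, since Electron's defaults for unset options vary by version.

```javascript
'use strict';
// Added example, not the authors' Electrolint code: a small rule-based check over
// the webPreferences object passed to Electron's BrowserWindow. The rule list is
// this example's own reading of Electron's security recommendations.

// A rule flags an option whose explicit value weakens renderer isolation.
// `unsafe` tests the value; `safe` is the value the remediation substitutes.
const RULES = [
  { option: 'nodeIntegration', unsafe: v => v === true, safe: false,
    why: 'renderer scripts (including injected XSS) get require() and child_process' },
  { option: 'contextIsolation', unsafe: v => v === false, safe: true,
    why: 'page scripts share the JS context with the preload script and its privileges' },
  { option: 'sandbox', unsafe: v => v === false, safe: true,
    why: 'renderer runs outside the Chromium OS-level sandbox' },
  { option: 'webSecurity', unsafe: v => v === false, safe: true,
    why: 'same-origin policy disabled in the renderer' },
  { option: 'allowRunningInsecureContent', unsafe: v => v === true, safe: false,
    why: 'https pages may load http scripts' },
  { option: 'enableRemoteModule', unsafe: v => v === true, safe: false,
    why: 'renderer can reach main-process objects over the remote module' },
  { option: 'webviewTag', unsafe: v => v === true, safe: false,
    why: '<webview> lets pages embed further, possibly unisolated, renderers' },
];

// Return one finding per violated rule, in rule order. Only explicitly set
// values are judged: an option left undefined takes Electron's default, which
// this check does not try to reproduce across versions (assumption).
function lintWebPreferences(prefs = {}) {
  const findings = [];
  for (const rule of RULES) {
    const isSet = Object.prototype.hasOwnProperty.call(prefs, rule.option);
    if (isSet && rule.unsafe(prefs[rule.option])) {
      findings.push({ option: rule.option, fix: `${rule.option}: ${rule.safe}`, why: rule.why });
    }
  }
  return findings;
}

// Produce the remediated webPreferences, the way an editor quick-fix would,
// leaving every option the rules do not cover untouched.
function remediate(prefs = {}) {
  const fixed = { ...prefs };
  for (const rule of RULES) {
    const isSet = Object.prototype.hasOwnProperty.call(fixed, rule.option);
    if (isSet && rule.unsafe(fixed[rule.option])) fixed[rule.option] = rule.safe;
  }
  return fixed;
}

// Constructed sample: the configuration that turns XSS in a page into code
// execution on the host.
const vulnerable = { nodeIntegration: true, contextIsolation: false, preload: 'preload.js' };

for (const f of lintWebPreferences(vulnerable)) {
  console.log(`${f.option}: ${f.why} -> use ${f.fix}`);
}
console.log('remediated:', remediate(vulnerable));
```

Run it with node; the two findings printed are the pair that makes the XSS-to-RCE escalation possible, and the remediated object keeps the preload path while flipping both flags. A real linter would additionally need to resolve the object literal out of the `new BrowserWindow({...})` call site in the source tree, which is the part this example leaves out.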
CSRF protection in JavaScript frameworks and the security of JavaScript applications
2
Authors: Ksenia Peguero, Xiuzhen Cheng. High-Confidence Computing, 2021, No. 2, pp. 7-13 (7 pages)
With JavaScript being the most popular programming language on the web, several new JavaScript frameworks are released every year. A well designed framework may help developers create secure applications. The goal of our study is to understand how framework developers can best protect applications developed using their framework. In this work we studied how the cross-site request forgery vulnerability is mitigated in several server-side JavaScript frameworks: Express.js, Koa.js, Hapi.js, Sails.js, and Meteor.js. We then analyzed open source applications developed with these frameworks using open source and custom-written tools for automated static analysis and identified the percentage of protected applications for each framework. We correlated our analysis results with the implementation levels of mitigating controls in each framework and performed statistical analysis of our results to ensure no other confounding factors were involved. Based on the outcomes we provide recommendations for framework developers on how to create frameworks that produce secure applications.
Keywords: JavaScript security; Web security; Web frameworks; Framework analysis; Cross-site request forgery