An Empirical Study of the Framework Impact on the Security of JavaScript Web Applications

Background: JavaScript frameworks are widely used to create the client-side and server-side parts of contemporary web applications. Vulnerabilities like cross-site scripting introduce significant risks in web applications.

Aim: The goal of our study is to understand how the security features of a framework impact the security of the applications written using that framework.

Method: In this paper, we present four locations in an application, relative to the framework being used, where a mitigation can be applied. We perform an empirical study of JavaScript applications that use the three most common template engines: Jade/Pug, EJS, and Angular. Using automated and manual analysis of each group of applications, we identify the number of projects vulnerable to cross-site scripting, and the number of vulnerabilities in each project, based on the framework used.

Results: We analyze the results to compare the number of vulnerable projects to the mitigation locations used in each framework and perform statistical analysis of confounding variables.

Conclusions: The location of the mitigation impacts the application's security posture, with mitigations placed within the framework resulting in more secure applications.
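To make the conclusion concrete, here is an added example (not code from the paper or from any of the engines it studies): a miniature renderer that mimics EJS's two output tags, where `<%= %>` is HTML-escaped inside the engine by default and `<%- %>` is the explicit raw opt-out that hands the escaping duty back to application code. The renderer is a deliberate simplification (bare identifiers only, no expression evaluation), and the untrusted input is constructed for the demonstration.

```javascript
// Added example: a mitigation located inside the template engine.
// `<%= name %>` escapes by default; `<%- name %>` emits the value raw, so
// every raw site is a place where the application must have sanitised.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render `template` against `data`. Only bare identifiers are looked up
// (no eval); a missing key renders as the empty string rather than "undefined".
function render(template, data) {
  return template.replace(
    /<%([=-])\s*([A-Za-z_$][\w$]*)\s*%>/g,
    (_match, mode, name) => {
      const value = data[name] === undefined ? '' : data[name];
      return mode === '=' ? escapeHtml(value) : String(value);
    }
  );
}

// Count the raw-output opt-outs in a template: the spots an auditor would
// review first, because the framework-level mitigation is bypassed there.
function rawOutputSites(template) {
  return (template.match(/<%-/g) || []).length;
}

// Constructed untrusted input, as a user-supplied display name might arrive.
const untrusted = '<script>alert(1)</script>';

console.log(render('<p>Hello, <%= name %></p>', { name: untrusted }));
// -> <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
console.log(render('<p>Hello, <%- name %></p>', { name: untrusted }));
// -> <p>Hello, <script>alert(1)</script></p>   (application must sanitise)
console.log('raw sites:', rawOutputSites('<%= a %><%- b %><%- c %>'));
// -> raw sites: 2
```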
