COMING SOON! PQDT Open is getting a new home!

ProQuest Open Access Dissertations & Theses will remain freely available as part of a new and enhanced search experience at

Questions? Please refer to this FAQ.

Dissertation/Thesis Abstract

Impact of Frameworks on Security of JavaScript Applications
by Peguero, Ksenia, Ph.D., The George Washington University, 2021, 105; 28316526
Abstract (Summary)

With JavaScript being the most popular programming language for at least the last six years, several new JavaScript frameworks are released every year. These frameworks are widely used to create client-side and server-side parts of contemporary web applications, as well as cross-platform desktop applications. At the same time, the security of JavaScript applications leaves much to be desired, as cross-site scripting, remote code execution, authorization bypasses, and other vulnerabilities are reported daily. Since a large part of a contemporary application code base is comprised of the chosen framework (or frameworks), that framework must have a significant impact on the security of the application. Thus, a well designed framework may help developers not only to create applications faster, but also produce more secure applications.

In this dissertation we present our research on studying how the security features of a framework impact the security posture of the applications written using that framework. We propose a categorization of security controls implementation based on the proximity to the development framework, and analyze the security of open source applications that use such JavaScript frameworks with various levels of security controls implementations. To produce complete results, we study all three different classes of JavaScript applications: client-side, server-side, and desktop applications.

First, we focus on a client-side vulnerability - cross-site scripting, or XSS, and how it is mitigated in JavaScript template engines. We examine a special case where an application needs to maintain some HTML markup in user input and research three most common template engines: AngularJS, Jade/Pug, and EJS. We perform an empirical study of open source JavaScript applications that use these three template engines via an automated analysis pipeline that we developed, and then perform manual analysis of each group of applications. We identify the number of applications vulnerable to cross-site scripting, and the number of vulnerabilities in each project, based on the framework used. Then we correlate the results of vulnerable applications to the security controls implementation levels in each of the template engines.

Second, we switch our focus to server-side JavaScript frameworks and another vulnerability – cross-site request forgery vulnerability, or CSRF. CSRF is mostly mitigated in the server-side code with some parts implemented on the client-side. We research CSRF security controls in several popular server-side JavaScript frameworks: Express.js, Koa.js, Hapi.js, Sails.js, and Meteor.js. We then analyze open source applications developed with these frameworks using an open source linter ESLint and custom developed rules for it and identify the percentage of protected applications for each framework. We correlate our results to the implementation levels of security controls in each framework and perform statistical analysis to ensure no other confounding factors are involved.

Furthermore, we compare the results of these two first studies: the XSS mitigations in template engines and the CSRF mitigations in server-side frameworks. Based on our findings, we provide recommendations for developers and framework maintainers on how to create better frameworks that produce secure applications. We also update our initially proposed categorization of security controls implementation to include an additional level.

Third, we study desktop JavaScript applications developed using the Electron framework. In this group of open source applications we analyze several types of vulnerabilities detected using the Electronegativity open source tool and explore mitigations for each of the most common types. We identify the level of mitigation for each vulnerability, and, if the mitigation is part of the framework, we find whether it is configured securely by default. Based on this data, we propose recommendations for hardening the Electron framework so that JavaScript desktop applications have certain security controls built in early on.

However, the updates to the frameworks take a long time. For example, during our work on the third study, only two of the proposed six mitigations were implemented in the Electron framework by its maintainers. Therefore, we develop an IDE plugin for Electron applications called Electrolint, that not only identifies the security issues at development time, but also suggests contextual mitigation to the developer at the appropriate line of code. In this way it removes friction for developers to add the needed security controls to their applications early in the software development life cycle. We verify that Electrolint provides security advice for every defect identified in the open source applications examined in our third study. Lastly, we demonstrate in several applications that the fix provided by Electrolint addresses the security defect and makes these applications protected against the previously successful exploits for the identified vulnerabilities.

Indexing (document details)
Advisor: Cheng, Xiuzhen
Commitee: Choi, Hyeong-Ah, Youssef, Abdou, Zhang, Nan
School: The George Washington University
Department: Computer Science
School Location: United States -- District of Columbia
Source: DAI-B 82/8(E), Dissertation Abstracts International
Subjects: Computer science, Information Technology
Keywords: Framework analysis, JavaScript security, Static analysis, Web frameworks, Web security
Publication Number: 28316526
ISBN: 9798582533276
Copyright © 2021 ProQuest LLC. All rights reserved. Terms and Conditions Privacy Policy Cookie Policy