Visible to the public An Empirical Study of the Framework Impact on the Security of JavaScript Web Applications

TitleAn Empirical Study of the Framework Impact on the Security of JavaScript Web Applications
Publication TypeConference Paper
Year of Publication2018
AuthorsPeguero, Ksenia, Zhang, Nan, Cheng, Xiuzhen
Conference NameCompanion Proceedings of the The Web Conference 2018
PublisherInternational World Wide Web Conferences Steering Committee
Conference LocationRepublic and Canton of Geneva, Switzerland
ISBN Number978-1-4503-5640-4
KeywordsCross Site Scripting, cross-site scripting, framework analysis, Human Behavior, javascript security, pubcrawl, resilience, Scalability, template engines, web frameworks, web security

\textbackslashtextbackslashtextitBackground: JavaScript frameworks are widely used to create client-side and server-side parts of contemporary web applications. Vulnerabilities like cross-site scripting introduce significant risks in web applications.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitAim: The goal of our study is to understand how the security features of a framework impact the security of the applications written using that framework.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitMethod: In this paper, we present four locations in an application, relative to the framework being used, where a mitigation can be applied. We perform an empirical study of JavaScript applications that use the three most common template engines: Jade/Pug, EJS, and Angular. Using automated and manual analysis of each group of applications, we identify the number of projects vulnerable to cross-site scripting, and the number of vulnerabilities in each project, based on the framework used.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitResults: We analyze the results to compare the number of vulnerable projects to the mitigation locations used in each framework and perform statistical analysis of confounding variables.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitConclusions: The location of the mitigation impacts the application's security posture, with mitigations placed within the framework resulting in more secure applications.

Citation Keypeguero_empirical_2018