CSRF protection in JavaScript frameworks and the security of JavaScript applications

With JavaScript being the most popular programming language on the web, several new JavaScript frameworks are released every year. A well designed framework may help developers create secure applications. The goal of our study is to understand how framework developers can best protect applications d...

Full description

Bibliographic Details
Main Authors: Ksenia Peguero, Xiuzhen Cheng
Format: Article
Language:English
Published: Elsevier 2021-12-01
Series:High-Confidence Computing
Subjects:
Online Access:http://www.sciencedirect.com/science/article/pii/S2667295221000258
Description
Summary:With JavaScript being the most popular programming language on the web, several new JavaScript frameworks are released every year. A well designed framework may help developers create secure applications. The goal of our study is to understand how framework developers can best protect applications developed using their framework. In this work we studied how cross-site request forgery vulnerability is mitigated in several server-side JavaScript frameworks: Express.js, Koa.js, Hapi.js, Sails.js, and Meteor.js. We then analyzed open source applications developed with these frameworks using open source and custom written tools for automated static analysis and identified the percentage of protected applications for each framework. We correlated our analysis results to the implementation levels of mitigating controls in each framework and performed statistical analysis of our results to ensure no other confounding factors were involved. Based on the received outcomes we provide recommendations for framework developers on how to create frameworks that produce secure applications.
ISSN:2667-2952