Taxonomy for JavaScript Attacks

Thumbnail Image
Nourijelyani, Mohammad
Attacks , Security , JavaScript , Taxonomy
In the ubiquity era, each user has multiple devices; hence an attractive model is to have applications that execute in a client’s web browser instead of developing a native application for each device. JavaScript is the language of the browser and the power available in these devices has motivated developers to move functionality to the client side. This raises the question of securing JavaScript applications since code executed on the browser is visible in plain text to potential adversaries. To identify the context in which JavaScript attacks take place, we discuss different styles of software architecture and conclude that the architecture relevant to our study is client/server with a monolithic, event driven client where a significant amount of the application’s logic sits on the client side. We discuss threat modeling methodologies and explain how this thesis fits into the attack extraction phase of threat modeling and we define a taxonomy for JavaScript attacks. We have collected a set of man in the middle attacks for JavaScript where the attacker actively eavesdrops on the connection. We have also included man at the end, or White Box, attacks where the attacker has control over both the execution platform and the software implementation. These attacks have been used in conventional programming languages and we have adapted them to JavaScript. White Box attacks have become significant in web applications due to the move of sensitive functionality to the client side and have especially been the concern of digital rights management.
External DOI