Taxonomy for JavaScript Attacks


Authors

Nourijelyani, Mohammad

Date

2014-11-26

Type

thesis

Language

eng

Keyword

Attacks, Security, JavaScript, Taxonomy

Abstract

In the era of ubiquitous computing each user has multiple devices, so an attractive model is to have applications execute in the client's web browser instead of developing a native application for every device. JavaScript is the language of the browser, and the processing power available on these devices has motivated developers to move functionality to the client side. This raises the question of how to secure JavaScript applications, since code executed in the browser is visible in plaintext to a potential adversary. To identify the context in which JavaScript attacks take place, we discuss different styles of software architecture and conclude that the architecture relevant to our study is client/server with a monolithic, event-driven client, where a significant amount of the application's logic sits on the client side. We discuss threat modeling methodologies, explain how this thesis fits into the attack extraction phase of threat modeling, and define a taxonomy for JavaScript attacks. We have collected a set of man-in-the-middle attacks on JavaScript, in which the attacker actively eavesdrops on the connection between client and server. We have also included man-at-the-end, or white-box, attacks, in which the attacker controls both the execution platform and the software implementation. These attacks have been studied for conventional programming languages and we have adapted them to JavaScript. White-box attacks have become significant in web applications because sensitive functionality has moved to the client side, and they have been of particular concern for digital rights management.

Description

Thesis (Master, Computing) -- Queen's University, 2014-11-24 10:32:21.362

License

This publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owner.