An Empirical Study of the Framework Impact on the Security of JavaScript Web Applications

Ksenia Peguero, Nan Zhang, Xiuzhen Cheng
2018 Companion of the The Web Conference 2018 on The Web Conference 2018 - WWW '18  
JavaScript frameworks are widely used to create client-side and server-side parts of contemporary web applications. Vulnerabilities like cross-site scripting introduce significant risks in web applications. Aim: The goal of our study is to understand how the security features of a framework impact the security of the applications written using that framework. Method: In this paper, we present four locations in an application, relative to the framework being used, where a mitigation can be ... d. We perform an empirical study of JavaScript applications that use the three most common template engines: Jade/Pug, EJS, and Angular. Using automated and manual analysis of each group of applications, we identify the number of projects vulnerable to cross-site scripting, and the number of vulnerabilities in each project, based on the framework used. Results: We analyze the results to compare the number of vulnerable projects to the mitigation locations used in each framework and perform statistical analysis of confounding variables. Conclusions: The location of the mitigation impacts the application's security posture, with mitigations placed within the framework resulting in more secure applications.

CCS CONCEPTS • Security and privacy → Web application security; • Software and its engineering → Development frameworks and environments; Software defect analysis;
doi:10.1145/3184558.3188736 dblp:conf/www/PegueroZC18 fatcat:e5qketec5zby7mjhxgln7pjnna