JavaScript Sandboxing: Isolating and Restricting Client-Side JavaScript

Acker, Steven Van; Sabelfeld, Andrei

doi:10.1007/978-3-319-43005-8_2

Cited by 6 publications

(2 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As future work, we plan to extend Bulwark to add an additional protection layer, i.e., on client-side communication based on JavaScript and the postMessage API. This is important to support modern SDKs making heavy use of these technologies, like the latest versions of the PayPal SDKs, yet challenging given the complexity of sandboxing JavaScript code [3]. On the formal side, we would like to strengthen our definition of "inattentive" participant to cover additional vulnerabilities besides missing invariant checks.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Bulwark: Holistic and Verified Security Monitoring of Web Protocols

Veronese,

Calzavara,

Compagna

2021

Preprint

View full text Add to dashboard Cite

Modern web applications often rely on third-party services to provide their functionality to users. The secure integration of these services is a non-trivial task, as shown by the large number of attacks against Single Sign On and Cashier-as-a-Service protocols. In this paper we present Bulwark, a new automatic tool which generates formally verified security monitors from applied pi-calculus specifications of web protocols. The security monitors generated by Bulwark offer holistic protection, since they can be readily deployed both at the client side and at the server side, thus ensuring full visibility of the attack surface against web protocols. We evaluate the effectiveness of Bulwark by testing it against a pool of vulnerable web applications that use the OAuth 2.0 protocol or integrate the PayPal payment system.

show abstract

Section: Discussionmentioning

confidence: 99%

“…1, we selected a widely used web protocol, namely OAuth 2.0 in explicit mode, which allows a RP to leverage a TTP for authenticating a user operating a UA. 3 The protocol starts (step 1) with the UA visiting the RP's login page. A login button is provided back that, when clicked, triggers a request to the TTP (steps 2-3).…”

Section: Motivating Examplementioning

confidence: 99%