Client-side security through JavaScript API wrapping

Abstract

Cross Site Scripting (XSS) allows an attacker to inject malicious code into a webpage. Modern web applications enforce various security measures to mitigate attacks but many of these can be easily circumvented by malicious scripts. In fact, JavaScript has full access to the content of a page, thus any confidential information is potentially compromised whenever an attacker is able to inject a malicious script in a visited webpage. In this thesis we experiment techniques to wrap JavaScript APIs so to control what scripts can do and to mitigate the consequences of XSS attacks. We consider the case study of a login form and we show how to prevent password leakage through JavaScript API wrapping.