Department of Computer Science: MSc Thesis Presentations
Mapping the Attack Surface Hidden in Unauthenticated JavaScript: An Analysis of Finland’s Critical Infrastructure
Author: Alexander Colb
Supervisor: Philip Ginzboorg
Abstract: Automated reconnaissance lays out the attack surface of a target before manual testing begins. It is typically conducted by professionals as a first step in a security assessment. Public web applications, where JavaScript serves as the backbone of all front-end operations, are a common target for reconnaissance. The code of those applications is delivered to the browser as a packaged bundle, which is often public, allowing remote clients to download it without logging in.
We have implemented an automated reconnaissance pipeline to crawl, analyze and process the application code of a set of remote web applications. In the future, these tools could be part of publicly funded attack-surface management solutions offered to organizations. Part of our pipeline is a novel crawler, which finds and fetches JavaScript files from the server statically, i.e., without running any of the extracted application code. On average, our crawler achieved equal or better JavaScript coverage than the crawlers used in previous work, which use a headless browser to simulate the actions of a user.
An intentionally vulnerable Single-Page Application was implemented to aid in the development of our pipeline. The application includes several examples of front-end vulnerabilities and has been published in the Open Worldwide Application Security Project (OWASP) Vulnerable Web Applications Directory.
We selected a hundred targets across ten sectors of critical infrastructure within Finland and ran our pipeline against their web applications. Our analysis uncovered several classes of potential vulnerabilities in many of the target web sites, including information disclosure, open redirection and DOM clobbering. We have reported these findings to the Finnish Transport and Communications Agency (Traficom).
All in all, we have demonstrated a practical way to create an attack-surface map of front-end web applications through static analysis.