Sample Proposal 1 - Security Method For JavaScript

Uploaded by sajeenamalla000

<Name of Author>

<Student Registration Number>

To Develop an Enhanced Security Method for JavaScript in Web Applications

Word Count 2400

1. Justification of the Research Proposed

JavaScript is currently the largest and most widely used client-side scripting language in the
world. Most web applications depend on JavaScript to enhance the functionality and interactivity
of the web page. The dynamic and inconsistent coding of JavaScript has made web applications
more vulnerable: “unexpected code fragments can be injected into the web sandbox by cross-site
scripting attacks” (Swamy, N. et al. 2014).

The client, Facebook, Inc., is one of the largest social networking companies and deals daily with
large amounts of user information that interacts with JavaScript, yet there is no perfect solution
to security problems such as cross-site scripting attacks. A large-scale platform like Facebook has
adopted JavaScript to increase the functionality of its website. The client is trying to achieve
more secure coding for JavaScript in order to prevent JavaScript injection attacks.

An evaluation of current research on methods for securing JavaScript in web applications is
needed so that the best method for the most secure JavaScript can be identified and implemented
in web applications. Several studies address the security of JavaScript, such as (Swamy, N. et al.
2014), (Misra, S., Cafer, F. 2012), (Bodin, M. et al. 2014) and (Chuan Yue, Haining Wang 2013),
and they will be the evaluation subjects in this proposed project.

According to Misra, S. and Cafer, F. (2012), their published work presents a measurement method
for evaluating the quality of JavaScript code. The metric is efficient at evaluating the quality of
JavaScript compared to other well-known metrics. However, the quality of JavaScript does not
directly affect its security, and the literature shows no sign of work having been done to increase
the security of JavaScript.

The research carried out by Swamy et al. (2014) successfully moved unsafe code that is vulnerable
to security attacks to a hybrid of dynamically and statically type-safe code, but it has not yet
been tested on a public platform, and the JavaScript constructs covered are not extensive enough
to provide the functions found in common JavaScript libraries.

2. The Project Aim

The purpose of this project is to develop enhanced methods for the security of JavaScript in web
applications in order to prevent the injection of unexpected code fragments into the web sandbox
by cross-site scripting attacks.

3. The Project Objective

- Analyse the client’s current JavaScript library and identify the existing security weaknesses in the JavaScript library.
- Review the most up-to-date literature and journals to find the most current research that has been carried out on security methods used in JavaScript libraries.
- Investigate the security methods currently used by other social networking companies and evaluate the effectiveness of those methods.
- Develop new security methods for JavaScript that will prevent cross-site scripting attacks.
- Build a virtual web application similar to the client’s web application for testing the new method.
- Test the new methods on the virtual web application.
- Evaluate the results of the new method.
- Publish the project results.

4. Practical Outcomes for Client

The project focuses mainly on the security approach for JavaScript by developing enhanced
security methods and producing a new JavaScript library to implement in web applications. On
completion of this project the client will be given a new JavaScript library with the new security
approach, which prevents cross-site scripting attacks and access to users’ confidential
information. Moreover, the client will receive all test data and results together with a written
report that demonstrates how the new security method fits into a large-scale web application.

5. The Proposed Methodology

In order to achieve the aim of this project, the project objectives will be carried out according
to the schedule plotted in the Gantt chart. The project will start by investigating the security
methods the client currently uses in their JavaScript library and identifying the existing security
weaknesses in that library.

The investigation will begin by interviewing the head of the web development department. This
will help the project to understand the current security issues the client is facing. The
information provided will include the methods of attack used by hackers, the current security
issues that need to be solved immediately, and approval to study the JavaScript library the client
is using. Next, the web development team members will be interviewed to collect information
about the security issues they encounter daily when using the existing JavaScript library in web
development. The collected data will indicate the common security problems the members
encounter all the time, which will narrow the scope of the project and give a clear direction as
to which problem should be dealt with as a priority. After approval is given, the study of the
client’s JavaScript will begin. This will help to discover the flaws in the library currently in
use and to gather statistics on the usage of each function in the JavaScript library. On the other
hand, understanding the needs of the client is essential for developing a method that fits into
the large-scale platform and fulfils the usability and user requirements. An analysis report will
be produced at the end of the investigation, presenting the data together with the user
requirements.

The literature review will be conducted by finding and reading academic journals and conference
papers relevant to security methods in JavaScript. Data gathering will be conducted using
quantitative research. The gathered information will be evaluated to identify the most secure
method of securing JavaScript at the moment. This will provide ideas for combining several methods
into one to form an enhanced method, or for the improvements needed in the chosen best security
method. A review of the current technologies of web browsers will be needed as the project is
focused on the web application sector. The review will provide the information for building the
structure of the JavaScript around the technology currently used by web browsers. Understanding
the JavaScript engine is important because the JavaScript is executed by the engine.

An investigation of the security methods currently used by other social networking companies will
be carried out. The head of department and team members will be interviewed to gather
information about security issues. A review of the JavaScript library will provide information on
the current library’s security approach and the level of integrity of the library. By the end of
the investigation, an analysis report will be generated stating all the factors that affect the
security of JavaScript.

After all the data has been gathered, the development of the new security methods for JavaScript
will begin. First, a hypothesis will be constructed as the fundamental idea of the project. An
assumption will be made to provide a hypothetical outcome before the actual development starts.
In developing the new security method in JavaScript, several methods will be included in the
library to prevent cross-site scripting attacks and to encapsulate user information. A review of
the new method will be conducted to refine it. These will be independent reviews to remove bias.
On completion of the development stage, a new JavaScript library with the enhanced security
method will be presented.

The project will continue by building a virtual web application similar to the client’s web
application for testing. The reason for building a similar environment is that the client’s web
application is a large-scale platform accessed by millions of users, and the stability of the
JavaScript must be achieved to handle the large volume of access to the web application. First,
approval from the client will be needed to access the source code of the web application.
Understanding the source code will help to save time in programming the new virtual web
application. The virtual web application will make full use of the JavaScript library embedded
with the new security method. Lastly, a review of the web application will be carried out to
determine its stability and usability.

The web application with the new security method in the JavaScript library will then be ready to
test on a local server and a web server. This process will be discussed further in the evaluation
plan.

The final part of this project will be publishing the research paper. All the research data from
interviews, literature reading, reviews and experimental tests will be gathered to evaluate the
findings of the completed project.

6. The Evaluation Plans

In order to evaluate the new enhanced security method for JavaScript in web applications,
experiments will be conducted to show a clear difference between the current security approaches
used in the literature and by the client and the enhanced method. Most of the test results will be
shown in the form of statistical data. The experiments will be conducted in a controlled
environment, namely a controlled lab, and also on a live network.

The lab environment will be set up to resemble the client’s network as closely as possible. The
database structure will also be designed to be similar to the client’s database in order to
eliminate factors that might affect the test results. The experiments will be conducted several
times with different approaches to cross-site scripting attacks and also JavaScript injection
attacks. All the approaches will be carried out by the selected group of white hats.

The client’s JavaScript library will be tested first, by performing cross-site scripting attacks
and JavaScript injection attacks against it. This will produce a controlled set of data which
becomes the baseline against which the results of the new enhanced method are measured. There
are two types of cross-site scripting attack, non-persistent and persistent. The experiments will
be based on these two types and on general JavaScript injection attacks that aim to gain access to
particular user information.
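As an added illustration (not part of the proposal), the following JavaScript models the comparison the evaluation plan describes: a baseline renderer that trusts its inputs stands in for the client's current library, a hardened renderer with context-aware output encoding stands in for the enhanced method, and each constructed probe is pushed through both a stored (persistent) and a reflected (non-persistent) data path. The profile fields, probe strings, renderers and the simplified markup check that stands in for the browser's parser are all assumptions made here.

```javascript
// Added example (not from the proposal): a miniature version of the planned
// lab experiment. A "baseline" renderer and a hardened renderer render the same
// untrusted profile data; fragments that still carry script-capable markup are counted.

// Encoder for HTML element content and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// URL context: only http(s) is allowed; anything else becomes an inert "#".
function safeUrl(u) {
  return /^https?:\/\//i.test(String(u).trim()) ? escapeHtml(u) : "#";
}

// Baseline renderer, standing in for a library that trusts its inputs.
function renderBaseline(p) {
  return `<div class="profile"><h2>${p.name}</h2>` +
         `<a href="${p.homepage}">home</a></div>`;
}

// Hardened renderer: each value is encoded for the context it lands in.
function renderHardened(p) {
  return `<div class="profile"><h2>${escapeHtml(p.name)}</h2>` +
         `<a href="${safeUrl(p.homepage)}">home</a></div>`;
}

// Simplified stand-in for the browser's parser (constructed for this model):
// an injection "succeeds" if the fragment contains a <script> element, an
// on* event-handler attribute, or a javascript: href/src.
function hasScriptCapableMarkup(html) {
  for (const tag of html.matchAll(/<([a-zA-Z][\w-]*)([^>]*)>/g)) {
    if (tag[1].toLowerCase() === "script") return true;
    const attrRe = /([^\s"'=<>`]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
    for (const attr of tag[2].matchAll(attrRe)) {
      const name = attr[1].toLowerCase();
      const value = (attr[2] || "").replace(/^["']|["']$/g, "");
      if (name.startsWith("on")) return true;
      if ((name === "href" || name === "src") && /^\s*javascript:/i.test(value)) return true;
    }
  }
  return false;
}

// Constructed probes: textbook XSS test strings plus one benign HTML input.
const PROBES = [
  { name: "<script>alert(1)</script>", homepage: "https://example.test/" },
  { name: "Eve", homepage: 'https://example.test/" onmouseover="alert(1)' },
  { name: "Mallory", homepage: "javascript:alert(1)" },
  { name: "Bob <b>bold</b>", homepage: "https://example.test/" },
];

// Persistent path: rows read back from a mock database table.
const mockDbRows = PROBES.map((p, id) => ({ id, ...p }));
// Non-persistent path: a profile assembled from mock request parameters.
const fromRequest = (query) => ({ name: query.name, homepage: query.homepage });
// Counts successful injections for one renderer across both data paths.
function countInjections(render) {
  let hits = 0;
  for (const row of mockDbRows) if (hasScriptCapableMarkup(render(row))) hits++;
  for (const q of PROBES) if (hasScriptCapableMarkup(render(fromRequest(q)))) hits++;
  return hits;
}

// The comparison the evaluation plan calls for: baseline vs. hardened method.
function runExperiment() {
  return { attempts: 2 * PROBES.length, baseline: countInjections(renderBaseline),
           hardened: countInjections(renderHardened) };
}
```

With these probes the baseline renderer lets 6 of 8 attempts through while the hardened renderer lets none through; the benign `<b>` input is not counted, so the metric only measures script-capable markup.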

Then, the experiments will be repeated with the client’s JavaScript library replaced by a
JavaScript library using the literature’s security method. The second set of statistical data
will likewise contain the test results of security performance against cross-site scripting
attacks (non-persistent and persistent) and JavaScript injection attacks. Finally, the new
enhanced method produced in the project will replace the literature’s JavaScript library and the
experiments will continue. The lab experiments will be conducted several times and performed
under exactly the same conditions on every occasion to produce an unbiased comparison of all the
current methods and the enhanced new method.

After the comparison between the literature’s method, the client’s method and the new method has
been done, another experiment will be conducted to test the new method on a live network.
Non-persistent and persistent cross-site scripting attacks will be performed and the results of
the security performance of the new security method embedded in the JavaScript library will be
gathered. The last experiment will use a general JavaScript injection attack on the new method.
All the live network results will be compared to the results of the new enhanced method tested on
the lab environment network. The comparison of the security performance of the new method between
the live network and the lab environment network will be shown clearly and will indicate whether
real-life implementation is possible.

After all the experiments have been done, a survey form will be passed to the white hats in order
to gather feedback about the new method. The information will indicate the elements that need to
be improved and the weaknesses of the new method.

The data collected from all the experiments will show the security performance of the proposed
new method against the security performance of the literature’s method and the client’s method in
the form of accurate statistical data.

7. Scientific Justification

This project is an experimental project consisting of basic research and quantitative research.
It will collect data from the client, measure the methods of JavaScript attacks by their frequency
and the coding template of the attacks, and enhance the security method in the JavaScript library
for implementation in web applications. All injected code will be recorded on the computer during
the experiments to ensure that the information provided in the project is sufficient and to
increase the reproducibility of the experiments. The network bandwidth, computer specification,
hosting server specification and location of the server will be included in the project as well.
The precision of the experiments might be limited as they will be conducted using a standard lab
computer similar to a household personal computer. With the information provided in this project,
the reliability of the experiment is likely to be higher. The criterion for becoming a tester
(white hat) will be that the individual has had no access to the client’s database structure or
JavaScript library structure before the experiments are conducted, to avoid any bias. This will
increase the objectivity of the experiments. All the results will be stored on the university’s
server, to which the administrator will need to grant access. No data can be amended or modified
without the permission of the administrator. The administrator will not be a relative of the
researcher in this project, to avoid any conflict of interest and to help increase the validity of
the results.

8. Ethical Justification

An approval letter will be signed by the client granting access to the source code of the web
application, which will only be used in the lab for testing purposes. All the data in the testing
database is dummy data unrelated to any individual, so that the experiments will not contravene
the Data Protection Act. The experiments will be conducted in compliance with the requirements of
the Economic and Social Research Council (ESRC) Framework for Research Ethics.

9. References

- Bodin, M., Chargueraud, A., Filaretti, D., Gardner, P., Maffeis, S., Naudziuniene, D., Schmitt, A., Smith, G., 2014, “A Trusted Mechanised JavaScript Specification”, ACM SIGPLAN Notices, Jan 2014, 49(1), pp. 87-100, 14p.

- Chuan Yue, Haining Wang, 2013, “A Measurement Study of Insecure JavaScript Practices on the Web”, ACM Transactions on the Web, May 2013, Vol. 7 Issue 2, pp. 1-39, 39p.

- Misra, S., Cafer, F., 2012, “Estimating Quality of JavaScript”, International Arab Journal of Information Technology, Nov 2012, 9(6), pp. 535-543, 9p.

- Swamy, N., Fournet, C., Rastogi, A., Bhargavan, K., Chen, J., Strub, P.Y., Bierman, G., 2014, “Gradual Typing Embedded Securely in JavaScript”, ACM SIGPLAN Notices, Jan 2014, 49(1), pp. 425-437, 13p.

10. Schedule

ID | Task Title | Effort (hours) | Planned Start Date | Planned End Date | Actual Start Date | Actual End Date | Deliverable
1 | Analyse the client’s current JavaScript library and identify the existing security weaknesses in the JavaScript library | 50 | | | | |
1.1 | Interview the head of web development department | 5 | 1/12/2014 | 5/12/2014 | | | Interview notes
1.2 | Interview the web development team members | 15 | 1/12/2014 | 12/12/2014 | | | Interview notes
1.3 | Study on client’s current JavaScript library | 15 | 3/12/2014 | 17/12/2014 | | | Summary report
1.4 | Analyse the information gathered from interviews | 10 | 17/12/2014 | 18/12/2014 | | | Refined notes
1.5 | Write a report | 5 | 19/12/2014 | 19/12/2014 | | | Analysis Report
2 | Review the most up-to-date literature and journals to find the most current research that has been carried out on security methods used in JavaScript libraries | 100 | | | | |
2.1 | Find the relevant research papers on security methods in JavaScript | 20 | 1/12/2014 | 19/12/2014 | | | List of selected research papers
2.2 | Read the research papers | 55 | 1/12/2014 | 2/01/2015 | | | Important points on the research papers
2.3 | Write important notes | 10 | 1/12/2014 | 2/01/2015 | | | Summary notes
2.4 | Review the current JavaScript library | 10 | 22/12/2014 | 2/01/2015 | | | Review Report
2.5 | Review the current technologies of web browsers | 10 | 5/01/2015 | 7/01/2015 | | | Review Report
2.6 | Analyse all the information and results gathered from the research papers | 15 | 5/01/2015 | 9/01/2015 | | | Analysis Report
3 | Investigate the security methods currently used by other social networking companies and evaluate the effectiveness of those methods | 50 | | | | |
3.1 | Interview the head of web development department | 5 | 8/12/2014 | 10/12/2014 | | | Interview notes
3.2 | Interview the web development team members | 15 | 15/12/2014 | 30/12/2014 | | | Interview notes
3.3 | Study on the security methods in the JavaScript library | 15 | 22/12/2014 | 1/01/2015 | | | Summary report
3.4 | Analyse the information gathered from interviews and the summary report | 10 | 1/01/2015 | 2/01/2015 | | | Refined notes
3.5 | Write a report | 5 | 5/01/2015 | 5/01/2015 | | | Analysis Report
4 | Develop the new security methods for JavaScript that will prevent cross-site scripting attacks | 100 | | | | |
4.1 | Create a hypothesis of the new method | 30 | 12/01/2015 | 15/01/2015 | | | Printed hypothesis
4.2 | Develop a new security method on JavaScript that will prevent cross-site scripting attacks | 35 | 15/01/2015 | 21/01/2015 | | | New method
4.3 | Review and refine the new method | 15 | 21/01/2015 | 26/01/2015 | | | Refined method
5 | Build a virtual web application similar to the client’s web application for testing the new method | 120 | | | | |
5.1 | Meeting with head of web development department | 5 | 26/01/2015 | 27/01/2015 | | | Letter of consent
5.2 | Study on the client’s code library | 35 | 27/01/2015 | 3/02/2015 | | | Summary note
5.3 | Develop the virtual web application with the new security method in the JavaScript library | 60 | | | | | Prototype web application
5.3.1 | Program the database for the web application | 15 | 28/01/2015 | 3/02/2015 | | | Database with information stored
5.3.2 | Program the backend of the web application | 35 | 29/01/2015 | 12/02/2015 | | | Backend of the web application
5.3.3 | Program the front-end of the web application | 10 | 12/02/2015 | 18/02/2015 | | | User interface of the web application
5.4 | Review the web application | 20 | 12/02/2015 | 20/02/2015 | | | Fully functional web application
6 | Test the new methods on the virtual web application | 80 | | | | |
6.1 | Recruit voluntary white hats | 20 | 16/02/2015 | 20/02/2015 | | | List of selected white hats
6.2 | Perform cross-site scripting attacks on the web application hosted in local server | 30 | 23/02/2015 | 26/02/2015 | | | Test result
6.3 | Perform cross-site scripting attacks on the virtual web application hosted in web server | 30 | 27/02/2015 | 5/03/2015 | | | Test result
7 | Evaluate the results of the new method | 50 | | | | |
7.1 | Evaluate the test results | 10 | 27/02/2015 | 6/03/2015 | | | Evaluation report
7.2 | Gather the feedback of the white hats | 25 | 2/03/2015 | 11/03/2015 | | | Feedback notes
7.3 | Evaluate the feedback | 5 | 12/03/2015 | 12/03/2015 | | | Evaluation report
7.4 | Write a report on the evaluation of testing results | 10 | 11/03/2015 | 13/03/2015 | | | Testing report
8 | Publish the project results | 50 | | | | |
8.1 | Write a draft | 15 | 09/03/2015 | 16/03/2015 | | | Drafted research paper
8.2 | Send for review | 15 | 11/03/2015 | 18/03/2015 | | | Review notes
8.3 | Write a final research paper | 20 | 16/03/2015 | 20/03/2015 | | | Final research paper

Task ID | Task Title | Effort (hours) | Hours by week (W1 to W16; non-empty weeks listed in order)
1 | Analyse the client’s current JavaScript library and identify the existing security weaknesses in the JavaScript library | 50 |
1.1 | Interview the head of web development department | 5 | 5
1.2 | Interview the web development team members | 15 | 5 10
1.3 | Study on client’s current JavaScript library | 15 | 5 5 5
1.4 | Analyse the information gathered from interviews | 10 | 10
1.5 | Write a report | 5 | 5
2 | Review the most up-to-date literature and journals to find the most current research that has been carried out on security methods used in JavaScript libraries | 120 |
2.1 | Find the relevant research papers on security methods in JavaScript | 20 | 10 5 5
2.2 | Read the research papers | 50 | 10 10 5 15 10
2.3 | Write important notes | 10 | 2 2 2 2 2
2.4 | Review the current JavaScript library | 10 | 5 5
2.5 | Review the current technologies of web browsers | 10 | 10
2.6 | Analyse all the information and results gathered from the research papers | 20 | 20
3 | Investigate the security methods currently used by other social networking companies and evaluate the effectiveness of those methods | 50 |
3.1 | Interview the head of web development department | 5 | 5
3.2 | Interview the web development team members | 15 | 5 5 5
3.3 | Study on the security methods in the JavaScript library | 15 | 10 5
3.4 | Analyse the information gathered from interviews and the summary report | 10 | 10
3.5 | Write a report | 5 | 5
4 | Develop the new security methods for JavaScript that will prevent cross-site scripting attacks | 80 |
4.1 | Create a hypothesis of the new method | 30 | 30
4.2 | Develop a new security method on JavaScript that will prevent cross-site scripting attacks | 35 | 10 25
4.3 | Review and refine the new method | 15 | 10 5
5 | Build a virtual web application similar to the client’s web application for testing the new method | 120 |
5.1 | Meeting with head of web development department | 5 | 5
5.2 | Study on the client’s code library | 35 | 10 25
5.3 | Develop the virtual web application with the new security method in the JavaScript library | 60 |
5.3.1 | Program the database for the web application | 15 | 10 5
5.3.2 | Program the backend of the web application | 35 | 5 10 20
5.3.3 | Program the front-end of the web application | 10 | 5 5
5.4 | Review the web application | 20 | 10 10
6 | Test the new methods on the virtual web application | 80 |
6.1 | Recruit voluntary white hats | 20 | 20
6.2 | Perform cross-site scripting attacks on the web application hosted in local server | 30 | 30
6.3 | Perform cross-site scripting attacks on the virtual web application hosted in web server | 30 | 5 25
7 | Evaluate the results of the new method | 50 |
7.1 | Evaluate the test results | 10 | 5 5
7.2 | Gather the feedback of the white hats | 25 | 10 15
7.3 | Evaluate the feedback | 5 | 5
7.4 | Write a report on the evaluation of testing results | 10 | 10
8 | Publish the project results | 50 |
8.1 | Write a draft | 15 | 5 10
8.2 | Send for review | 15 | 5 10
8.3 | Write a final research paper | 20 | 20
Total Hours Per Week (W1 to W16) | | | 37 37 37 37 37 35 40 35 35 40 35 35 40 40 40 40
