Object Capabilities and their Benefits for Web Application Security

Abstract

Nowadays, more and more applications are built with web technologies like HTML, CSS, and JavaScript and are then executed in browsers. The web is used as an operating-system-independent application platform. As a consequence, the underlying authorization model changes: it no longer depends only on operating system accounts and file system permissions. Instead, these accounts are now implemented in the applications themselves, together with all of the protective measures and security controls that this requires. Because of the inherent complexity, flaws in the authorization logic are among the most common security vulnerabilities in web applications. Most applications are built on the concept of the Access-Control List, a security model which decides who can access which object. This diploma thesis presents the alternative authorization model of Object Capabilities in the context of web applications and shows how it can be used to prevent certain vulnerability classes. A case study was conducted for this, and a prototype of a web application that is based on this model was developed. A security analysis was then performed on the prototype, in which it was tested for the ten most common security vulnerabilities found in web applications. Afterwards, the model was evaluated by comparing the fundamental differences between the two concepts, using examples taken from existing applications that are built upon access-control lists. The results of these analyses are promising, but they also show that extensions to current browsers are required to further improve the security of object capabilities on the web.

Publication
TU Wien