Treffer: Between Worlds: Securing Mixed JavaScript/ActionScript Multi-party Web Content

—Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad web development projects. Although Flash and JavaScript security has been examined extensively, the security of un-trusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical sce-narios that threaten the security of web applications. The severity of these attacks warrants the development of new techniques that address the se-curity of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these web platforms.