Cloud app security

This page contains information to get you started on challenges provided for the lectures on cloud app security:

If you want to play with JSFlow in the browser you can download an (unreleased) experimental version that runs in Firefox. This version might be unstable, since it is under development. Please do not spread further - there is an official release of JSFlow which will soon include the Firefox extension, Tortoise. If you find bugs we appreciate if you report them to us!

Downlod Tortoise

Please note that due to fast changing internal security models Tortoise is guaranteed to work in newer (or older) versions of Firefox. We develop Tortoise on Firefox 30.

You might be interested in the slides for Tuesday and the original slides for Thursday. If you want to download the source of JSFlow or play around with the online interpreter the head over to

Setup for injection challenges

Before you start you need to download Node.js from The Hrafn app, the ad service and the analytics service are built using the Express web framework. You also need to download the source code for Hrafn and the other services.

Once you are set you should see something like the following if you execute node -v

$ node -v

Just to make sure that you have npm as well

$ npm -v

If you unzip you should get three directories



The server of the main app. Before it can be started the JavaScript libraries it uses must be downloaded and installed. You do this with npm install which should result in something like this
$npm install
passport-local@1.0.0 node_modules/passport-local
└── passport-strategy@1.0.0

passport@0.2.2 node_modules/passport
├── pause@0.0.1
└── passport-strategy@1.0.0

Don't worry - nothing will be installed on the system. It's all downloaded into the directory of the app itself. Once the dependencies have been installed you start the server with node index.js which should give

$ node index.js 
Node app is running on port 5000

indicating that the server is running and bound to port 5000. You can now browse to http://localhost:5000 and get Hrafn; of course since we are not running the ad service or the analytics service those won't work.


The ad service used by Hrafn. Again you need to run npm install before you can run node adserv.js which should give
$ node adserv.js 
Node app is running on port 4999

indicating that the server is running and bound to port 4999.


The analytics service used by Hrafn. Again you need to run npm install before you can run node analytics.js which should give
$ node analytics.js 
Node app is running on port 4888

indicating that the server is running and bound to port 4888.

Putting it all together

Now, if you start all three servers in different console windows you should now be able to play with a working version of Hrafn!

The injection attacks

Your challenge is to implement the three injection attacks we have introduced during the lecture. I realize that it may be the case that not all of you have a strong background in JavaScript or the browser API. For this reason the way the ads, the analytics and Hrafn are implemented to make use of the building blocks you need to perform the attacks. I believe that the code should be self explanatory for a reasonably experienced programmer. If there is something you don't understand ask a friend, me or Google for a solution - Mozilla Developer Network (MDN) has a lot of useful information.

The analytics service injection attack

The simplest attack is the analytics service injection attack, since you are in direct control of the code that the analytics server provides. Create an attack that sends back the credentials to the analytics server.

Files that you are allowed to modify

The ad injection attack

This attack involves creating a new ad that injects code to steal the credential and send it back to the attacker. There are two main challenges. First, with the risk of giving too much information away - note that scripts injected by modifying innerHTML creates a script node but does not automatically execute it. Second, where will you send the stolen credentials? You are not allowed to change the code of the ad server.

Files that you are allowed to modify

Note that the adserver serves the ads in the hrafn/adserv/ads/ directory in a round robin fashion in the order provided by the OS.

The XSS attack

The XSS attack is the most powerful one, since it does not require control of any of the services. In fact, since Hrafn allows you to post anonymously you don't even have to have an account. Find a way to craft a message that you post on Hrafn and that steals the credentials of subsequent logins. Can you make a user automatically post his credentials on Hrafn on login?

Files that you are allowed to modify


Open Web Application Security Project (OWASP) is a non-profit organisation that contains a lot of interesting information on vulnerabilities and protection mechanism. They also create the OWASP Top 10 list that lists the most common vulnerabilities.

For information about Cross Site Scripting (XSS) head over to OWASP also has a cheat sheet on XSS prevention that illustrates well why the current techniques are complex.

On the topic of what the cloud and its benefits are.

A popular science text about the cloud.

On web sandboxes the article by Politz, Guha, Krishnamurthi gives good background with multiple pointers to the sandboxes themselves. It's also a very good article that describes an interesting and impressive endevour to verify the correctness of AdSafe. You can also visit their project page for more information,

Type-Based Verification of Web Sandboxes
Joe Gibbs Politz, Arjun Guha, Shriram Krishnamurthi

On the topic of the dangers of third party scrip inclusion I recommend the article by Nikiforakis et al.

For information on information-flow control I recommend the following article written for the Marktoberdorf summer school 2011 as a starting point. It contains references to many of the standard works on both static and dynamic information-flow control.

A Perspective on Information-Flow Control
Daniel Hedin and Andrei Sabelfeld

For information about dynamic taint tracking I recommend the following technical report by Benjamin Livshits

For information on the fundamentals of dynamic information-flow control I recommend the following two articles

Dynamic vs. Static Flow-Sensitive Security Analysis
Alejandro Russo, Andrei Sabelfeld

For information on how to construct policies in the presence of mutual distrust I recommend, e.g.,

For decentralized policies in the web setting see, e.g.,

A Lattice-based Approach to Mashup Security
Jonas Magaszinius, Aslan Askarov, Andrei Sabelfeld

Work relating to JSFlow

If you are interested in JSFlow and its foundations those are the articles that provide the foundations. This is the same list as on the JSFlow main page.

Value-sensitive Hybrid Information Flow Control for a JavaScript-like Language.
Daniel Hedin, Luciano Bello, and Andrei Sabelfeld
In Proceedings of the IEEE Computer Security Foundations Symposium (CSF) Verona, Italy, July 2015.

JSFlow: Tracking Information Flow in JavaScript and its APIs.
Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld
In Proceedings of the ACM Symposium on Applied Computing (SAC), Gyeongju, Korea, March 2014

Architectures for Inlining Security Monitors in Web Application.
Jonas Magazinius, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS), Munich, Germany, February 2014.

Information-flow security for a core of JavaScript.
Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the IEEE Computer Security Foundations Symposium, Harvard University, Cambridge MA, June 25-27, 2012. IEEE Computer Society Press.

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing.
Arnar Birgisson, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the European Symposium on Research in Computer Security (ESORICS), Pisa, Italy, September 2012, LNCS, Springer-Verlag.