CSRF protection in Java']JavaScript frameworks and the security of Java']JavaScript applications

With JavaScript being the most popular programming language on the web, several new JavaScript frameworks are released every year. A well designed framework may help developers create secure applications. The goal of our study is to understand how framework developers can best protect applications developed using their framework. In this work we studied how cross-site request forgery vulnerability is mitigated in several serverside JavaScript frameworks: Express.js, Koa.js, Hapi.js, Sails.js, and Meteor.js. We then analyzed open source applications developed with these frameworks using open source and custom written tools for automated static analysis and identified the percentage of protected applications for each framework. We correlated our analysis results to the implementation levels of mitigating controls in each framework and performed statistical analysis of our results to ensure no other confounding factors were involved. Based on the received outcomes we provide recommendations for framework developers on how to create frameworks that produce secure applications.