Abstract

In today's world, web applications are used for sharing information and delivering services over the Internet. As their use for critical services increases day by day, web applications have become a popular and valuable target for security attacks. Although a large number of techniques have been developed to fortify web applications and mitigate attacks against them, little effort has been devoted to drawing connections among these techniques and building a big picture of web application security research. Web applications are important, common distributed systems whose current security relies primarily on server-side mechanisms. They provide end users with access to server functionality through a set of web pages. These pages often contain script code to be executed dynamically within the client web browser. Most web applications aim to enforce simple, intuitive security policies, such as, for web-based email, disallowing any scripts in untrusted email messages. Even so, web applications are currently subject to a plethora of successful attacks, such as cross-site scripting, cookie theft, session riding, browser hijacking and the recent self-propagating worms in web-based email and social networking sites. This paper makes the end-to-end argument that the client and server must collaborate to achieve security goals, to eliminate common security exploits and to secure the emerging class of rich, cross-domain web applications referred to as Web 2.0.
