The Security of Web Services as Software
in CrossTalk: The Journal of Defense Software Engineering, September 2007
To help creators of Web services and Service-Oriented Architectures (SOAs) understand and address the security challenges that confront them, the National Institute of Standards and Technology (NIST) is getting ready to publish a new Special Publication (SP) 800-95, Guide to Secure Web Services. This SP describes Web service security standards and explains how to develop Web services and SOA portals using technologies based on those standards. However, neither SP 800-95 nor the standards it describes address a critical challenge: the security of Web services as software. Without considering software security, developers cannot create Web services that are truly trustworthy. This article both describes the content of SP 800-95 and highlights its critical omissions in terms of the measures needed to produce Web service software that is in and of itself secure.
Protecting Private Web Content from Embedded Scripts
Yuchen Zhou and David Evans
European Symposium on Research in Computer Security (ESORICS 2011)
Leuven, Belgium
12-14 September 2011
Many web pages display personal information provided by users. The goal of this work is to protect that content from untrusted scripts that are embedded in host pages. We present a browser modification that provides fine-grained control over what parts of a document are visible to different scripts, and executes untrusted scripts in isolated environments where private information is not accessible. To ease deployment, we present a method for automatically inferring what nodes in a web page contain private content. This paper describes how we modify the Chromium browser to enforce newly defined security policies, presents our automatic policy generation method, and reports on experiments inferring and enforcing privacy policies for a variety of web applications.
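The policy model the abstract describes (per-script visibility of document nodes, with private content absent from an untrusted script's view) can be sketched without a browser. The following is an added example, not code from the paper or its Chromium modification: the page tree, the `private` tags (standing in for what the paper's inference step would produce), the script origins and the `policy` table are all constructed here. Isolation is only approximated by running the script through `new Function` with shadowed globals; the real isolation is the browser-level change the paper describes.

```javascript
// Added example (not the ESORICS paper's code): per-script visibility policies
// over a page tree. Everything below (tree, private tags, origins) is constructed.

// Constructed page tree. `private: true` marks nodes holding user-provided
// personal content, the kind the paper's inference step tags automatically.
const page = {
  tag: 'body', id: 'body', text: '', private: false,
  children: [
    { tag: 'h1', id: 'header', text: 'Welcome back', private: false, children: [] },
    { tag: 'div', id: 'profile', text: '', private: true, children: [
      { tag: 'span', id: 'email', text: 'alice@example.com', private: true, children: [] },
      { tag: 'span', id: 'phone', text: '+1 555 0100', private: true, children: [] },
    ] },
    { tag: 'div', id: 'ad-slot', text: 'Sponsored', private: false, children: [] },
  ],
};

// Policy keyed by script origin (assumed origins). Anything not listed is
// treated as untrusted, so private content is hidden by default.
const policy = {
  'https://site.example/app.js': { seesPrivate: true },
  'https://ads.example/track.js': { seesPrivate: false },
};

// Build a frozen, script-specific view of the tree. Private subtrees are
// removed entirely rather than blanked, so their ids and shape do not leak.
function buildView(node, seesPrivate) {
  if (node.private && !seesPrivate) return null;
  const children = node.children
    .map(child => buildView(child, seesPrivate))
    .filter(child => child !== null);
  return Object.freeze({
    tag: node.tag, id: node.id, text: node.text, children: Object.freeze(children),
  });
}

// A minimal document API over a view: lookup by id and a text dump.
function makeDocument(view) {
  function findById(node, id) {
    if (node.id === id) return node;
    for (const child of node.children) {
      const hit = findById(child, id);
      if (hit) return hit;
    }
    return null;
  }
  function allText(node) {
    return [node.text, ...node.children.map(allText)].filter(Boolean).join(' ');
  }
  return Object.freeze({
    getElementById: id => findById(view, id),
    bodyText: () => allText(view),
  });
}

// Run a script's source against the view its policy entry allows. Isolation is
// approximated with `new Function` and shadowed globals; real isolation is the
// browser modification the paper describes, which plain JavaScript cannot provide.
function runScript(origin, source) {
  const rule = policy[origin] || { seesPrivate: false };   // default deny
  const doc = makeDocument(buildView(page, rule.seesPrivate));
  const fn = new Function('document', 'window', 'globalThis', source);
  return fn(doc, undefined, undefined);
}

// Same script, two origins: the tracker gets null, the site's own script gets the value.
const probe = "const e = document.getElementById('email'); return e ? e.text : null;";
console.log(runScript('https://ads.example/track.js', probe));  // null
console.log(runScript('https://site.example/app.js', probe));   // alice@example.com
```

Eliding the private subtree (rather than blanking its text) matters: an untrusted script that can still enumerate `#profile > span` learns how many fields exist and where they sit, which is itself a leak.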
SessionShield: Lightweight Protection against Session Hijacking
in the Proceedings of the 3rd International Symposium for Engineering Secure Software and Systems (ESSoS 2011)
The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks.
In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems.
SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead on the browser, therefore making it ideal for desktop and mobile systems.
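The abstract's core observation, that session identifiers need not be visible to page scripts, can be demonstrated as a filter sitting between the browser and the network. The following is an added example and not SessionShield's code: it strips cookies that look like session identifiers from responses before the browser stores them, keeps them in a jar the page's JavaScript cannot reach, and re-attaches them to outgoing requests. The recognition heuristics (a list of framework session-cookie names plus a length and entropy check on the value) and the `jar` keyed by host are my assumptions about how such a filter would decide, not the paper's exact rules; the Set-Cookie headers are constructed.

```javascript
// Added example (not SessionShield's code): a proxy-side cookie filter that
// keeps session identifiers out of the browser's script-visible cookie store.
// Detection heuristics and the per-host jar are assumptions, not the paper's rules.

// Names common frameworks use for session cookies (assumed list, lower-cased).
const KNOWN_SESSION_NAMES = new Set([
  'phpsessid', 'jsessionid', 'asp.net_sessionid', 'cfid', 'cftoken',
  'sid', 'sessionid', 'session_id', '_session_id',
]);

// Shannon entropy of a string in bits per character.
function entropyPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A cookie counts as a session identifier if its name is a known session name,
// or its value looks like random material: at least 16 chars and high entropy.
function isSessionCookie(name, value) {
  if (KNOWN_SESSION_NAMES.has(name.toLowerCase())) return true;
  return value.length >= 16 && entropyPerChar(value) >= 3.0;
}

// Parse a Set-Cookie header into name, value and the remaining attribute string.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attrs: attrs.join(';').trim(),
  };
}

// Response direction: session cookies go into a jar the page never sees (keyed
// by host so they are not replayed elsewhere); everything else passes through.
function filterSetCookies(host, setCookieHeaders, jar) {
  const forwarded = [];
  for (const header of setCookieHeaders) {
    const { name, value } = parseSetCookie(header);
    if (isSessionCookie(name, value)) {
      if (!jar.has(host)) jar.set(host, new Map());
      jar.get(host).set(name, value);
    } else {
      forwarded.push(header);
    }
  }
  return forwarded;
}

// Request direction: re-attach the host's jar entries to the outgoing Cookie
// header, so the server still sees the session while document.cookie never did.
function buildCookieHeader(host, browserCookieHeader, jar) {
  const parts = browserCookieHeader ? [browserCookieHeader] : [];
  for (const [name, value] of (jar.get(host) || new Map())) parts.push(`${name}=${value}`);
  return parts.join('; ');
}

// Constructed exchange: a PHP application's response, then the browser's next request.
const jar = new Map();
const forwarded = filterSetCookies('app.example', [
  'PHPSESSID=3fa85f64f8d9b2c1a4e7d0b6c9f2a1e8; Path=/; HttpOnly',
  'theme=dark; Path=/',
  'remember=9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f; Path=/; Max-Age=86400',
], jar);
console.log(forwarded);                                          // [ 'theme=dark; Path=/' ]
console.log(buildCookieHeader('app.example', 'theme=dark', jar));
```

The effect is the one the HttpOnly attribute gives when a site sets it, applied on the client for sites that did not: an injected script reading `document.cookie` sees only `theme=dark`. The entropy rule catches session-like tokens under unusual names (the constructed `remember` cookie above), and the `lang`-style short values stay visible; a value that is both long and random but genuinely needed by page scripts would be a false positive, which is the trade-off any value-based heuristic carries.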

