( http://www.dagstuhl.de/09141 )

29.03.09 - 03.04.09, Seminar 09141

Web Application Security

Organizers

Dan Boneh (Stanford University, US)
Ulfar Erlingsson (Reykjavik University, IS)
Martin Johns (Universität Passau, DE)
Benjamin Livshits (Microsoft Research - Redmond, US)



For support, please contact

Claudia Thiele for administrative aspects

Documents

Participants and shared Documents

Motivation

Security of Web applications has become increasingly important over the last decade. This is not at all surprising: Web applications are now ubiquitous, spanning e-commerce, healthcare, finance, and numerous other areas. More and more Web-based enterprise applications handle sensitive financial and medical data which, if compromised, can mean millions of dollars in damages on top of the downtime. It is crucial to protect these applications from malicious attacks. Yet, to date, a great deal of attention has been given to network-level attacks such as port scanning, even though, according to recent surveys, about 75% of all attacks against Web servers target Web-based applications. Traditional defense strategies such as firewalls do not protect against Web application attacks, because these attacks are carried entirely in HTTP traffic, which is usually allowed to pass through firewalls unhindered. Thus, attackers typically have a direct line to Web applications. Furthermore, traditional vulnerabilities such as buffer overruns, pervasive in applications written in C and C++ and the subject of intense research for over a decade, are now largely superseded by Web application vulnerabilities such as cross-site scripting, SQL injection, and session riding (cross-site request forgery) attacks.
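To make the point concrete that such attacks travel in ordinary HTTP requests a firewall will pass, here is an added example (not code from the Dagstuhl page or its organizers) of a SQL injection carried in a plain GET query parameter, next to the parameterized query that closes it. The users table, the two accounts and the request URLs are constructed for the example; the host name shop.example is a placeholder.

```python
"""Added example: SQL injection via an HTTP query parameter, vulnerable
and fixed login handlers side by side. All data here is constructed."""
import sqlite3
from urllib.parse import urlsplit, parse_qs


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin.
    Passwords are stored in plaintext only to keep the example short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    con.commit()
    return con


def params_from_url(url: str) -> dict:
    """What the application sees: the decoded query string of a GET request
    that looks like any other HTTP traffic to a packet-filtering firewall."""
    query = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in query.items()}


def login_vulnerable(con: sqlite3.Connection, url: str) -> list:
    """Builds the statement by string concatenation, so any quote or
    comment marker in the parameter becomes SQL syntax."""
    p = params_from_url(url)
    sql = (
        "SELECT name, role FROM users WHERE name = '" + p.get("user", "")
        + "' AND password = '" + p.get("pw", "") + "'"
    )
    return con.execute(sql).fetchall()


def login_fixed(con: sqlite3.Connection, url: str) -> list:
    """Same query with bound parameters: the driver passes the values to
    the engine separately, so user input never alters the statement."""
    p = params_from_url(url)
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (p.get("user", ""), p.get("pw", ""))).fetchall()


# Constructed requests: a legitimate login and one carrying the injection.
# %27 decodes to a single quote; "--" starts a SQL comment in SQLite, so the
# password check is commented out and the admin row is returned.
LEGIT = "http://shop.example/login?user=bob&pw=hunter2"
ATTACK = "http://shop.example/login?user=alice%27--&pw=anything"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, legit :", login_vulnerable(con, LEGIT))
    print("vulnerable, attack:", login_vulnerable(con, ATTACK))
    print("fixed, attack     :", login_fixed(con, ATTACK))
```

Nothing about the attacking request is malformed at the network layer: it is a well-formed GET to port 80, which is exactly why a network firewall cannot distinguish it from a legitimate login and why the fix has to live in the application code.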

Overall, the current state of application security leaves much to be desired. The 2002 Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI revealed that, on a yearly basis, over half of all databases experience at least one security breach and that an average episode results in close to $4 million in losses. A recent penetration testing study performed by the Imperva Application Defense Center covered more than 250 Web applications from e-commerce, online banking, enterprise collaboration, and supply chain management sites. Its vulnerability assessment concluded that at least 92% of Web applications are vulnerable to some form of attack. Security compliance of application vendors is especially important in light of recent U.S. industry regulations pertaining to information security, such as the Sarbanes-Oxley Act.

Web applications have progressed a great deal in the last decade since their humble beginnings as CGI scripts. Today’s Web applications are sophisticated multi-tier systems built on top of complex software stacks. Web applications are also distributed: a Web application typically includes both a server-side component running on an application server such as JBoss and a client-side component that usually consists of HTML and JavaScript. Consequently, Web application security touches upon many aspects of systems research. The topic has attracted researchers from diverse backgrounds in recent years. In addition to “core security” experts, this includes specialists in programming languages, operating systems, and hardware, as exemplified by the list of seminar attendees. Similarly, the research directions proposed so far range from changes to the Web browser, through hardware-level support, to in-depth analysis of server code. Last but not least, much work remains to be done on the social-engineering side of Web application security.

The last several years signified a sea-change in Web application development. We are now in the middle of the “Web 2.0” revolution, triggered by demand for a better, more interactive user experience and enabled by Ajax (asynchronous JavaScript and XML). However, the extra functionality of rich-client applications is generating new security concerns. A good example is JavaScript worms, which first emerged in 2005 and have become increasingly common in the last year or so. JavaScript worms take advantage of the Web client’s ability to issue server requests programmatically through Ajax in order to propagate their malicious payload. Another issue is JavaScript prototype hijacking vulnerabilities, which affect a large portion of today’s Ajax applications.

Issues to be raised and seminar objectives

A sea-change is taking place in how Web applications deliver their functionality, which is starting to give end users greater access to richer, more interactive Web services. Underlying this change are three developments: a new generation of richer Web content, such as interactive video, the aggregation of Web functionality from many services, and, finally, the migration of Web application functionality to the client Web browsers, in the form of scripts and other executable content. However, as often happens, these changes are being driven by functionality, with consideration of security included mostly as an afterthought. The objectives of this seminar are two-fold.

OBJECTIVE # 1:

We want to discuss new ideas for making the Web a safer place, where end users can be given guarantees about security, integrity, and availability, as well as about their privacy. We are particularly focused on techniques for the construction of such robust and secure Web applications. Recently, there have been numerous industry conferences and other venues for the discussion of Web application security issues among industry practitioners. Our intent with this seminar is to complement those venues by enabling participants from academia to discuss these issues from a more fundamental, principled and formal perspective, with longer-term goals in mind. To foster the exchange of ideas, we are inviting several attendees from industry; we may invite further practitioners, such as the highly visible and widely published Gary McGraw, Michael Howard, or Brian Chess.

OBJECTIVE # 2:

We want to foster a productive discussion on what the future holds in terms of Web application security, given current Internet trends. In particular, in addition to the migration towards substantial client-side script execution, there is a strong shift towards video and other rich content on the Web (by some projections, 90% of Web traffic will be video within two years). What can be done today to ensure that Web applications developed to serve future content (such as video) do not repeat the mistakes of the current Web? What are the important lessons we should apply from the first 10 years of Web application (in)security? It seems clear that more and more sophisticated applications will be deployed over the Web, as exemplified by the Web-based Google office suite. Through this seminar, we hope to develop design proposals whose implementation now can lead to security-by-design of Web applications in the coming decades.

In the future, interactive, high-functionality Web applications are likely to be one of the foundations on which services are provisioned and accessed in society at large. We believe that there is currently a great opportunity for the principled consideration of the security of these Web applications, and for a re-thinking of previous assumptions.

Our seminar at Dagstuhl would play an essential role by providing a forum for such consideration between leading academic researchers and industry practitioners.

Classification

  • Web
  • Security / cryptography
  • Programming languages / compiler

Keywords

  • Web applications
  • Security
  • Ajax
  • Web 2.0
  • Analysis for security
  • Browser design
  • Distributed applications

Publications

Books from the participants of the current Seminar 

Book exhibition in the library, 1st floor

(during the seminar week)

Each Dagstuhl Seminar has the possibility to publish a volume of  "Dagstuhl Seminar Proceedings" online. Details will be discussed during the seminar.

Background information on

Dagstuhl Seminar Proceedings

Follow-Up Publications

Please inform us, when a further publication results from your seminar. These Follow-Up publications are listed separately and are presented on a special shelf on the ground floor of the library.