March 29th – April 3rd 2009, Dagstuhl Seminar 09141
Web Application Security
Security of Web applications has become increasingly important over the last decade. This is not at all surprising: Web applications are now ubiquitous, spanning the spheres of e-commerce, healthcare, finance, and numerous other areas. More and more Web-based enterprise applications deal with sensitive financial and medical data, which, if compromised, can mean millions of dollars in damages in addition to downtime. It is crucial to protect these applications from malicious attacks. Yet, to date, a great deal of attention has been given to network-level attacks such as port scanning, even though about 75% of all attacks against Web servers target Web-based applications, according to recent surveys. Traditional defense strategies such as firewalls do not protect against Web application attacks, as these attacks rely solely on HTTP traffic, which is usually allowed to pass through firewalls unhindered. Thus, attackers typically have a direct line to Web applications. Furthermore, traditional vulnerabilities such as buffer overruns, pervasive in applications written in C and C++, that have been the subject of intense study for over a decade, are now largely superseded by Web application vulnerabilities such as cross-site scripting, SQL injection, and session riding attacks.
The seminar was well attended with 38 participants. A good balance of European and American researchers was present. Furthermore, the group represented a nice mix of participants from academia and industry (including members of companies such as Mozilla, Microsoft, SAP, and Google).
This was the first Dagstuhl seminar on Web application security. In addition, academic research on this topic is a rather young discipline. For this reason, the seminar's organisation favored presentations over open workgroups or plenum-style discussions. This way, a good, comprehensive view of current activities and open problems in the realm of Web application security could be achieved.
Since the seminar took place, the underlying research of most talks has been presented at conferences and the corresponding papers have been published in the associated proceedings. Hence, we include a comprehensive list of publications that are directly associated with the seminar's content in the bibliography of this document.
The seminar was perceived as highly inspiring by the participants. In consequence, it had a fertilizing effect on follow-up activities. Besides various informal collaborations that resulted from discussions in Dagstuhl, we would like to single out two results which can be directly attributed to the seminar. For one, during the seminar the observation was made that Europe at that point in time did not offer a compelling venue for academic Web application security research. For this reason, a group of the participants decided to pursue this issue. The result of this effort was the OWASP AppSec Research conference, which had its first iteration in June 2010 in Stockholm. Furthermore, based on initial discussions during the seminar, a consortium formed for further collaboration in a larger research project. This resulted in a successful proposal for an EU FP7 project. Out of the five primary drivers of the proposal, four (the seminar participants from SAP, Chalmers, KU Leuven, and Uni Passau) had met at the seminar. The project is called WebSand and will start its three-year run in October 2010. It will target research questions in the field of Web application security in multi-party scenarios.
The dominant result of the seminar was that the field of Web application security research simply does not exist as a single, unified discipline. Instead, the topic is approached from a highly heterogeneous set of directions, ranging from low-level vulnerability countermeasures, through ad-hoc run-time enforcement mechanisms and security protocol analysis, to fully formalized typing approaches. Research in this field has to be agile and versatile, as even the most fundamental building blocks of the young application paradigm are still evolving and constantly changing, sometimes for the better, sometimes for the worse from a security point of view. The fight for secure Web applications is still an uphill battle. We live in interesting times.
Related Dagstuhl Seminar
- 12401: "Web Application Security" (2012)
Classification
- Security / Cryptography
- Programming Languages / Compiler
Keywords
- Web applications
- Web 2.0
- Analysis for security
- Browser design
- Distributed applications