September 30th – October 5th 2012, Dagstuhl Seminar 12401
Web Application Security
Since its birth in 1990, the web has evolved from a simple, stateless delivery mechanism for static hypertext documents to a fully-fledged run-time environment for distributed multi-party applications. Recently, web technologies have gradually shifted from a central-server model towards a rich, stateful client paradigm with lively interaction models. The wave of popular peer-to-peer web applications and web mashup applications confirms this emerging trend. But the shift away from the server-centered paradigm poses the significant challenge of securing web applications in the presence of multiple stakeholders, including security-ignorant end users. This motivates the need for solid "web application security".
The seminar aimed to address the open question of how to protect against the pervasive threats to web applications. Some of the key objectives put forward are (i) surveying the state of the art in order to consolidate and structure it, (ii) identifying key challenges, and (iii) brainstorming on new ideas and approaches towards resolving these challenges. The inception of this Dagstuhl seminar was strongly inspired by the following emerging trends and challenges in the web security landscape:
- Fine-grained access control. Fine-grained access control policies define how the application authenticates and authorizes end users, from which application contexts the application can be consulted, and which interaction sequences maintain the application's integrity (i.e. control-flow integrity). Our objective is to address a range of questions, from the formal foundations of authentication policies and protocols to the practicalities of authentication such as secure session management.
- Information-flow control. Information-flow control specifies how sensitive data, possibly originating from multiple content providers in multiple trust domains, can be used in data aggregations, and client-side and server-side processing as is typically done in mashups. Challenges here include reconciling information-flow policies from several involved parties, with possibly conflicting goals. Moreover, tracking end-to-end information flow in web applications remains an open question. Our objective is enhanced understanding of how to make information-flow control policies and mechanisms practical in a web setting.
- Cross-domain interaction. One of the original and still unresolved problems of the web is the inherent incompatibility between the cross-domain nature of the hyperlink and the same-origin security policy that governs its active content. In the recent past, the situation has become even more complex with the introduction of client-side primitives for cross-domain interaction, such as CORS. Our objective is to assess the impact of current developments and identify promising directions for solutions.
Finally, the organizers of the Dagstuhl seminar have set up a Special Issue on Web Application Security as part of the Journal of Computer Security, specifically devoted to a selection of promising results presented at the seminar. Four participants have been invited to submit an extended paper of their talk to the special issue, and the manuscripts are currently under review.
Related Dagstuhl Seminar
- 09141: "Web Application Security" (2009)
Classification
- Programming Languages / Compiler
- Security / Cryptology
- World Wide Web / Internet
Keywords
- Application security
- Secure interaction
- Information flow
- Secure composition
- Web 2.0