05. – 08. August 2018, Dagstuhl-Seminar 18321

Web Application Security


Martin Johns (TU Braunschweig, DE)
Nick Nikiforakis (Stony Brook University, US)
Melanie Volkamer (KIT – Karlsruher Institut für Technologie, DE)
John Wilander (Apple Computer Inc. – Cupertino, US)

Auskunft zu diesem Dagstuhl-Seminar erteilt

Dagstuhl Service Team


Dagstuhl Report, Volume 8, Issue 8 Dagstuhl Report




Since its birth in 1990, the Web has evolved from a simple, stateless delivery mechanism for static hypertext documents to a fully-fledged run-time environment for distributed, multi-party applications. Even today, there is still a continuous demand for new features and capabilities which drives the Web's evolution onwards. This unplanned and often chaotic development has led to several deeply ingrained security and privacy problems that plague the platform:

  • The Web's original hypertext, multi-origin nature which is manifested in the design of HTML and HTTP is in fundamental conflict with JavaScript's Same-Origin Policy, the Web's most important security mechanism.
  • Important security properties, such as end-to-end communication security or endpoint identity are outside of the control of the actual applications. Instead, they depend on the security of external entities, such as domain name servers or certificate authorities.
  • Data/code separation in web applications is practically infeasible, as the HTTP link between server-side application logic and client-side application interface requires an intermixing of protocol, data and code fragments within a single continuous character stream.
  • HTTP is a stateless protocol without a native session or authentication tracking concept.
  • Users are not aware of general or application specific threats. Protecting against these threats (incl. to know which security indicators to trust) is nowadays difficult and time consuming.

Using this fragile basis, critical applications are created, that long have left the strict client-server paradigm, on which the Web was initially built. Instead, scenarios are realized that involve several mutually distrusting entities in a single security and application context. In many cases the browser is the link that connects the remote parties, either via direct JavaScript inclusion, web mashups, or through the usage of web protocols, such as OpenID and OAuth.

The accumulated ballast of the last two decades of web evolution, the ever growing functional demands of sophisticated web applications and the ambitious vision of the web platform's drivers creates an exciting tension field which is in constant conflict with the required security assurances of high value business applications.

Since approximately ten years, academic security and privacy research has recognized the importance of the web platform and the unique characteristics and challenges of the web security and privacy topic. And while specific techniques, that originated from academic research, such as the Content Security Policy, have been adapted in practice, the fundamental security problems of the web remain and the overall vulnerability landscape is getting worse, as it can be seen in the constant flow of reported web security issues in bug trackers and vulnerability databases.

Academic web security research has started 2007 and usable security research started almost at the same time. In the context of this Dagstuhl Seminar, we will revisit the lessons learned from the last decade and revisit the success stories and mistakes that have been made. Questions, that have to be raised in include "What has worked?", "What has been taken up by industry?", "What failed and why?", and -- most importantly -- "What did we learn?"

Seminar Objectives

Today, several unconnected groups drive the topic, including Security, Privacy as well as Usable Security & Privacy Academics, standardization, and browser vendors. The seminar will facilitate essential exchange between them. This will allow academia to directly influence browser vendors and standardization representatives, and allow industry representatives to influence the research community.



The seminar was well attended with 39 participants. A good balance of European and American researchers was present. Furthermore, the group represented a nice mix of participants of academia and industry. Compared to the previous editions, not only researchers from the web security area participated but also from the field of human factors in security.


This was the third Dagstuhl seminar on Web application security. The seminar's organisation combined overview presentation of various subfields, highlight talks, and discussions in working groups. In particular the overview presentations were important to connect the two research fields web security from a more technical point of view and human factors in security. This way, also a good, comprehensive view on current activities and open problems in the realm of Web application security in particular from a user's point of view could be achieved and areas for potential future collaborations could be identified.


The following people presented either an overview of their research field, very recent research results or overarching observations on the field of web application security. Please also refer to Section~ ef{sec:abstracts} for selected talk abstracts.

  • Stefano Calzavara, University of Venezia, IT: REASON - A programmable architecture for secure browsing
  • Luca Compagna, SAP Labs France - Mougins, FR: Analysis & Detection of Authentication Cross-Site Request Forgeries
  • Lieven Desmet, KU Leuven, BE: Detecting and Preventing Malicious Domain Registrations in the .eu TLD
  • Steven Englehardt, Mozilla - Mountain View, US: No Boundaries: Data exfiltration by directly embedded tracking scripts
  • Thomas Gross, Newcastle University, GB: Investigating Cognitive and Affective Predictors Impacting Password Choice
  • Mario Heiderich, Cure53 - Berlin, DE, DOMPurify: Client-Side Protection Against XSS and Markup Injection
  • Boris Hemkemeier, Commerzbank AG - Frankfurt, DE: Web application security in vulnerable environments
  • Martin Johns, TU Braunschweig, DE: WebAppSec @ Dagstuhl - The Third Iteration
  • Christoph Kerschbaumer, Mozilla - San Francisco, US: Could we use Information Flow Tracking to generate more sophisticated blacklists?
  • Pierre Laperdrix, Stony Brook University, US: Browser fingerprinting: current state and possible future
  • Sebastian Lekies, Google Switzerland - Zürich, CH: Trusted Types: Prevent XSS with this one simple trick!
  • Benjamin Livshits, Imperial College London, GB: Browser Extensions for the Web of Value
  • Marius Musch, TU Braunschweig, DE: On measurement studies and reproducibility
  • Lukasz Olejnik, Independent researcher, W3C TAG, FR: Private browsing modes guaranteed. On the example of Payment Request API
  • Juan David Parra, Universität Passau, DE: Computational Resource Abuse through the Browser
  • Giancarlo Pellegrino, Stanford University, US: Removing Browsers from the Equation: A New Direction for Web Application Security
  • Tamara Rezk, INRIA Sophia Antipolis, FR: Content Security Policy Challenges
  • Konrad Rieck, TU Braunschweig, DE: Beyond the Hype: Web Security and Machine Learning?
  • Andrei Sabelfeld, Chalmers University of Technology - Göteborg, SE: A Challenge for Web of Things: Securing IoT Apps
  • Sebastian Schinzel, FH Münster, DE: Handling HTML Emails after the Efail Attacks
  • Zubair Shafiq, University of Iowa - Iowa City, US: The Arms Race between Ad Tech vs. Adblockers: Key Challenges and Opportunities
  • Lynsay Shepherd, Abertay University - Dundee, GB: How to Design Browser Security and Privacy Alerts
  • Dolière Francis Somé, INRIA Sophia Antipolis, FR: The Same Origin Policy and Browser Extensions
  • Ben Stock, CISPA - Saarbrücken, DE: Persistent Client-Side Cross-Site Scripting in the Wild
  • Melanie Volkamer, KIT - Karlsruher Institut für Technologie, DE: Web Security Meets Human Factors in Security
  • Mike West, Google - München, DE: HTTP State Tokens


This seminar was the third Dagstuhl Seminar von Web Application Security, following Seminar 09141 (2009) and Seminar 12401 (2012). Thus, it was a great opportunity to reflect on a decade of web security research. In 2009 the field was largely undefined and that year's seminar offered a wild mix of various topics, some with lasting impact and many that went nowhere. Where the 2009 seminar was overly broad, the 2012 iteration had a comparatively narrow focus as the seminar was dominated by the notion that solving web security mainly revolves around solving the security properties of JavaScript.

This year's seminar reflected the ongoing maturing of the topic very well. Fundamental problems, such as Cross-site Scripting or the Web Browser security model, are well explored and their understanding served as a great foundation for the seminar's discussions. This allowed the extension of the topic toward important facets, such as privacy problems or human factors. While the addressed topics were too broad and the time for overarching discussions was limited due to the three-day format of the seminar, the sparked discussions were fruitful for several follow-up activities (see above). An underlying theme of the seminar can be summarized as "the last decade of web security has broad good progress and development but the overall problem is still neither fully understood nor solved". Especially, the newly introduced dimension of integrating human factors in security, which was reflected through including several high-profile members of this community in the seminar, is still immature.

One of the seminar's prime objectives has been reached very nicely: The fostering of collaboration between the different web security communities. For one, several compelling interactions between practitioners from industry (such as SAP, Commerzbank and Cure53) and researcher from academia took place. Furthermore, thanks to the fact that all major web browser vendors (plus the new privacy-centric browser Brave) were represented at the seminar, both cross-browser vendor interaction as well as browser/academia collaborations were initiated, with the browser-based sanitizer initiative (see breakout session 4.3) being a prominent example.

Summary text license
  Creative Commons BY 3.0 Unported license
  Martin Johns, Nick Nikiforakis, Melanie Volkamer, and John Wilander

Dagstuhl-Seminar Series


  • Security / Cryptology
  • World Wide Web / Internet


  • Web Security


In der Reihe Dagstuhl Reports werden alle Dagstuhl-Seminare und Dagstuhl-Perspektiven-Workshops dokumentiert. Die Organisatoren stellen zusammen mit dem Collector des Seminars einen Bericht zusammen, der die Beiträge der Autoren zusammenfasst und um eine Zusammenfassung ergänzt.


Download Übersichtsflyer (PDF).

Dagstuhl's Impact

Bitte informieren Sie uns, wenn eine Veröffentlichung ausgehend von Ihrem Seminar entsteht. Derartige Veröffentlichungen werden von uns in der Rubrik Dagstuhl's Impact separat aufgelistet  und im Erdgeschoss der Bibliothek präsentiert.


Es besteht weiterhin die Möglichkeit, eine umfassende Kollektion begutachteter Arbeiten in der Reihe Dagstuhl Follow-Ups zu publizieren.