March 29 – April 3 , 2009, Dagstuhl Seminar 09141

Web Application Security


Dan Boneh (Stanford University, US)
Ulfar Erlingsson (Reykjavik University, IS)
Martin Johns (Universität Passau, DE)
Benjamin Livshits (Microsoft Corporation – Redmond, US)

For support, please contact

Dagstuhl Service Team


Dagstuhl Seminar Proceedings DROPS
List of Participants


Security of Web applications has become increasingly important over the last decade. This is not at all surprising: Web applications are now ubiquitous, spanning the spheres of e-commerce, healthcare, finance, and numerous other areas. More and more Web-based enterprise applications deal with sensitive financial and medical data, which, if compromised, in addition to downtime can mean millions of dollars in damages. It is crucial to protect these applications from malicious attacks. Yet, to date, a great deal of attention has been given to network-level attacks such as port scanning, even though, about 75% of all attacks against Web servers target Web-based applications, according to recent surveys. Traditional defense strategies such as firewalls do not protect against Web application attacks, as these attacks rely solely on HTTP traffic, which is usually allowed to pass through firewalls unhindered. Thus, attackers typically have a direct line to Web applications. Furthermore, traditional vulnerabilities such as buffer overruns, pervasive in applications written in C and C++, that have been the subject of intense for over a decade are now largely superseded by Web applications vulnerabilities such as cross-site scripting, SQL injection, and session riding attacks.

Web applications have progressed a great deal in the last decade since their humble beginnings as CGI scripts. Todays Web applications are sophisticated multi-tier systems that are built on top of complex software stacks. Web applications are also distributed: a Web application typically includes both a server-side component running on top of an application server such as JBoss, as well as a client-side component that usually consists of HTML and JavaScript. Consequently, Web application security touches upon many aspects of systems research. The topic of Web application security has attracted researchers from diverse backgrounds in recent years. In addition to core security experts, this includes specialists in programming languages, operating systems, and hardware. Similarly, the research directions proposed so far range from improving security through Web browser changes to low-level hardware-level support and in-depth analysis of server code. Last but not least, much work remains to be done in social engineering for security as applied to Web applications.

The last several years have seen dramatic changes inWeb application development. We are now in the middle of the Web 2.0 revolution, triggered by demand for better, more interactive user experience and enabled by Ajax (asynchronous JavaScript and XML). However, extra functionality of rich-client applications is generating new security concerns. A good example of that is JavaScript worms, which first emerged in 2005 and have grown increasingly popular in the last year or so. JavaScript worms take advantage of the ability of the Web client to programmatically issue server requests through Ajax to propagate malicious payload.

The seminar was well attended with 38 participants. A good balance of European and American researchers was present. Furthermore, the group represented a nice mix of participants of academia and industry (including members of companies such as Mozilla, Microsoft, SAP, and Google).

This was the first Dagstuhl seminar on Web application security. In addition, academic research on this topic is a rather young discipline. For this reason, the seminar’s organisation favored presentations over open workgroups or plenum style discussions. This way, a good, comprehensive view on current activities and open problems in the realm of Web application security could be achieved.

Since the seminar took place, the underlying research of most talks has been presented at conferences and the corresponding papers have been published in the associated proceedings. Hence, we list a comprehensive list of publications that are directly associated with the seminar’s content in the bibliography of this document.

The seminar was perceived as highly inspiring by the participants. In consequence, it had a fertilizing effect on follow-up activities: Besides various informal collaborations that resulted from discussions in Dagstuhl, we would like to single out two results which directly can be attributed to the seminar: For one, during the seminar the observation was made, that Europe at that point in time did not offer a compelling venue for academic Web application research. For this reason, a set of present participants decided to pursue this issue. The result of this effort was the OWASP AppSec Research conference, which had its first iteration in June 2010 in Stockholm. Furthermore, based on initial discussions during the seminar, a consortium formed for further collaboration in a larger research project. This resulted in a successful proposal for a EU FP7 project. Out of the five primary drivers of the proposal, four (in the form of the seminar participants from SAP, Chalmers, KU Leuven, and Uni Passau) had met at the seminar. The project is called WebSand and will start in October 2010 its three year run. It will target research questions in the field of Web application security in multi-party scenarios.

The dominant result of the seminar was that the field of Web application security research simply does not exist. Instead, the topic is approached from a highly heterogeneous set of directions, ranging from low-level vulnerability countermeasures, through ad-hoc run-time enforcement mechanisms, over security protocol analysis, to fully formalized typing approaches. Research in this field has to be agile and versatile as even the most fundamental building blocks of the young application paradigm are still evolving and constantly changing – sometimes for the better, sometimes for the worse from a security point of view. The fight for secure Web applications is still an uphill battle. We live in interesting times.

Dagstuhl Seminar Series


  • Web
  • Security / Cryptography
  • Programming Languages / Compiler


  • Web applications
  • Security
  • Ajax
  • Web 2.0
  • Analysis for security
  • Browser design
  • Distributed applications


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.