September 30 – October 5, 2012, Dagstuhl Seminar 12401

Web Application Security


Lieven Desmet (KU Leuven, BE)
Martin Johns (SAP SE – Karlsruhe, DE)
Ben Livshits (Microsoft Corporation – Redmond, US)
Andrei Sabelfeld (Chalmers UT – Göteborg, SE)



Dagstuhl Report, Volume 2, Issue 10


Since its birth in 1990, the web has evolved from a simple, stateless delivery mechanism for static hypertext documents to a fully-fledged run-time environment for distributed multi-party applications. Recently, web technologies have gradually shifted from a central server technology towards a rich/stateful client paradigm and lively interaction models. The wave of popular peer-to-peer web applications and web mashup applications confirms this emerging trend. But the shift away from the server-centered paradigm poses a significant challenge: securing web applications in the presence of multiple stakeholders, including security-ignorant end users. This motivates the need for solid "web application security".

The seminar aimed to address the open question of how to protect against the pervasive threats to web applications. Some of the key objectives put forward are (i) surveying the state of the art to consolidate and structure it, (ii) identifying key challenges, and (iii) brainstorming on new ideas and approaches towards resolving these challenges. The inception of this Dagstuhl seminar was strongly inspired by the following emerging trends and challenges in the web security landscape:

  • Fine-grained access control. Fine-grained access control policies define how the application authenticates and authorizes end users, from which application contexts the application can be consulted, and which interaction sequences maintain the application's integrity (i.e. control-flow integrity). Our objective is to address a range of questions, from the formal foundations of authentication policies and protocols to the practicalities of authentication such as secure session management.
  • Information-flow control. Information-flow control specifies how sensitive data, possibly originating from multiple content providers in multiple trust domains, can be used in data aggregations, and client-side and server-side processing as is typically done in mashups. Challenges here include reconciling information-flow policies from several involved parties, with possibly conflicting goals. Moreover, tracking end-to-end information flow in web applications remains an open question. Our objective is enhanced understanding of how to make information-flow control policies and mechanisms practical in a web setting.
  • Secure composition. Secure composition policies specify how active third-party components, for instance written in JavaScript, can be securely integrated into applications via client-side and server-side mashups. By nature, web mashups depend heavily on interaction and communication across different origins, yet mashup security relies on separation techniques for protecting both code and data. As a result, traditional HTML techniques (mainly based on the same-origin policies) fail to address both the interaction and the separation needs. We will explore principled approaches to the delicate balance between interaction and separation in secure composition.
  • Cross-domain interaction. One of the original and still unresolved problems of the web is the inherent incompatibility between the cross-domain nature of the hyperlink and the same-origin security policy of its active content. In the recent past the situation has become even more complex with the introduction of client-side primitives for cross-domain interaction, such as CORS. Our objective is to assess the impact of current developments and identify promising directions for solutions.
  • Recent advances in JavaScript and HTML5. There are several technological advances in the latest versions of JavaScript (such as strict mode, frozen objects, proxies and SES) that might contribute to the security of web applications. In addition, the research community has made important steps forward in understanding and improving the language by formalizing its semantics. At the same time, web specifications (including HTML5 and CSP) are adding many new features as well as security measures to the browsing environment. Our objective was to have an enhanced understanding of the latest trends and research advances in JavaScript and HTML5 with respect to security.

The Dagstuhl seminar on Web Application Security was a timely follow-up to the previous Dagstuhl seminar on this topic in 2009. The research domain has been maturing over the last five years, and new challenges have emerged, such as client-side complexity, the need for information-flow control enforcement, and the hardening of JavaScript code.

The seminar brought together 44 web security researchers from companies and research institutions across Europe and the US. The seminar had a well-filled program, with 3 keynotes, 28 research talks, and 15 5-minute talks. As web application security is a broad research domain, a diverse set of recent research results was presented during the talks, covering the web security vulnerability landscape, information-flow control, JavaScript formalization, JavaScript confinement, and infrastructure and server hardening.

In addition to the plenary program, the seminar also featured three parallel break-out sessions on Cross-Site Scripting (XSS), JavaScript, and information-flow control. The main goal of the break-out sessions was to informally discuss the most important state-of-the-art work, as well as to identify the main challenges and directions for future research, as documented in this report.

Finally, the organizers of the Dagstuhl seminar have set up a Special Issue on Web Application Security as part of the Journal of Computer Security, specifically devoted to a selection of promising results presented at the seminar. Four participants have been invited to submit an extended paper based on their talk to the special issue, and the manuscripts are currently under review.



  • Programming Languages / Compiler
  • Security / Cryptology
  • World Wide Web / Internet


  • Application security
  • Secure interaction
  • Information flow
  • Secure composition
  • Web 2.0

