End-to-end web application security

Authors:
Úlfar Erlingsson;Benjamin Livshits;Yinglian Xie
Affiliations:
Microsoft Research;Microsoft Research;Microsoft Research
Venue:
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Year:
2007

Citing 13
Cited 16

End-to-end arguments in system design

ACM Transactions on Computer Systems (TOCS)
IRM Enforcement of Java Stack Inspection

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Static approximation of dynamically generated Web pages

WWW '05 Proceedings of the 14th international conference on World Wide Web
Detecting Malicious JavaScript Code in Mozilla

ICECCS '05 Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
JavaScript instrumentation for browser security

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Defeating script injection attacks with browser-enforced embedded policies

Proceedings of the 16th international conference on World Wide Web
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
BrowserShield: vulnerability-driven filtering of dynamic HTML

OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Ajax Security

Ajax Security
SessionSafe: implementing XSS immune session handling

ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security

Using web application construction frameworks to protect against code injection attacks

Proceedings of the 2007 workshop on Programming languages and analysis for security
Protectit: trusted distributed services operating on sensitive data

Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Better abstractions for secure server-side scripting

Proceedings of the 17th international conference on World Wide Web
Lightweight self-protecting JavaScript

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Ripley: automatically securing web 2.0 applications through replicated execution

Proceedings of the 16th ACM conference on Computer and communications security
Object views: fine-grained sharing in browsers

Proceedings of the 19th international conference on World wide web
Towards health 2.0: mashups to the rescue

NGITS'09 Proceedings of the 7th international conference on Next generation information technologies and systems
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed

CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Symbolic security analysis of ruby-on-rails web applications

Proceedings of the 17th ACM conference on Computer and communications security
Supporting dynamic, third-party code customizations in JavaScript using aspects

Proceedings of the ACM international conference on Object oriented programming systems languages and applications
Towards privacy-enhancing identity management in mashup-providing platforms

DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
SessionShield: lightweight protection against session hijacking

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Designing and Implementing the OP and OP2 Web Browsers

ACM Transactions on the Web (TWEB)
SessionJuggler: secure web login from an untrusted terminal using session hijacking

Proceedings of the 21st international conference on World Wide Web
Securing web-clients with instrumented code and dynamic runtime monitoring

Journal of Systems and Software

Quantified Score

Hi-index	0.00

Visualization

Abstract

Web applications are important, ubiquitous distributed systems whose current security relies primarily on server-side mechanisms. This paper makes the end-to-end argument that the client and server must collaborate to achieve security goals, to eliminate common security exploits, and to secure the emerging class of rich, cross-domain Web applications referred to as Web 2.0. In order to support end-to-end security, Web clients must be enhanced. We introduce Mutation-Event Transforms: an easy-to-use client-side mechanism that can enforce even fine-grained, application-specific security policies, and whose implementation requires only straightforward changes to existing Web browsers. We give numerous examples of attractive, new security policies that demonstrate the advantages of end-to-end Web application security and of our proposed mechanism.