Noxes: a client-side solution for mitigating cross-site scripting attacks
Proceedings of the 2006 ACM symposium on Applied computing
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
Ripley: automatically securing web 2.0 applications through replicated execution
Proceedings of the 16th ACM conference on Computer and communications security
ESCUDO: A Fine-Grained Protection Model for Web Browsers
ICDCS '10 Proceedings of the 2010 IEEE 30th International Conference on Distributed Computing Systems
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Enforcing request integrity in web applications
DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Contego: capability-based access control for web browsers
TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing
Re-designing the web's access control system
DBSec'11 Proceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
| Hi-index | 0.00 |
As the Web has become more and more ubiquitous, the number of attacks on web applications have increased substantially. According to a recent report, over 80 percent of web applications have had at least one serious vulnerability. This percentage is alarmingly higher than traditional applications. Something must be fundamentally wrong in the web infrastructure. Based on our research, we have formulated the following position: when choosing the stateless framework for the Web, we ignored a number of security properties that are essential to applications. As a result, the Trusted Computing Base(TCB) of the Web has significant weaknesses. To build secure stateful applications on top of a weakened TCB, developers have to implement extra protection logic in their web applications, making development difficult and error prone, and thereby causing a number of security problems in web applications. In this paper, we will present evidence, justification, and in-depth analysis to support this position.