
Dr. ir. Lieven Desmet

Lieven Desmet is Research Manager on Secure Software within the DistriNet Research Group at the Katholieke Universiteit Leuven, where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and the security of middleware and web-enabled technologies. He is on the board of the OWASP Belgium chapter.


Description

Advanced web application security

Learning objectives

Understand

  • cross-domain web interactions and their security impact,
  • Cross-Site Request Forgery and the possible mitigation techniques,
  • enabling technologies for secure web mashups.

Overview

This web application security module goes beyond classical web application vulnerabilities (such as injection attacks), and focuses on advanced security topics in current web applications. In particular, Cross-Site Request Forgery (CSRF) and web mashup security are studied and discussed in more detail.

Cross-Site Request Forgery (CSRF) is a web application attack vector in which an attacker forces an unwitting user's browser to send requests to a third-party website on the attacker's behalf. Because the browser automatically attaches the user's cached credentials (session cookies, HTTP authentication) to those requests, the target site cannot tell them apart from requests the user intended. In 2007, CSRF was listed as one of the most serious web application vulnerabilities in the OWASP Top Ten. In 2008, Zeller and Felten documented a number of serious CSRF vulnerabilities in high-profile websites, among which was a vulnerability in the home banking website of ING Direct.

Currently, a whole range of techniques exist to mitigate CSRF, either by protecting the server application or by protecting the end-user (e.g. via a browser extension or a client-side proxy). The server-side protection mechanisms offer the best guarantees, but are not yet widely adopted. Most of the client-side solutions provide only limited protection or cannot deal with complex web 2.0 applications that use techniques such as AJAX, mashups or single sign-on (SSO).

Apart from Cross-Site Request Forgery, this module also investigates the security requirements of web mashups. Mashups compose existing and new services into new web applications in a flexible and lightweight way. A mashup is in fact an aggregation of data and/or functionality from different sources, possibly spread over multiple trust domains.

Components from multiple stakeholders are involved in such a web mashup, each with their own security requirements. Secure composition demands strong separation guarantees (e.g. isolating each component's part of the DOM tree from the other components), but also requires a way for separated components to interact securely.
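As an added example (not code from the session), the two requirements above can be met with a third-party gadget loaded in a separate-origin iframe, which gives DOM isolation, and a postMessage channel for the controlled interaction. The channel is only as secure as the receiver's checks, so the code below shows a receiver that validates event.origin and the message shape and treats the payload strictly as data, plus a sender that names an explicit target origin. The origins, the message format and the fake window object are assumptions made for the demonstration; in a page the handler would be registered with window.addEventListener("message", ...).

```javascript
// Added example: secure component interaction in a mashup via postMessage.
// Origins, message shape and the fake window are constructed for this demo.
const INTEGRATOR_ORIGIN = "https://mashup.example";   // assumed integrator page
const GADGET_ORIGIN = "https://maps-gadget.example";  // assumed third-party gadget

// Receiver on the integrator side. Accepts only messages from the gadget's
// origin and only of a known shape; the payload is never evaluated, and the
// sink is expected to render it as text (textContent), not as HTML.
function makeIntegratorHandler(allowedOrigin, sink) {
  return function onMessage(event) {
    if (event.origin !== allowedOrigin) {
      return { accepted: false, reason: "origin " + event.origin + " not allowed" };
    }
    let msg = event.data;
    if (typeof msg === "string") {
      try { msg = JSON.parse(msg); } catch (e) { return { accepted: false, reason: "malformed" }; }
    }
    if (!msg || typeof msg !== "object" || msg.type !== "selection" || typeof msg.placeId !== "string") {
      return { accepted: false, reason: "unexpected message shape" };
    }
    sink(msg.placeId);
    return { accepted: true };
  };
}

// Sender on the gadget side. The explicit targetOrigin (never "*") means the
// message is dropped if the integrator frame has been navigated elsewhere.
function sendSelection(targetWindow, placeId) {
  targetWindow.postMessage(JSON.stringify({ type: "selection", placeId }), INTEGRATOR_ORIGIN);
}

function runMashupDemo() {
  const received = [];
  const handler = makeIntegratorHandler(GADGET_ORIGIN, (id) => received.push(id));

  // Constructed stand-in for window.parent that records what was posted.
  const fakeIntegratorWindow = {
    posted: [],
    postMessage(data, targetOrigin) { this.posted.push({ data, targetOrigin }); },
  };
  sendSelection(fakeIntegratorWindow, "place-42");
  const sent = fakeIntegratorWindow.posted[0];

  // Three deliveries the integrator might see: the gadget's own message, the
  // same payload from an unrelated origin, and a well-origined but unexpected type.
  const fromGadget = handler({ origin: GADGET_ORIGIN, data: sent.data });
  const fromAttacker = handler({
    origin: "https://evil.example",
    data: JSON.stringify({ type: "selection", placeId: "hijacked" }),
  });
  const badShape = handler({
    origin: GADGET_ORIGIN,
    data: JSON.stringify({ type: "eval", code: "alert(1)" }),
  });

  return {
    targetOrigin: sent.targetOrigin,        // "https://mashup.example"
    fromGadget: fromGadget.accepted,        // true
    fromAttacker: fromAttacker.accepted,    // false
    badShape: badShape.accepted,            // false
    received,                               // ["place-42"]
  };
}

console.log(runMashupDemo());
```

The isolation side is not shown in code because it is declarative: the gadget lives in an iframe on its own origin (optionally with a sandbox attribute), so it cannot touch the integrator's DOM at all, and the only way in is the validated channel above. Full isolation is the case where no handler is registered; full interaction would be a same-origin script include, which gives up the separation guarantee entirely.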

In this talk, we will gain more insight into cross-domain web interactions and the security requirements of web mashups. In addition, client-side and server-side mitigation techniques against CSRF will be compared and discussed. Finally, an overview of enabling technologies for securing web mashups will be presented, ranging from full interaction between components to full isolation.

Partners:

Solvay Brussels School of Economics and Management Katholieke Universiteit Leuven

Affiliated organizations:

OWASP NESSoS STREWS

Contents of the secappdev.org website are licensed under a Creative Commons Attribution-NonCommercial 3.0 License.