Dagstuhl-Seminar "Web Application Security"

Event date: 2018-08-05


Melanie Volkamer (TU Darmstadt, DE / Karlstad University, SE)
Martin Johns (SAP SE – Karlsruhe, DE)
Nick Nikiforakis (Stony Brook University, US)
John Wilander (Apple Computer Inc. – Cupertino, US)


Since its birth in 1990, the Web has evolved from a simple, stateless delivery mechanism for static hypertext documents to a fully-fledged run-time environment for distributed, multi-party applications. Even today, there is still a continuous demand for new features and capabilities which drives the Web’s evolution onwards. This unplanned and often chaotic development has led to several deeply ingrained security and privacy problems that plague the platform:

  • The Web’s original hypertext, multi-origin nature, which is manifested in the design of HTML and HTTP, is in fundamental conflict with JavaScript’s Same-Origin Policy, the Web’s most important security mechanism.
  • Important security properties, such as end-to-end communication security or endpoint identity, are outside of the control of the actual applications. Instead, they depend on the security of external entities, such as domain name servers or certificate authorities.
  • Data/code separation in web applications is practically infeasible, as the HTTP link between server-side application logic and client-side application interface requires an intermixing of protocol, data and code fragments within a single continuous character stream.
  • HTTP is a stateless protocol without a native session or authentication tracking concept.
  • Users are not aware of general or application-specific threats. Protecting against these threats (including knowing which security indicators to trust) is nowadays difficult and time consuming.
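The third point above, the lack of data/code separation, is easiest to see in a response body assembled by string concatenation. The following is an added example, not code from the seminar page or from any of the organizers: a hypothetical server-side template `renderGreeting` writes a user-supplied value into the HTML stream, a constructed input that merely contains markup characters is reinterpreted as an element when written raw, and contextual encoding (`encodeHtml`, written here for the example) keeps it as data. `countTags` is a deliberately minimal stand-in for the browser's parser, constructed for this example only.

```javascript
// Added example (not from the seminar page): data and markup travel in one
// character stream, so unencoded data can turn into markup at the client.

// Encode the characters that carry structural meaning in HTML text and
// quoted-attribute contexts. This is the minimal mitigation for the text
// context; other contexts (URL, JavaScript, CSS) need their own encoders.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical server-side template: protocol framing, markup (code) and the
// user-controlled value (data) are concatenated into one string, exactly the
// "intermixing within a single continuous character stream" described above.
function renderGreeting(name, encode) {
  const value = encode ? encodeHtml(name) : name;
  return `<p>Hello, <span class="user">${value}</span>!</p>`;
}

// Stand-in for the browser's HTML parser, constructed for this example: it
// counts start tags, which is enough to show how many elements the client
// would create from the response. It is not a real parser.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Compare the element count of a raw vs. an encoded rendering of one input.
function compareRenderings(name) {
  const raw = renderGreeting(name, false);
  const encoded = renderGreeting(name, true);
  return {
    raw,
    encoded,
    rawTags: countTags(raw),          // extra elements = data became code
    encodedTags: countTags(encoded),  // template's own elements only
  };
}

// Constructed sample input: ordinary-looking data that happens to contain
// characters with structural meaning in HTML.
const sampleName = 'Smith & <b>Sons</b>';

const result = compareRenderings(sampleName);
console.log(result.raw);          // the <b> becomes a third element
console.log(result.encoded);      // stays text: &lt;b&gt;Sons&lt;/b&gt;
console.log(result.rawTags, result.encodedTags); // 3 2
```

The two counts differ only because the client cannot tell, from the byte stream alone, which `<` the server meant as markup and which it meant as data; the encoder restores that distinction by making the data unambiguous for the text context it lands in. The same value placed inside a `<script>` block or an `href` attribute would need a different encoder, which is why the separation cannot be solved once for the whole stream.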
