Please prepare a term paper on the topic "Web Programming and Security".
Style Guidelines
The title of the paper
Your proposed problem statement
Required Format for Term Papers
Term papers for this class must be organized in five parts: an introduction, a review of the literature, a discussion, conclusions and suggestions for future research, and a reference section. The following outline illustrates the required format. Each of the items numbered with Roman numerals should have a heading in the paper. Each required section is discussed further below.
I. Introduction
   A. Introductory Paragraph
   B. Statement of the Problem
   C. Rationale
II. Review of the Literature
III. Discussion
IV. Conclusions and Suggestions for Future Research
V. References
An abstract; a description of what you intend to cover. This should be no more than one double-spaced page.
Identification of at least three of the required references.
Solution
"Web Programming and Security"
I. Introduction
The World Wide Web has evolved from a system that delivers static pages into a platform that supports distributed applications, known as web applications, and has become one of the most prevalent technologies for delivering information and services over the Internet. The increasing popularity of web applications can be attributed to several factors, including remote accessibility, cross-platform compatibility and fast development. AJAX (Asynchronous JavaScript and XML) further improves the user experience of web applications through better interactivity and responsiveness.
As web applications are increasingly used to deliver security-critical services, they have become a valuable target for attack. Many web applications interact with back-end database systems that store sensitive information (e.g., financial or health records), so the compromise of a web application can expose an enormous amount of data, leading to severe economic losses and to ethical and legal consequences. The Verizon data breach investigations report [1] shows that web applications now reign supreme in both the number of breaches and the amount of data compromised.
II. Statement of the Problem
The Web platform is a complex ecosystem composed of a large number of components and technologies, including the HTTP protocol, web servers and server-side application development technologies, and web browsers and client-side technologies. Web applications built and hosted on such a complex infrastructure face inherent challenges posed by the features of those components and technologies and by the inconsistencies among them. Widely used web application development and testing frameworks, on the other hand, offer limited security support. Secure web application development is therefore an error-prone process that requires substantial effort, which can be unrealistic under time-to-market pressure and for developers with insufficient security skills or awareness. As a result, a high percentage of the web applications deployed on the Internet are exposed to security vulnerabilities. According to a report by the Web Application Security Consortium [2], about 49% of the web applications reviewed contain vulnerabilities of high risk level, and more than 13% of the websites can be compromised completely automatically. A more recent report from WhiteHat Security [3] reveals that over 80% of websites have had at least one serious vulnerability.
Past research and experience reveal that different tools can have different effects on application security. The software engineering and software development communities have learned that an effective way to preclude buffer overflow vulnerabilities when developing a new application is simply to use a language that offers automatic memory management. The same principle applies to web development: a framework whose data-access and templating layers make parameterized queries and output encoding the default removes whole classes of injection bugs, instead of relying on every developer to remember the safe form each time.
III. Rationale
Challenges in the web security landscape:
(A) Fine-grained access control. Fine-grained access control policies define how the application authenticates and authorizes end users, from which application contexts the application can be consulted, and which interaction sequences maintain the application's integrity (i.e., control-flow integrity). Our objective is to address a range of questions, from the formal foundation of authentication policies and protocols to the practicalities of authentication such as secure session management.
(B) Information-flow control. Information-flow control specifies how sensitive data, possibly originating from multiple content providers in multiple trust domains, can be used in data aggregations and in client-side and server-side processing, as is typically done in mashups. Challenges here include reconciling information-flow policies from several involved parties with possibly conflicting goals. Moreover, tracking end-to-end information flow in web applications remains an open question. Our objective is to establish an enhanced understanding of how to make information-flow control policies and mechanisms practical in a web setting.
(C) Secure composition. Secure composition policies specify how active third-party components, for instance written in JavaScript, can be securely integrated into applications via client-side and server-side mashups. By nature, web mashups depend heavily on interaction and communication across different origins, yet, contradictorily, mashup security relies on separation techniques for protecting both code and data. As a result, traditional HTML techniques (mainly based on the same-origin policy) fail to address both the interaction and the separation needs. We want to explore principled approaches to achieving the delicate balance between interaction and separation in secure composition.
(D) Cross-domain interaction. One of the original and still unresolved problems of the web is the inherent incompatibility between the cross-domain nature of the hyperlink and the same-origin security policy of its active content. In the recent past the situation has become even more complex with the introduction of client-side primitives for cross-domain interaction, such as CORS. Our objective is to assess the impact of current developments and identify promising directions for solutions.
(E) Recent advances in JavaScript and HTML5. There are several technological advances in the latest versions of JavaScript (such as strict mode, frozen objects, proxies and SES) that might contribute to the security of web applications. In addition, the research community has made important steps forward in understanding and improving the language by formalizing its semantics. At the same time, web specifications (including HTML5 and CSP) are adding many new features as well as security measures to the browsing environment. Our objective is to have an enhanced understanding of the latest trends and research advances in JavaScript and HTML5 with respect to security.
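The following example, added here and not taken from the paper or any project it cites, ties (C) secure composition to (E) frozen objects and strict mode. A host page hands a small API object to an untrusted third-party gadget; the gadget code is stood in for by a plain function in the same file. All names (deepFreeze, makeHostApi, attemptTampering) are hypothetical. Strict mode is declared inside the gadget function so that a write to a frozen object throws a TypeError rather than failing silently, whatever mode the surrounding file is loaded in. SES goes further and freezes the language's built-in objects as well; this example freezes only the host's own API.

```javascript
// Added example (hypothetical names): freezing a host API object so that
// third-party gadget code cannot rewire it.

// Freeze an object graph recursively. Freezing first and recursing second lets
// cycles (e.g. fn.prototype.constructor) terminate via Object.isFrozen.
// Only data properties are followed, so no accessor is ever invoked.
function deepFreeze(obj) {
  Object.freeze(obj);
  for (const key of Reflect.ownKeys(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (!desc || !('value' in desc)) continue;
    const value = desc.value;
    const isRef = (typeof value === 'object' && value !== null) || typeof value === 'function';
    if (isRef && !Object.isFrozen(value)) deepFreeze(value);
  }
  return obj;
}

// The host's API surface. With freeze: true (the default) the gadget gets a
// read-only object graph; freeze: false models the naive "just pass an object" integration.
function makeHostApi({ freeze = true } = {}) {
  const messages = [];
  const api = {
    version: '1.0',
    // The gadget may post a message; the host, not the gadget, decides what happens to it.
    postMessage(text) {
      messages.push(String(text).slice(0, 140));
      return messages.length;
    },
    // Return a copy so the gadget cannot edit the host's own list.
    sent() { return messages.slice(); },
  };
  return freeze ? deepFreeze(api) : api;
}

// Stands in for third-party gadget code. Each attempt records whether the
// platform blocked it (true) or let it through (false).
function attemptTampering(api) {
  'use strict';
  const blocked = {};
  try { api.postMessage = () => 'spy'; blocked.replaceMethod = false; }
  catch (e) { blocked.replaceMethod = e instanceof TypeError; }
  try { api.leak = 'x'; blocked.addProperty = false; }
  catch (e) { blocked.addProperty = e instanceof TypeError; }
  try { delete api.version; blocked.deleteProperty = false; }
  catch (e) { blocked.deleteProperty = e instanceof TypeError; }
  try { Object.setPrototypeOf(api, { isAdmin: true }); blocked.swapPrototype = false; }
  catch (e) { blocked.swapPrototype = e instanceof TypeError; }
  return blocked;
}
```

Run against makeHostApi() every attempt is blocked and the host's postMessage still works; run against makeHostApi({ freeze: false }) the gadget replaces postMessage with its own function and gives the API object a prototype carrying isAdmin, which is exactly the kind of rewiring secure composition has to prevent.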
IV. Review of the Literature
The review focuses on the problem of building secure web applications and protecting vulnerable ones. Its contributions are:
(1) We present three aspects of web application development that pose inherent challenges for building secure web applications, and identify three levels of security properties that a secure web application should hold: input validity, state integrity and logic correctness. Failure of a web application to fulfil these security properties is the root cause of the corresponding vulnerabilities, which in turn allow successful exploits.
(2) We classify existing research into three categories, security by construction, security by verification and security by protection, based on their design principle (constructing vulnerability-free web applications, identifying and fixing vulnerabilities, or protecting vulnerable web applications against exploits at runtime, respectively) and on the phase of the web application life cycle at which the security properties are assured. We do not attempt to enumerate all existing work, but we cover most of the representative work.
(3) We identify several open issues that are insufficiently addressed in the existing literature, and discuss future research opportunities in web application security and the new challenges expected ahead. The rest of this paper is structured as follows: we first illustrate the three essential security properties that a secure web application should hold, together with the corresponding vulnerabilities and attack vectors, and then categorize and illustrate the state of the art of the proposed techniques systematically.
V. Discussion
A secure web application has to satisfy the desired security properties under a given threat model. In the area of web application security, the following threat model is usually considered:
1) The web application itself is benign (i.e., not hosted or owned for malicious purposes) and is hosted on a trusted and hardened infrastructure, the trusted computing base, which includes the OS, web server, interpreter, etc.
2) The attacker is able to manipulate either the contents or the sequence of the web requests sent to the web application, but cannot directly compromise the infrastructure or the application code. Vulnerabilities within the web application implementation may violate the intended security properties and allow the corresponding exploits to succeed.
A secure web application should preserve the following stack of security properties. Input validity means that user input must be validated before the web application uses it; state integrity means that the application state must be kept untampered; logic correctness means that the application logic must execute as the developers intended. The three properties are related in that failure to preserve a property at a lower level undermines the assurance of the property at the next level up. For instance, if the web application fails to hold the input validity property, an attacker can launch a cross-site scripting attack to steal the victim's session cookie; the attacker can then hijack and tamper with the victim's web session, violating the state integrity property. In the following paragraphs we describe the three security properties and show how the unique features of web application development complicate the security design of web applications.
Given the threat model, user input data cannot be trusted. Before untrusted user data can be used in the application (e.g., to compose a web response or an SQL query), it must first be validated. We therefore refer to this security property as the input validity property: all user input should be validated correctly to ensure that the web application uses it only in the intended way.
Ensuring logic correctness is key to the functioning of web applications. Since the application logic is specific to each web application, no single description can cover every aspect. Instead, a general description that covers the most common application functionality is given as follows, which we refer to as the logic correctness property: users can only access authorized information and operations, and are required to follow the intended workflow provided by the web application.
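Both halves of the logic correctness property, authorization and the intended workflow, can be enforced in one place. The following is an added example for this paper, not code from any surveyed system: a hypothetical checkout flow (cart, address, payment, confirmed) with a single server-side entry point, handleRequest, that checks the caller owns the session, checks the requested action is allowed from the current state, and charges the server's own total rather than a client-supplied amount. All names and the in-memory store are assumptions.

```javascript
// Added example (hypothetical checkout workflow): enforcing authorization and
// the intended action sequence on the server side.

// Each state lists the actions a client may take next and the resulting state.
const TRANSITIONS = {
  cart:      { setAddress: 'address' },
  address:   { pay: 'payment' },
  payment:   { confirm: 'confirmed' },
  confirmed: {},
};

// Constructed in-memory server state; a real deployment would use a database.
function createStore() {
  return { sessions: new Map(), orders: [] };
}

function startCheckout(store, sessionId, userId, total) {
  store.sessions.set(sessionId, { userId, state: 'cart', total, paid: 0, address: null });
}

// Single entry point for every checkout request. Returns a result object
// instead of throwing so the caller can map it to an HTTP status.
function handleRequest(store, req) {
  const session = store.sessions.get(req.sessionId);
  if (!session) return { ok: false, status: 404, error: 'no such session' };

  // Authorization: the caller may only operate on its own session, whatever
  // session id it supplied (horizontal privilege check).
  if (session.userId !== req.userId) return { ok: false, status: 403, error: 'forbidden' };

  // Workflow: the action must be one the current state allows. hasOwnProperty
  // is used so that action names like "constructor" do not match keys
  // inherited from Object.prototype.
  const allowed = TRANSITIONS[session.state];
  if (!Object.prototype.hasOwnProperty.call(allowed, req.action)) {
    return { ok: false, status: 409, error: `cannot ${req.action} from ${session.state}` };
  }
  const next = allowed[req.action];

  switch (req.action) {
    case 'setAddress':
      if (typeof req.address !== 'string' || req.address.length === 0) {
        return { ok: false, status: 400, error: 'address required' };
      }
      session.address = req.address;
      break;
    case 'pay':
      // The amount charged is the server's own total; any req.amount is ignored.
      session.paid = session.total;
      break;
    case 'confirm':
      if (session.paid !== session.total) return { ok: false, status: 409, error: 'unpaid' };
      store.orders.push({ userId: session.userId, total: session.total, address: session.address });
      break;
  }
  session.state = next;
  return { ok: true, status: 200, state: session.state };
}
```

A request that jumps straight to confirm from the cart state is refused with 409, a request from another user on the same session is refused with 403, and a pay request carrying amount: 0.01 still charges the server's total; only the legitimate sequence reaches the confirmed state, and replaying confirm afterwards is refused because the confirmed state allows no further action.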
VI. Conclusions and Suggestions for Future Research
This paper has provided a comprehensive survey of recent research results in the area of web application security. We described the unique characteristics of web application development, identified the important security properties that secure web applications should preserve, and categorized existing work into three major classes. We also pointed out several open issues that still need to be addressed. Web applications have been evolving extraordinarily fast, with new programming models and technologies emerging, resulting in an ever-changing landscape for web application security with new challenges that require substantial and sustained effort from security researchers. We outline several evolving trends and point out several pioneering works as follows. First, an increasing amount of application code and logic is moving to the client side, which brings new security challenges: since client-side code is exposed, the attacker can gain more knowledge about the application and is therefore more likely to compromise the server-side application state. Second, web application logic is becoming more and more complex, which further exacerbates the absence of formal verification and robust protection mechanisms for application logic; for example, when multiple web applications are integrated through APIs, their interactions may expose logic vulnerabilities. Third, an increasing number of web applications embed third-party programs or extensions, e.g., iGoogle gadgets and Facebook games, and automatically verifying the security of third-party applications and integrating them securely is nontrivial. Last but not least, new types of attack keep emerging, e.g., the HTTP parameter pollution attack, which requires security professionals to react quickly without putting a huge number of web applications at risk.
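HTTP parameter pollution, the closing example above, exploits the fact that web stacks disagree on what a repeated query parameter means: servlet containers typically return the first value, PHP keeps the last, and ASP.NET joins all values with a comma. The following is an added example written for this paper, not code from any surveyed system, with hypothetical names (transferVulnerable, parseStrict, transferHardened) and a constructed query string. It models a front end that validates the first amount it sees and then forwards the raw query string to a backend that takes the last, beside a hardened version that requires each parameter exactly once, rejects unknown parameters, and re-serializes the validated values instead of forwarding the raw string.

```javascript
// Added example (hypothetical names): HTTP parameter pollution across two
// layers that resolve duplicate keys differently. URLSearchParams is a Node global.

function firstValue(rawQuery, key) {
  return new URLSearchParams(rawQuery).get(key);          // first occurrence wins
}
function lastValue(rawQuery, key) {
  const all = new URLSearchParams(rawQuery).getAll(key);  // last occurrence wins
  return all.length ? all[all.length - 1] : null;
}

// Vulnerable: the front end validates the first `amount`, then forwards the
// untouched query string to a backend whose parser keeps the last one.
function transferVulnerable(rawQuery) {
  const amount = Number(firstValue(rawQuery, 'amount'));
  if (!(Number.isFinite(amount) && amount > 0 && amount <= 100)) {
    return { ok: false, error: 'amount outside limit' };
  }
  const backendAmount = Number(lastValue(rawQuery, 'amount'));  // what the backend sees
  return { ok: true, charged: backendAmount };
}

// Strict parser: every expected key exactly once, and no keys that were not expected.
function parseStrict(rawQuery, expectedKeys) {
  const params = new URLSearchParams(rawQuery);
  for (const key of new Set(params.keys())) {
    if (!expectedKeys.includes(key)) throw new Error(`unexpected parameter: ${key}`);
  }
  const out = {};
  for (const key of expectedKeys) {
    const values = params.getAll(key);
    if (values.length !== 1) throw new Error(`parameter ${key} must appear exactly once`);
    out[key] = values[0];
  }
  return out;
}

// Hardened: parse once, validate the canonical values, and hand the backend a
// re-serialized form of those values rather than the client's raw string.
function transferHardened(rawQuery) {
  let p;
  try { p = parseStrict(rawQuery, ['to', 'amount']); }
  catch (e) { return { ok: false, error: e.message }; }
  const amount = Number(p.amount);
  if (!(Number.isFinite(amount) && amount > 0 && amount <= 100)) {
    return { ok: false, error: 'amount outside limit' };
  }
  return { ok: true, charged: amount, forwarded: new URLSearchParams(p).toString() };
}
```

For the constructed query to=alice&amount=10&amount=5000 the vulnerable path passes the limit check on 10 and charges 5000; the hardened path refuses the request because amount appears twice, and for a clean request forwards exactly to=alice&amount=10.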
VII. References
[1] Verizon, “2010 Data Breach Investigations Report,” http://www.verizonbusiness.com/resources/reports/rp 2010-databreach-report en xg.pdf.
[2] Web Application Security Consortium, “Web Application Security Statistics,” http://projects.webappsec.org/w/page/13246989/WebApplication SecurityStatistics.
[3] WhiteHat Security, “WhiteHat Website Security Statistics Report,” 2010.
[4] J. Bau and J. C. Mitchell, “Security modeling and analysis,” IEEE Security & Privacy, vol. 9, no. 3, pp. 18–25, 2011.
[5] H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter, “The multi-principal OS construction of the Gazelle web browser,” in USENIX’09: Proceedings of the 18th USENIX Security Symposium, 2009, pp. 417–432.
[6] S. Tang, H. Mai, and S. T. King, “Trust and protection in the Illinois Browser Operating System,” in OSDI’10: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, 2010, pp. 1–8.
[7] W. G. Halfond, J. Viegas, and A. Orso, “A classification of SQL injection attacks and countermeasures,” in Proceedings of the International Symposium on Secure Software Engineering, March 2006.
[8] MySpace Samy worm, http://namb.la/popular/tech.html, 2005.
[9] A. Barth, J. Caballero, and D. Song, “Secure content sniffing for web browsers, or how to stop papers from reviewing themselves,” in Oakland’09: Proceedings of the 30th IEEE Symposium on Security and Privacy, 2009, pp. 360–371.