The Web's Security Model - Philippe De Ryck
by Philippe De Ryck

While the Web has undergone a dramatic transformation since the first static HTML documents, the underlying security model has remained largely unchanged. Because the client-side capabilities of modern web applications have expanded so much, that security model now matters more than ever, and understanding it is key to building secure web applications.

In this session we explore the details of the Web's security model, which consists mainly of the Same-Origin Policy and the cookie behavior implemented by browsers. We investigate which restrictions the security model imposes, and where the absence of a restriction is exactly what allows common web vulnerabilities to exist (for example Cross-Site Request Forgery and the inclusion of untrusted content). We illustrate how newly introduced technologies such as Cross-Origin Resource Sharing (CORS) and the HTML5 sandbox attribute can be used to modify the behavior of the default security model. Overall, we learn how the Web's security model can be leveraged to build secure web applications by carefully applying domain separation and origin isolation.

Learning objectives

+ Understand the underlying security model of the Web
+ Be aware of the greatly enhanced client-side capabilities of modern web applications
+ Learn about common vulnerabilities within the security model, and their countermeasures
+ Learn how to design secure web applications by leveraging the Web's security model
+ Be aware of new and upcoming web technologies, and their impact on the security model

This lecture was delivered by Philippe De Ryck at SecAppDev 2014 in Leuven, Belgium.

Philippe is a doctoral researcher at the Department of Computer Science of KU Leuven. His main research interest is web application security, with a specific focus on cross-site request forgery (CSRF), JavaScript sandboxing and emerging web specifications (HTML5 and friends). Philippe is the author and maintainer of CsFire, a client-side countermeasure against CSRF attacks that came out of his research. In 2011, Philippe performed a security analysis of 13 next-generation web standards for ENISA, the European Network and Information Security Agency. That analysis not only looks at the security of newly proposed features and APIs, but also investigates potential problems arising from the combination of several features, as well as consistency across specifications.
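The abstract above names the two halves of the default model (the Same-Origin Policy and the cookies browsers attach on their own), the CSRF gap that the missing restriction leaves open, and CORS as a way to relax the model for a chosen origin. The following Node.js script is an added example, not code from the lecture or from CsFire: it models those pieces as plain functions so the interaction can be exercised offline. Every hostname, cookie value, session, the `tok-9f3a` token and the `/transfer` endpoint are constructed for the example.

```javascript
// Added example (not from the lecture): a small model of the Web's default
// security model and of two checks built on top of it. All hosts, cookies,
// sessions and endpoints below are constructed for illustration.

// The Same-Origin Policy compares the (scheme, host, port) triple. Default
// ports are normalised so https://bank.example and https://bank.example:443
// are the same origin. (Real browsers omit the default port when they
// serialise an origin; the explicit form here is only an internal key.)
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed browser state: a cookie jar keyed by host. Classic cookie
// behaviour attaches a host's cookies to every request to that host, no
// matter which origin initiated the request. That ambient authority is the
// missing restriction CSRF abuses.
const cookieJar = { 'bank.example': { session: 'sess-4711' } };

function browserRequest(initiatingPage, url, body = {}) {
  const host = new URL(url).hostname;
  return { url, body, cookies: cookieJar[host] || {}, origin: originOf(initiatingPage) };
}

// Constructed server state: sessions and a per-session synchronizer token.
const sessions = { 'sess-4711': { user: 'alice', csrfToken: 'tok-9f3a' } };

// Vulnerable endpoint: acts on the cookie alone, so a forged cross-site
// request is indistinguishable from a legitimate one.
function transferUnprotected(req) {
  const session = sessions[req.cookies.session];
  if (!session) return { status: 403 };
  return { status: 200, transferred: req.body.amount, by: session.user };
}

// Hardened endpoint: also requires the session's token in the body. An
// attacker page cannot obtain it, because the SOP prevents evil.example
// from reading bank.example's responses, where the token is embedded.
function transferProtected(req) {
  const session = sessions[req.cookies.session];
  if (!session) return { status: 403 };
  if (req.body.csrfToken !== session.csrfToken) return { status: 403 };
  return { status: 200, transferred: req.body.amount, by: session.user };
}

// CORS relaxes the read restriction for origins the server names. The exact
// origin is echoed rather than '*', because browsers reject '*' when the
// request carried credentials such as cookies.
const allowedOrigins = new Set([originOf('https://app.bank.example')]);

function corsHeaders(requestOrigin) {
  return allowedOrigins.has(requestOrigin)
    ? { 'Access-Control-Allow-Origin': requestOrigin, 'Access-Control-Allow-Credentials': 'true' }
    : {};
}

// The browser exposes a cross-origin response body to script only when the
// allow-origin header matches the requesting origin. Note what CORS does not
// do: the request (cookies included) is still sent, so CORS alone is not a
// CSRF defence; it only governs who may read the answer.
function browserCanReadResponse(req, headers) {
  if (sameOrigin(req.origin, req.url)) return true;
  return headers['Access-Control-Allow-Origin'] === req.origin;
}

function demo() {
  // 1. CSRF: a page on evil.example submits a form to bank.example; the
  //    session cookie rides along automatically.
  const forged = browserRequest('https://evil.example/', 'https://bank.example/transfer', { amount: 500 });
  const results = {
    csrfAgainstUnprotected: transferUnprotected(forged).status, // 200: attack succeeds
    csrfAgainstProtected: transferProtected(forged).status,     // 403: token missing
  };
  // 2. A legitimate same-origin submission carries the token and succeeds.
  const legit = browserRequest('https://bank.example/', 'https://bank.example/transfer',
                               { amount: 500, csrfToken: 'tok-9f3a' });
  results.legitimate = transferProtected(legit).status;         // 200
  // 3. CORS: only the allow-listed origin may read the cross-origin response.
  const apiCall = browserRequest('https://app.bank.example/', 'https://api.bank.example/me');
  results.corsAllowed = browserCanReadResponse(apiCall, corsHeaders(apiCall.origin)); // true
  const evilCall = browserRequest('https://evil.example/', 'https://api.bank.example/me');
  results.corsDenied = browserCanReadResponse(evilCall, corsHeaders(evilCall.origin)); // false
  return results;
}

console.log(demo());
```

Run it with `node model.js`. The two status codes for the forged request show the point the abstract makes: the default model does not stop the request from being sent, so the application has to add the restriction itself, and it can do so precisely because the SOP keeps the token unreadable from another origin. The CORS half shows the model being relaxed in the other direction, for one named origin only.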