Three concrete threats against Web sessions and session management mechanisms: 

  • violating the integrity of a session
  • unauthorized transfer of a session
  • impersonating a user by establishing a new session.

The security of the underlying protocols is considered to be out of scope, for example, cryptographic attacks on the TLS protocol. Since this dissertation focuses on client-side Web security, specific server-side technologies and infrastructure are also considered to be out of scope, unless relevant for client-side countermeasures.


Modern Web applications are built in a highly dynamic and complex environment, consisting of numerous interacting components and security policies, but also subtleties and potential security pitfalls.

[Figure: An insecure banking application, which has been instrumental in demonstrating CsFire, our add-on that protects against cross-site request forgery attacks, at numerous local and international events, including OWASP conferences and chapter meetings, iMinds the Conference, and departmental events within the university.]

Web application, but under the hood, numerous components and browser features enable a dynamic, interactive, and complex Web application. Examples are browser add-ons, content plugins, background JavaScript threads, JavaScript's cryptographic APIs, the ability to register protocol and content handlers, etc. Within the browser, a window is a container object holding all of the Web application's data, such as the currently displayed page and the associated JavaScript execution context. Additionally, the window offers access to the browser-provided features, such as the numerous APIs, the cookie jar, etc. While even a single window container is already a complex structure, modern browsers not only allow multiple window objects to exist simultaneously side by side, as tabs or browser windows, they also support the dynamic nesting of window containers using the HTML frame or iframe tags. The specific features of these components and their interactions will be covered in more detail below.

