The security landscape in the early Web was vastly different from what we see today. Attackers focused on server-side services, attempting to exploit the services or gain control over the server machine. Well-known examples of such attacks are SQL injection, command injection, or the exploitation of buffer overflow vulnerabilities within server software. As the functionalities of Web services grew, attackers started targeting client machines, aiming at exploiting client-side vulnerabilities to install malware, for example, to gain unauthorized access to the victim’s bank accounts and other personal information. As memory corruption exploits in browsers or plugins became scarcer, the focus shifted more towards the “weaker” Web vulnerabilities. Attacks such as cross-site scripting and cross-site request forgery use the browser as a means to carry out actions on the server, in the name of the victim.
A perfect illustration of the attacker’s shift from server-side services towards the client-side is two industry-driven surveys of the most important security vulnerabilities. Both the OWASP Top Ten Project and the CWE/SANS Top 25 Most Dangerous Software Errors include the typical server-side vulnerabilities, such as SQL injection and command injection, but also have allocated approximately one-third of the slots to client-side security problems.
Naturally, when the attackers’ focus shifts towards the client, the countermeasures and security policies evolve as well. This evolution closely aligns with the evolutionary steps of the Web. The first security policies were static, encoded as the default behavior in the browser, with the same rules for every Web application. Two examples of such static policies are the Same-Origin Policy, and the same-origin behavior of the XMLHttpRequest object, two policies which will be explained in the coming chapters. Next, come the dynamic security policies, mainly enforced at the server-side. Typical examples are token-based or request header-based protection against cross-site request forgery, or validation-based protections against cross-site scripting. These security policies line up with the rise of dynamic Web applications with a server-side processing component.
The next wave of security mechanisms takes advantage of the browser transformation into an application platform. Modern security policies are enforced at the client-side but driven by the Web application at the server-side. One prime example is Content Security Policy, which is an application-specific policy enforced by the browser. Similarly, the recent work on Entry Points proposes client-enforced protection against cross-site request forgery attacks. These server-driven, client-enforced policies are often used in a layered defense strategy, where both the client and the server enforce a security policy, striving to stop attackers, even when they manage to circumvent one of the security measures.
The content of this dissertation strongly affirms the evolution towards client-side security mechanisms. On one hand, we provide a broad overview of the client-side Web security landscape, which consists of several vulnerabilities that have emerged from the fundamental technologies of the Web, and mitigation techniques that build upon the basic security policies of the Web. On the other hand, we take an in-depth look at session management, one specific building block of the Web which poses interesting security challenges, even until today. The client-side mitigation techniques push the autonomous client-side defenses to their limits, flirting with the delicate balance between usability and security.