Three concrete threats against Web sessions and session management mechanisms:
- violating the integrity of a session;
- unauthorized transfer of a session;
- impersonating a user by establishing a new session.
The security of the underlying protocols, for example cryptographic attacks on the TLS protocol, is considered out of scope. Since this dissertation focuses on client-side Web security, specific server-side technologies and infrastructure are also considered out of scope, unless they are relevant for client-side countermeasures.
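The three threats listed above each target a different point in a session's life cycle: planting or altering a session identifier (integrity), obtaining a valid identifier from a victim (transfer), and getting a fresh session accepted as the victim's (impersonation). The following added example, which is not code from this dissertation or from CsFire, sketches a minimal server-side session table that illustrates the standard mitigations for each: unguessable identifiers, rotation of the identifier at authentication so that a pre-authentication identifier never becomes an authenticated session, an idle timeout, and a Set-Cookie header that restricts how the identifier can leave the browser. The class and function names, the SID cookie name and the timeout value are all assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_COOKIE = "SID"       # assumed cookie name for the example
IDLE_TIMEOUT = 15 * 60       # seconds; constructed value for the example


@dataclass
class Session:
    user: Optional[str] = None
    created: float = field(default_factory=time.monotonic)
    last_seen: float = field(default_factory=time.monotonic)


class SessionStore:
    """Server-side session table keyed by an unguessable identifier.

    The clock is injectable so that the idle-timeout path can be exercised
    without waiting.
    """

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._sessions: Dict[str, Session] = {}
        self._now = now

    def create(self) -> str:
        # 32 random bytes -> 43-character URL-safe token; the id carries no
        # meaning, so it cannot be predicted or derived from user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(created=self._now(), last_seen=self._now())
        return sid

    def resolve(self, sid: Optional[str]) -> Optional[Session]:
        """Look up a presented id; unknown, forged or idle-expired ids get nothing."""
        if sid is None:
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._now() - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = self._now()
        return sess

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate the user and rotate the session identifier.

        Whatever id the browser presented before authentication (possibly one
        planted or observed by a third party) is discarded; only a freshly
        generated id is ever bound to the authenticated user.
        """
        if self.resolve(presented_sid) is not None:
            del self._sessions[presented_sid]
        new_sid = self.create()
        self._sessions[new_sid].user = user
        return new_sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the cookie alone is not enough.
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: no script access, HTTPS only, not sent cross-site."""
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Walk an anonymous session through login; returns (old id, new id, store)."""
    store = SessionStore()
    anon = store.create()                 # id handed out before authentication
    authed = store.login(anon, "alice")   # id rotated at authentication
    return anon, authed, store


if __name__ == "__main__":
    anon, authed, store = demo()
    print("pre-login id still valid:", store.resolve(anon) is not None)
    print("authenticated user:", store.resolve(authed).user)
    print(session_cookie(authed))
```

Rotating the identifier in `login` is what closes the fixation variant of the integrity threat; the cookie attributes narrow the channels by which an identifier can be transferred, and the server-side lookup means a forged or expired identifier never resolves to a user.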
BUILDING BLOCKS OF WEB APPLICATIONS
Modern Web applications are built in a highly dynamic and complex environment consisting of numerous interacting components and security policies, with many subtleties and potential security pitfalls. An insecure banking application has been instrumental in demonstrating CsFire, our add-on that protects against cross-site request forgery attacks, at numerous local and international events, including OWASP conferences and chapter meetings, iMinds the Conference, and departmental events within the university.