Web Security

Web security is a broad and evolving subject, and partly as a result, there isn't a single definitive up-to-date description or paper. In this class, we broadly divide web security into three parts: server-side security (exemplified by privilege separation ideas as in OKWS and lab 2), client-side security (worrying about how to isolate many web sites and web applications running in a user's browser), and network security (worrying about network-level attackers). We have already covered server-side security at length in the first half of the class, and we will now turn our attention to client-side security (with network security to come later on).

To start learning about client-side security in web browsers, instead of asking you to read a specific paper, we have put together the following collection of documents that you should read in preparation for lecture.

First, read about the basic security mechanisms underlying client-side security in a browser:

Next, read about common vulnerabilities in web applications, along with browser mechanisms developed to mitigate them:

You can see similarities between XSS in web applications and buffer overflows in server-side C code. Both are simple mistakes that are easy for developers to make, and both lead to significant security problems by allowing an adversary to execute arbitrary code. Both have spawned a long line of mitigation mechanisms that make the bugs harder to exploit, but the vulnerabilities persist because those mitigations do not eliminate the underlying bugs in all possible situations.
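As an added illustration of that last point (example code written for this page, not taken from the assigned readings or from The Tangled Web), the snippet below shows the XSS mistake beside its usual mitigation, and then a second output context where the same mitigation is not enough. All function names are hypothetical.

```javascript
// 1. The "simple mistake": untrusted input concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "!</p>";
}

// 2. The mitigation: encode the characters that can change HTML structure.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderGreetingSafe(name) {
  return "<p>Hello, " + escapeHtml(name) + "!</p>";
}

// 3. Why the bug persists: escapeHtml() is correct for element content, but an
// unquoted attribute value ends at whitespace, which escapeHtml() leaves alone,
// so a value containing a space still grows an extra attribute in this sink.
function renderBadgeUnquoted(cls) {
  return "<span class=" + escapeHtml(cls) + ">badge</span>";
}
// Hardened form: always quote attribute values; the only way out of a quoted
// value is the quote character, which escapeHtml() does encode.
function renderBadgeQuoted(cls) {
  return '<span class="' + escapeHtml(cls) + '">badge</span>';
}

// Small checker for the demonstration: counts name=value attributes in the
// start tag, treating an unquoted value as ending at the next whitespace.
function countAttributes(tag) {
  const inner = tag.slice(1, tag.indexOf(">"));
  const m = inner.match(/\s+[^\s=]+=("[^"]*"|[^\s"]*)/g);
  return m ? m.length : 0;
}

// Constructed sample inputs: harmless markup and a value containing a space.
console.log(renderGreetingUnsafe("<b>x</b>")); // markup survives intact
console.log(renderGreetingSafe("<b>x</b>"));   // markup is neutralised
console.log(countAttributes(renderBadgeUnquoted("a b=c"))); // 2 attributes
console.log(countAttributes(renderBadgeQuoted("a b=c")));   // 1 attribute
```

The point is that escaping is context dependent: the same encoder is sufficient in one sink and insufficient in another, which is exactly why output-encoding mitigations reduce but do not remove XSS.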

A wonderful and detailed book about web security is The Tangled Web by Michal Zalewski. It is a bit dated at this point, having been published in 2012; many developments have taken place in web security since then. It is also very detailed, making it somewhat challenging to extract the big picture from it. However, in many ways it is still accurate, and many of the details described in the book are still important for security. You can access "The Tangled Web" online through the MIT libraries' subscription to O'Reilly Online Learning; the link can be found by searching for the book in the MIT library catalog. Chapters 9-13 are the most relevant for the web security lectures in this class.