Web Security

Web security is a broad and evolving subject, and partly as a result, there isn't a single definitive up-to-date description or paper. In this class, we broadly divide web security into three parts: server-side security (exemplified by privilege separation ideas as in lab 2 or Google's infrastructure security), client-side security (worrying about how to isolate many web sites and web applications running in a user's browser), and network security (worrying about network-level attackers). In this lecture, we will turn our attention to client-side security (with network security to come later on).

To start learning about client-side security in web browsers, instead of asking you to read a specific paper, we have put together the following collection of documents that you should read in preparation for lecture.

First, read about the basic security mechanisms underlying client-side security in a browser:

• The basics of the Same-Origin Policy from web.dev
• A detailed dive into the Same-Origin Policy from the MDN Web Docs
• HTTP cookies and their security from the MDN Web Docs
• localStorage from the MDN Web Docs
• An overview of Cross-Origin Request Sharing from web.dev

Next, read about common vulnerabilities in web applications, along with browser mechanisms developed to mitigate them:

• Cross-site scripting attacks on Wikipedia
• Clickjacking attacks on Wikipedia
• Cross-site request forgery attacks from the MDN Web Docs
• Content-Security Policy, a browser mechanism that helps mitigate XSS and clickjacking vulnerabilities

You can see similarities between XSS in web applications and buffer overflows in server-side C code. Both are simple mistakes that are easy for developers to make, leading to significant security problems by allowing an adversary to execute arbitrary code. Both have spawned a long line of mitigation mechanisms to make the bugs more difficult to exploit. These defenses and mitigations are effective at making the bugs harder to take advantage of, but the vulnerabilities persist because the mitigations do not eliminate the bugs in all possible situations.

A wonderful and detailed book about web security is The Tangled Web by Michal Zalewski. It is a bit dated at this point, having been published in 2012; many developments have taken place in web security since then. It is also very detailed, making it somewhat challenging to extract the big picture from it. However, in many ways it is still accurate, and many of the details described in the book are still important for security. You can access "The Tangled Web" online through the MIT libraries' subscription to O'Reilly Online Learning; the link can be found by searching for the book in the MIT library catalog. Chapters 9-13 are the most relevant for the web security lectures in this class.