End-to-end Web Application Security

End-to-end Web Application Security

Ulfar Erlingsson, Benjamin Livshits, Yinglian Xie
Microsoft Research

Abstract

Web applications are important, ubiquitous distributed systems whose current security relies primarily on server-side mechanisms. This paper makes the end-to-end argument that the client and server must collaborate to achieve security goals, to eliminate common security exploits, and to secure the emerging class of rich, cross-domain Web applications referred to as Web . In order to support end-to-end security, Web clients must be enhanced. We introduce Mutation-Event Transforms, an easy-to-use client-side mechanism that can enforce even fine-grained, application-specific security policies and whose implementation requires only straightforward changes to existing Web browsers. We give numerous examples of attractive new security policies that demonstrate the advantages of end-to-end Web application security and of our proposed mechanism.

1 Introduction

Web applications provide end users with client access to server functionality through a set of Web pages. These pages often contain script code to be executed dynamically within the client Web browser. Most Web applications aim to enforce simple, intuitive security policies, such as, for Web-based email, disallowing any scripts in untrusted email messages. Even so, Web applications are currently subject to a plethora of successful attacks, such as cross-site scripting, cookie theft, session riding, browser hijacking, and the recent self-propagating worms in Web-based email and social networking sites [2, 17, 24]. Indeed, according to surveys, security issues in Web applications are the most commonly reported vulnerabilities on the Internet [16]. The problems of Web application security are only becoming worse with the recent trends towards richer Web applications. These applications enable new avenues of attack by making use of complex, asynchronous client-side scripts and by combining services across Web application .