Web Application Security Research
This section presents an overview of research concerning the security of web applications:
- Preventing CSRF attacks:
Cross Site Request Forgery (CSRF a.k.a. XSRF, a.k.a. Session Riding) attacks are public at least since 2001. However this class of web application vulnerabilities is rather obscure compared to attack vectors like Cross Site Scripting or SQL Injection. As the trend towards web applications continues and an increasing number of local programs and appliances like firewalls rely on web based frontends, the attack surface for XSRF grows continuously.
We created two client-side tools that protect web-surfers against CSRF-attack: RequestRodeo for protection against Cookie- and HTTP-authentication attacks and LocalRodeo for protection against CSRF-attacks that target intranet resources.
- SMask: (for details please refer to our ACM SAC paper)
For the time being one single XSS-vulnerability suffices to compromise the complete web application in respect to the application's session management.
For this reason we worked on methods that protect web applications against session hijacking even if the applications contains an XSS-vulnerability.
For details see our ESORICS paper and Christian Weitendorf's diploma thesis.
- Static analysis of PHP applications: As a subproject of the first software security project at Hamburg University, Jeremias Reith and Nadine Wunderlich developed a framework for static analysis of PHP-code which is based on PHP's own parser.
Martin Johns, Christian Beyerlein: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation, 22nd ACM Symposium on Applied Computing (SAC 2007), Security Track, Seoul, Korea, March 2007 (paper).
Christopher Holm, Christopher Schwardt: Verwundbarkeiten von Web-Anwendungen, in Informatiktage 2007, Lecture Notes in Informatics (LNI), Köllen Druck+Verlag, March 2007 (paper)
Martin Johns: SessionSafe: Implementing XSS Immune Session Handling in
in European Symposium on Research in Computer Security (ESORICS 2006), Gollmann, D.; Meier, J. & Sabelfeld, A. (ed.), Springer, LNCS 4189, pp. 444-460, September 2006 (paper).
Martin Johns, Justus Winter: RequestRodeo: Client Side Protection against Session Riding
in Proceedings of the OWASP Europe 2006 Conference by Piessens, F. (ed.), Report CW448, Departement Computerwetenschappen, Katholieke Universiteit Leuven, Belgium, May 2006 (paper).
- Martin Johns: "Exploiting the Intranet with a Webpage", talk at the HITBSecConf2007 conference, September 3-6 2007, Kuala Lumpur, Malaysia.
- Martin Johns: "Cross Site Scripting (XSS) und Session Riding (CSRF): Angriffe auf Web-Session Management - Ursachen, Konsequenzen, Gegenmaßnahmen", talk at the IICO-Congress, May 9-11 2007, Berlin, Germany.
Martin Johns, Justus Winter: "CSRF, the Intranet and You", talk at the 23C3,
December 27-30 2006, Berlin, Germany.
Martin Johns: "On CSRF and why you should care", talk at the PacSec 2006 conference, November 27-30 2006, Tokio, Japan.
Martin Johns: "Using the same-origin policy to disarm XSS vulnerabilities", talk at ph-neutral 0x7d6, 27th May 2006, Berlin, Germany.
Opportunities for students
- Diploma Theses:
We offer diploma theses on the security of web applications.
if you are interested.