
Client-side Web Security: Mitigating Threats against Web Sessions



Abstract

As the Web has claimed a prominent place in our society and in our daily lives, Web security has become more important than ever, as illustrated by the mainstream media coverage of serious Web security incidents. Over the last years, the center of gravity of the Web has shifted towards the client, where the browser has become a full-fledged execution platform for highly dynamic, complex Web applications. Unfortunately, with the rising importance of the client-side execution context, attackers have also shifted their focus towards browser-based attacks and compromises of client devices. Naturally, when the attackers' focus shifts towards the client, the countermeasures and security policies evolve as well, as illustrated by the numerous autonomous client-side security solutions and the recently introduced server-driven security policies that are enforced within the browser.

In this dissertation, we elaborate on the evolution from server-side Web applications to the contemporary client-side applications that offer a different user experience. We explore the underlying concepts of such applications and illustrate several important attacks that can be executed from the client side. Ultimately, the focus of this dissertation lies with the security of Web sessions and session management mechanisms, an essential feature of every modern Web application. Concretely, we present three autonomous client-side countermeasures that improve the security of currently deployed session management mechanisms. Each of these countermeasures is implemented as a browser add-on and is thoroughly evaluated. A fourth technical contribution consists of an alternative session management mechanism that fundamentally eliminates common threats against Web sessions. A thorough evaluation of our prototype implementation shows the benefits of such an approach, as well as its compatibility with the current Web infrastructure.

Finally, we report on our experience with developing client-side countermeasures, both during the inception phase, which is often backed by theoretical approaches including formal modeling and rigorous security analyses, and during the development phase, which results in practically deployable solutions, for example as a browser add-on.

Bibliographic details

  • Author

    De Ryck Philippe;

  • Year 2014
  • Format PDF
  • Language en
