The typical targets of web attacks are the users' browsers and the data on the server. The current trend is to offer software no longer as installed clients but as web applications; this holds both for SaaS and for corporate intranets.
The core of navigation is moving through pages while carrying a state along. But in HTTP that is an illusion, because the protocol is intrinsically stateless: we are building stateful interaction on top of a stateless HTTP. Likewise, HTTP does not support authentication by itself, so it has to be implemented in the application.
People make mistakes. And in a web application the view side is not under the programmer's control: it runs inside the browser.
SOP (the same-origin policy) is a policy commonly adopted by browsers: scripts coming from a website are allowed to access only data from that same website.
XSS (cross-site scripting) is the technique of putting into a text box JavaScript executable code, marked with <SCRIPT>, that will be executed in the client and violates SOP in order to access data or perform operations on the attacked site from the client.