Professional Documents
Culture Documents
Application Level Security
Application Level Security
Application Level Security
The stateless nature of the HTTP protocol leaves designers with the
task of managing application state across multiple requests. It is often
easier to thread state through a series of request/responses using hidden
form fields than it is to store data in a back-end database. Unfortunately
using hidden form fields in this way enables the client to modify internal
application state, leading to vulnerabilities such as the price changing
attack described in the Introduction. It is interesting to note that a
respected textbook on HTML [21] recommends this dangerous practice
without any mention of security issues.
Cross-Site Scripting
Figure 1: A diagrammatic view of our system for abstracting application-level web security
Policy Compiler
Extensions