STREWS published its Second Case Study on Web Security Architecture:


Case study 2 Report: Web Security Architecture [PDF]

The Open Web Platform is already transforming the Web again. More functionality on the Web increases the attacking surface. From a document driven Web, we are heading towards an action-driven Web. This also includes the availability of higher value services on the Web. Must Online banking remain dumb? Or can we secure the new applications using HTML5 and all the features and potential it brings?

In a first study of STREWS resulted in D.1.1, the Web-platform security guide. STREWS gave an overview of the assets of the Web an attacker could target and the state of the art of attack and defense. This first study had a very formal approach. This scientific rigour was then applied in a first case study on Web Real Time Communications (WebRTC) resulting in D1.2 Case Study: Security Assessment of WebRTC

This is now the second case study. STREWS has done a deep dive into the toolbox available to Web developers today. First by putting the security tools developed by the IETF and the W3C in context. From there, the study is suggesting new ways to address remaining black spots for Web Security and finally addresses new ways to counter the ever increasing number of cross-site scripting attacks.

The study gives an overview of current development in the Web security area in the IETF and the W3C with pointers for further reading. It then suggests new ways of addressing security issues by exploring cutting edge research findings to be taken into account. Secure sessions and javascript sandboxing can help a lot to make the Web a better place. The case study describes and evaluates those new tools.

Until today, XSS is a serious and widespread security issue. The study has chosen to consolidate the existing knowledge on Cross-Site Scripting. The objective is to systematically review existing works and literature in order to present a comprehensive overview of this research field. On this basis, the study is able to identify open problems and potential research topics that still need to be addressed.