Abstract
Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface. This paper aims to understand developers' familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments. First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the clients' ability to intercept and modify all parts of an HTTP request. Moreover, developers' attack awareness focuses on a limited set of attacks (such as cross-site scripting and SQL injection), overlooking a large part of the attack surface.
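The finding that a third of developers do not realise the client controls every part of an HTTP request is worth making concrete. The following is an added illustration, not code from the paper or from its CTF application: it builds the request a browser would send to a constructed checkout endpoint (the shop name, SKU, price, session store and cookie names are all assumed), then the same request with the "hidden" price field, a role cookie, the Referer and an X-Forwarded-For header rewritten, and runs both through a handler that trusts those fields and one that derives price and role from server-side state instead.

```python
"""Every byte of an HTTP request is client-controlled: method, path, headers,
cookies, "hidden" form fields and body. This added example (not from the paper)
shows a naive handler being fooled and a hardened handler that is not."""
from urllib.parse import parse_qs

# Constructed stand-ins for a database: the catalogue and the session store.
CATALOGUE = {"sku-1001": 4999}  # price in cents
SESSIONS = {"s3cr3t-session-token": {"user": "alice", "role": "user"}}


def build_request(method, path, headers, body=b""):
    """Assemble a raw HTTP/1.1 request exactly as a client (or a proxy such as
    Burp) could emit it. Nothing here is out of the client's reach."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_request(raw):
    """Minimal server-side parse of the raw bytes into method, path, headers,
    cookies and form fields (header names lower-cased)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = dict(
        part.strip().split("=", 1)
        for part in headers.get("cookie", "").split(";")
        if "=" in part
    )
    form = {key: values[0] for key, values in parse_qs(body.decode()).items()}
    return {"method": method, "path": path, "headers": headers,
            "cookies": cookies, "form": form}


def checkout_trusting_client(req):
    """Vulnerable: trusts the hidden 'price' field and a 'role' cookie that
    the server's own HTML set earlier. Both are just bytes the client sends."""
    price = int(req["form"]["price"])
    role = req["cookies"].get("role", "user")
    discount = 0.5 if role == "admin" else 1.0
    return {"charged": int(price * discount), "role": role}


def checkout_server_side(req):
    """Hardened: price comes from the catalogue and role from the server-side
    session; the client-supplied copies are never consulted. The only
    client-provided value used is the session token, which is looked up."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return {"error": "not authenticated"}
    sku = req["form"].get("sku")
    if sku not in CATALOGUE:
        return {"error": "unknown sku"}
    return {"charged": CATALOGUE[sku], "role": session["role"]}


COMMON_HEADERS = {
    "Host": "shop.example",  # assumed host name
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": "https://shop.example/cart",
}


def browser_request():
    """What the unmodified page would submit (constructed sample)."""
    headers = dict(COMMON_HEADERS, Cookie="session=s3cr3t-session-token; role=user")
    return build_request("POST", "/checkout", headers, b"sku=sku-1001&price=4999")


def tampered_request():
    """Same request after interception: price, role cookie and an extra
    X-Forwarded-For header rewritten by the client (constructed sample)."""
    headers = dict(COMMON_HEADERS, Cookie="session=s3cr3t-session-token; role=admin")
    headers["X-Forwarded-For"] = "127.0.0.1"
    return build_request("POST", "/checkout", headers, b"sku=sku-1001&price=1")


def demo():
    """Run both handlers over both requests and return the outcomes."""
    honest = parse_request(browser_request())
    forged = parse_request(tampered_request())
    return {
        "trusting_honest": checkout_trusting_client(honest),
        "trusting_forged": checkout_trusting_client(forged),   # charged 0 as admin
        "server_side_honest": checkout_server_side(honest),
        "server_side_forged": checkout_server_side(forged),    # still 4999 as user
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened handler is not hardened because it parses more carefully, but because nothing the client can type changes the price or the role: those are looked up from server-side state keyed by a session token the server issued. The same reasoning applies to every other request component a framework exposes conveniently (Referer, Origin, X-Forwarded-For, hidden inputs, disabled form controls, JSON fields a mobile app "never sends"): none of it is evidence of anything.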
Original language | English |
---|---|
Title of host publication | 43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022 |
Subtitle of host publication | proceedings |
Editors | Lisa O'Conner |
Place of Publication | Piscataway, NJ |
Publisher | IEEE |
Pages | 31-43 |
Number of pages | 13 |
ISBN (Electronic) | 9781665496438 |
ISBN (Print) | 9781665496445 |
DOIs | |
Publication status | Published - 25 Jul 2022 |
Event | Third Workshop of Designing Security for the Web (3rd), San Francisco, United States, 26 May 2022 → 26 May 2022, https://secweb.work/2022.html |
Publication series
Name | IEEE Security and Privacy Workshops |
---|---|
Publisher | IEEE |
ISSN (Print) | 2639-7862 |
ISSN (Electronic) | 2770-8411 |
Workshop
Workshop | Third Workshop of Designing Security for the Web |
---|---|
Abbreviated title | SecWeb 2022 |
Country/Territory | United States |
City | San Francisco |
Period | 26/05/22 → 26/05/22 |
Internet address | |
Keywords
- Web
- Framework
- Security awareness
- Secure software development
- CTF