Web App Security
- Tags
- security
Refers to the class of security problems targeting web applications.
The goals (see page 2) are:
- Allow users to safely browse websites without incurring harm.
- Support secure web applications: being on the web should be just as secure as using a non-web-based application.
We consider (see page 6):
- Classic web attacker: just someone who sets up a malicious website that the victim can visit. They can't control the network.
- Network attacker: intercepts messages between the user and the server and can control the communication between them.
Network attackers can be further divided into:
- Passive: Doesn't actively modify communication, just snoops on it (example: wireless eavesdropper)
- Active: Actively manipulates communications to their own ends (example: evil router, DNS poisoning)
- Malware attacker: bypasses browser sandbox and runs separately under OS control.