This lecture reviews key details of web application architecture, then goes on to consider attacks against the connection and attacks against the server side of the application. It considers briefly how open redirects can be abused (e.g., to steal user credentials) and how pages dealing with authentication or payment might be bypassed via URL jumping. It also looks at secure password management for web applications, revisiting some of the issues covered in Lecture 7.

Web applications typically make user interaction stateful by means of sessions. The lecture therefore explores the threats associated with session IDs and highlights what should be done to manage sessions securely. The lecture finishes by considering how the XML payload of an HTTP request can cause security problems.

• Lecture video
• Slides (PDF)
• Exercises:
  • Classic Web Vulnerabilities
  • Bypassing Web Authentication
• Other resources:
  • March 2020 analysis of the Alexa Top 1 Million sites
  • The DROWN attack against HTTPS
  • Article on BBC roll-out of HSTS
  • Misuse of TLS certificates by Lenovo’s Superfish adware and Sennheiser’s HeadSetup
  • Troy Hunt blog from 2014 on The Tesco Hack
  • Password encryption at PlusNet (2012)
  • Jetty session ID prediction: a vulnerability from 2006