Abstract:
Since the HTTP protocol is stateless by design, web applications have to implement client authentication by means of web sessions. Given the importance of client authentication, the web security community has investigated session security at length. However, prior work in the field primarily focused on black-box testing, which has very limited access to the server-side logic of the web application. This thesis presents the first measurement of web session security based on static analysis of server-side code. From this distinctive vantage point, it examines a number of security practices that cannot be assessed through black-box testing, such as password hashing and cryptographic key management. The analysis covers more than 1,200 web applications built using the Django and Flask web development frameworks, unveiling a number of new insights on web session security that escaped prior work based on black-box testing.