TUW Team Explores Web Security
Marco Squarcina from TU Wien’s Institute for Logic and Computation shared findings on Internet security at the 32nd USENIX Security Symposium (August 9–11, 2023, Anaheim, CA, USA) and BlackHat USA 2023 (August 5-10, 2023, Mandalay Bay / Las Vegas). The research highlighted significant security gaps related to the challenges of maintaining backward compatibility and the complexities of multiple components and parties involved in web development, delivery, and operations.
The study focused on the vulnerabilities of cookie files, revealing historical issues related to confidentiality and integrity. The increasing complexity of code, framework usage, and the intricate interaction between browsers and server-side applications were noted as potential sources for new vulnerabilities.
The investigation delved into real-world implications, demonstrating how supposedly robust security measures could be circumvented, leaving web applications exposed to session integrity threats like session fixation and cross-origin request forgery. As a result of the authors’ responsible disclosure and proposed practical mitigations, the most significant security gaps surrounding the discovered problems have now been closed. However, Marco Squarcina emphasized in his interview that certain risks still persist. This is one of the topics Marco will cover at m0leCon 2023.
In a related discussion on the Redefining CyberSecurity Podcast (released on August 2, 2023), Marco Squarcina and Pedro Adão from Instituto Superior Técnico, Universidade de Lisboa, conversed with ITSPmagazine’s Co-Founders, Sean Martin and Marco Ciappelli. The podcast explored broader web security issues, the importance of ongoing research, reporting vulnerabilities, and solutions to enhance overall web application security. The conversation also touched on the role of companies and the development community, as well as the impact of legislation in this domain.