Web applications are one of the most prevalent platforms for delivering
information and services over the Internet today. As they are increasingly
used for critical services, web applications have become a popular and
valuable target for attackers. Although a large body of techniques has been
developed to fortify web applications and to mitigate attacks against them,
little effort has been devoted to drawing connections among these techniques
and building a big picture of web application security research.
This paper surveys the area of web application security, with the aim of
systematizing the existing techniques into a big picture that promotes
future research. We first present the aspects of web application
development that create inherent challenges for building secure web
applications. We then identify three essential security properties that a
web application should preserve: input validity, state integrity and logic
correctness. For each property we describe the classes of vulnerabilities
that violate it, together with the attack vectors that exploit those
vulnerabilities. We organize the existing research on securing web
applications into three categories based on design philosophy: security by
construction, security by verification and security by protection. Finally,
we summarize the lessons learnt and discuss future research opportunities
in this area.
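To make the three properties concrete, the following is an added illustration (not code from the paper or from any system it surveys) of a minimal order workflow that enforces each of them on the server side. The catalogue, prices, the secret key and the created/paid/shipped workflow are all constructed for this example; in a real deployment the key would be loaded from a secret store and the catalogue from a database.

```python
import hashlib
import hmac
import json

# Constructed server-side catalogue (example data): prices in cents.
CATALOG = {"sku-1": 1999, "sku-2": 500}

# Assumption: a real application loads this from a secret store, not source code.
SESSION_KEY = b"example-only-secret"

# Constructed workflow for the example: created -> paid -> shipped.
ALLOWED_TRANSITIONS = {"created": {"paid"}, "paid": {"shipped"}, "shipped": set()}


def validate_order_input(params: dict) -> dict:
    """Input validity: accept only a known SKU and a small positive integer quantity."""
    sku = params.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty_raw = params.get("qty", "")
    if not isinstance(qty_raw, str) or not qty_raw.isdigit():
        raise ValueError("qty must be a non-negative integer string")
    qty = int(qty_raw)
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    return {"sku": sku, "qty": qty}


def seal_state(state: dict) -> str:
    """State integrity: serialise the state and append an HMAC so that any
    client-side edit of the token is detected when it comes back."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def open_state(token: str) -> dict:
    """Verify the HMAC before trusting anything inside the token."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state tampered")
    return json.loads(body)


def price_order(order: dict) -> int:
    """The total is recomputed from the server-side catalogue, never taken from the client."""
    return CATALOG[order["sku"]] * order["qty"]


def create_order(params: dict) -> str:
    order = validate_order_input(params)
    state = {"sku": order["sku"], "qty": order["qty"],
             "total": price_order(order), "status": "created"}
    return seal_state(state)


def advance(token: str, step: str) -> str:
    """Logic correctness: only transitions listed in ALLOWED_TRANSITIONS are accepted,
    so a client cannot jump from 'created' straight to 'shipped'."""
    state = open_state(token)
    if step not in ALLOWED_TRANSITIONS[state["status"]]:
        raise PermissionError(f"cannot go from {state['status']} to {step}")
    state["status"] = step
    return seal_state(state)


def demo() -> dict:
    """Exercise each property once and return the outcomes for inspection."""
    results = {}
    tok = create_order({"sku": "sku-1", "qty": "3"})
    results["total"] = open_state(tok)["total"]
    try:  # input validity: an unknown SKU is rejected before any processing
        create_order({"sku": "sku-9", "qty": "1"})
        results["bad_sku_rejected"] = False
    except ValueError:
        results["bad_sku_rejected"] = True
    tampered = tok.replace('"total": 5997', '"total": 1')  # client edits its own token
    try:  # state integrity: the HMAC no longer matches
        open_state(tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    try:  # logic correctness: shipping before payment is refused
        advance(tok, "shipped")
        results["skip_payment_blocked"] = False
    except PermissionError:
        results["skip_payment_blocked"] = True
    results["final_status"] = open_state(advance(advance(tok, "paid"), "shipped"))["status"]
    return results


if __name__ == "__main__":
    print(demo())
```

The three checks live in three separate functions on purpose: a validator that rejects malformed parameters does nothing to stop a client from editing state it holds, and an integrity-protected token does nothing to stop a client from requesting steps out of order, which is why the survey treats the three properties as distinct.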