1.3 Purpose of this Book
This book extensively covers the broad field of client-side Web security, in all its
aspects, in order to help understand and position client-side Web security in the
story of the Web. To this purpose, the book briefly covers the history of the Web,
along with its fundamental building blocks and most recent evolutions. Based on a
commonly used set of threat models, we investigate 13 different attacks, grouped into
five chapters, based on their methods and impact. This book not only covers the
state-of-the-art technologies emerging from research and standardization activities,
but also provides valuable insights into the current state of practice.
To be able to offer relevant information on the current state of practice, we have
performed a large-scale study of the Alexa top 10,000 sites. We crawled these
Web sites, issuing a total of 4,185,227 requests, looking for deployments of
well-known and recently introduced mitigation techniques. Based on these results, we
can give an up-to-date view on the adoption rate of certain mitigation techniques,
and show how even the most recent security technologies are already being adopted
across the Web.
While the book is relevant for anyone aiming to learn about Web security and
client-side countermeasures, the content is specifically tailored towards the following
target audiences:

• Students, Teachers, and Trainers: Web development and Web security have
become an indispensable part of academic computer science curricula and
professional training programs. This book is ideally suited for Web security courses,
as it provides the necessary background information, covers the different
capabilities of attackers on the Web, and continues with a broad coverage of the Web’s
security problems and their countermeasures. The grouping of the attacks into
chapters allows teachers and trainers to focus on the desired topics.
• Researchers: There is no lack of high-quality research on a wide variety of Web
security topics, but being researchers ourselves, we noticed that it is hard to see the
big picture. Therefore, we wrote this book to provide the big picture of the field of
client-side Web security, covering both the attacks and the mitigation techniques.
For every security problem, we describe the current state of practice as well as
the latest research. The numerous citations make this book a timely reference
work for both starting and experienced researchers, interested in discovering the
current state-of-the-art research and the challenges that lie ahead.
• Developers and Security Practitioners: As you will learn from this book, many
countermeasures depend on explicit developer action to ensure that Web
applications are secured appropriately. Keeping up to date with all the latest developments
in the field of Web security is a daunting task. This book targets Web developers
and security practitioners not only by offering an overview of the current Web
security problems and their countermeasures, but also by discussing the current
state of practice in securing Web applications, as well as a set of best practices to
secure a Web application.
