Ready for Detection! A Survey on Attack-Awareness Means in Web Frameworks
In the development of web applications, web frameworks play a vital role, providing tools and ready-to-use components which simplify the development of common web application tasks. Such components include security controls and mechanisms to prevent web application vulnerabilities that could potentially be exploited. However, while these security controls most often focus on the prevention of vulnerabilities, there is limited research on whether frameworks also include detective security controls which could make web applications attack-aware and report on active exploitation attempts. An attack-awareness capability could act as a warning system, or “canary” for suspicious activity and enable developers to step in before an attacker succeeds.
This talk will present survey research on web frameworks, exploring to what extent these frameworks provide means to implement attack-awareness capabilities for web applications. The talk will give a brief overview of the survey methodology, primarily explaining how means to implement attack-awareness capabilities can be identified, including the types of resources that have been considered. In addition to presenting the findings, the talk will also discuss the challenges and limitations of adopting this approach. The talk will conclude with a discussion of how two of the surveyed web frameworks, Django and Spring, already have a framework-based system to detect attacks, which other web frameworks could adopt and benefit from. Furthermore, the architecture underlying both systems could entail the key components and concepts which enable a practical and usable integration of attack-awareness in web applications.
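To make the "canary" idea from the abstract concrete, the following is an added example (not code from the talk, and not Django's or Spring's own detection system): a small, framework-agnostic WSGI middleware that records suspicious requests per client and raises an alert once a client crosses a threshold, so a developer can step in before an attacker succeeds. The tripwire paths, the threshold and the request log are constructed assumptions for the demonstration; the reporter callback stands in for whatever alerting channel an application would actually use.

```python
"""Added example of an attack-aware WSGI middleware (hypothetical, not a
framework's own mechanism). It only detects and reports; it does not
try to block or fingerprint clients beyond what the app already sees."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed tripwire paths: the application never serves these, so a
# request to one of them is a probe signal rather than normal use.
TRIPWIRE_PATHS = {"/internal/export.sql", "/.env", "/backup-old.zip"}
ALERT_THRESHOLD = 3  # assumed: alert once a client has tripped three times


class AttackAwareMiddleware:
    """Wraps a WSGI app, records suspicious requests per client address
    and calls `reporter` when a client reaches ALERT_THRESHOLD events."""

    def __init__(self, app: Callable, reporter: Optional[Callable[[str], None]] = None):
        self.app = app
        self.reporter = reporter or (lambda msg: None)
        self.events: Dict[str, List[str]] = defaultdict(list)
        self.alerts: List[str] = []

    @staticmethod
    def _client_id(environ: dict) -> str:
        return environ.get("REMOTE_ADDR", "unknown")

    @staticmethod
    def _is_suspicious(environ: dict) -> Tuple[bool, str]:
        path = environ.get("PATH_INFO", "")
        if path in TRIPWIRE_PATHS:
            return True, f"tripwire path {path}"
        # A null byte in a request path is never legitimate input.
        if "\x00" in path:
            return True, "null byte in path"
        return False, ""

    def __call__(self, environ: dict, start_response: Callable):
        client = self._client_id(environ)
        suspicious, reason = self._is_suspicious(environ)
        if not suspicious:
            return self.app(environ, start_response)
        self.events[client].append(reason)
        if len(self.events[client]) == ALERT_THRESHOLD:
            msg = f"attack-awareness alert: {client} ({'; '.join(self.events[client])})"
            self.alerts.append(msg)
            self.reporter(msg)
        # Detection only: answer exactly as for any unknown resource.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]


def demo_app(environ: dict, start_response: Callable):
    """Stand-in application that serves every path it receives."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_constructed_requests() -> Tuple[AttackAwareMiddleware, List[str]]:
    """Replays a constructed request log through the middleware and returns
    the middleware (for its events/alerts) and the status line per request."""
    mw = AttackAwareMiddleware(demo_app, reporter=lambda m: print(m))
    # Constructed log: 10.0.0.9 probes tripwires, 10.0.0.5 behaves normally.
    requests = [
        ("10.0.0.5", "/"),
        ("10.0.0.9", "/.env"),
        ("10.0.0.9", "/internal/export.sql"),
        ("10.0.0.5", "/"),
        ("10.0.0.9", "/.env"),
    ]
    statuses: List[str] = []
    for addr, path in requests:
        seen: List[str] = []

        def start_response(status, headers, exc_info=None, _seen=seen):
            _seen.append(status)

        b"".join(mw({"REMOTE_ADDR": addr, "PATH_INFO": path}, start_response))
        statuses.append(seen[0])
    return mw, statuses


if __name__ == "__main__":
    _, status_lines = run_constructed_requests()
    print(status_lines)
```

The point is the separation of concerns: the wrapped application is untouched, the middleware sees every request, and the reporter is the only place that needs to know about the alerting channel. A framework-level system of the kind the abstract attributes to Django and Spring would sit at the same position in the request pipeline, which is what makes adoption by other frameworks plausible.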