Position paper: Why are there so many vulnerabilities in web applications?

Wenliang Du, Karthick Jayaraman, Xi Tan, Tongbo Luo, Steve Chapin

Research output: Chapter in Book/Entry/Poem › Conference contribution

4 Scopus citations


As the Web has become more and more ubiquitous, the number of attacks on web applications has increased substantially. According to a recent report, over 80 percent of web applications have had at least one serious vulnerability. This percentage is alarmingly higher than that of traditional applications. Something must be fundamentally wrong in the web infrastructure. Based on our research, we have formulated the following position: when choosing the stateless framework for the Web, we ignored a number of security properties that are essential to applications. As a result, the Trusted Computing Base (TCB) of the Web has significant weaknesses. To build secure stateful applications on top of a weakened TCB, developers have to implement extra protection logic in their web applications, making development difficult and error-prone, and thereby causing a number of security problems in web applications. In this paper, we will present evidence, justification, and in-depth analysis to support this position.

Original language: English (US)
Title of host publication: NSPW'11 - Proceedings of the 2011 New Security Paradigms Workshop
Number of pages: 11
State: Published - 2011
Event: 2011 New Security Paradigms Workshop, NSPW'11 - Marin County, CA, United States
Duration: Sep 12 2011 to Sep 15 2011

Publication series

Name: Proceedings New Security Paradigms Workshop


Other: 2011 New Security Paradigms Workshop, NSPW'11
Country/Territory: United States
City: Marin County, CA


  • access control
  • browser
  • web security
  • web server

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Software
  • Information Systems

