Open Access Article

Analysis of Web Application Security

Shreekishan Jewliya1

1 Dept. Of Computer Science, Rajasthan Swayat Shasan Mahavidyalaya, Jaipur, India.

Section:Research Paper, Product Type: Journal Paper
Volume-5 , Issue-9 , Page no. 215-220, Sep-2017


Online published on Sep 30, 2017

Copyright © Shreekishan Jewliya . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


IEEE Style Citation: Shreekishan Jewliya, “Analysis of Web Application Security”, International Journal of Computer Sciences and Engineering, Vol.5, Issue.9, pp.215-220, 2017.

MLA Style Citation: Shreekishan Jewliya "Analysis of Web Application Security." International Journal of Computer Sciences and Engineering 5.9 (2017): 215-220.

APA Style Citation: Shreekishan Jewliya, (2017). Analysis of Web Application Security. International Journal of Computer Sciences and Engineering, 5(9), 215-220.


Web applications are among the most prevalent platforms for delivering information and services over the Internet today. As they are increasingly used for critical services, web applications have become a prominent and valuable target for security attacks. Although a large body of techniques has been developed to fortify web applications and mitigate attacks against them, little effort has gone into drawing connections among these techniques and building a big picture of web application security research. This paper surveys the area of web application security with the aim of systematizing the existing techniques into a big picture that promotes future research. We first present the unique aspects of web application development that bring inherent challenges to building secure web applications. We then identify three essential security properties that a web application should preserve: Input Validity, State Integrity and Logic Correctness, and describe the corresponding vulnerabilities that violate these properties along with the attack vectors that exploit them. We organize the existing research on securing web applications into three categories based on their design philosophy: security by Construction, security by Verification and security by Protection. Finally, we summarize the lessons learnt and discuss future research opportunities in this area.
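As an added illustration that is not part of the paper, the Python below shows each of the three properties named in the abstract as a deliberately vulnerable request handler beside a hardened one: a login query open to SQL injection (Input Validity), a funds transfer that accepts any request carrying the session cookie and so is forgeable cross-site (State Integrity), and a checkout whose steps can be taken out of order (Logic Correctness). The user table, session identifiers, request dictionaries, step names and all function names are constructed for the example; the paper describes these properties in prose and gives no code.

```python
"""Added example (not from the paper): the three security properties from the
abstract, each as a vulnerable handler beside its hardened form. The table,
sessions and request dicts are constructed here for illustration."""
import hashlib
import hmac
import secrets
import sqlite3


# ---------------------------------------------------------------- Input Validity
def make_db():
    """Constructed in-memory user table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Input Validity violated: untrusted input is spliced into the query text,
    so name = "admin' --" turns the password check into a SQL comment."""
    query = (f"SELECT name, role FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_fixed(conn, name, password):
    """Parameterized query: input is bound as data and can never become SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()


# --------------------------------------------------------------- State Integrity
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret


def csrf_token(session_id):
    """Token bound to the session by an HMAC; a cross-site form cannot produce it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request, balances):
    """State Integrity violated: the session cookie proves which browser sent the
    request, not that the user's own page authored it, so a form on any site the
    victim visits can submit this transfer with the cookie attached (CSRF)."""
    user = request["session"]["user"]
    to, amount = request["form"]["to"], int(request["form"]["amount"])
    balances[user] -= amount
    balances[to] = balances.get(to, 0) + amount
    return True


def transfer_fixed(request, balances):
    """Refuse state-changing requests that lack the session-bound token."""
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, csrf_token(request["session"]["id"])):
        return False
    return transfer_vulnerable(request, balances)


# ------------------------------------------------------------- Logic Correctness
STEPS = ["cart", "pay", "confirm"]  # constructed checkout workflow


def checkout_vulnerable(session, step):
    """Logic Correctness violated: the confirm step trusts that payment already
    happened, so a client can request 'confirm' directly and skip 'pay'."""
    if step == "confirm":
        session["order_placed"] = True
    return session.get("order_placed", False)


def checkout_fixed(session, step):
    """Enforce the step order server-side; an out-of-order step is rejected."""
    progress = session.get("progress", 0)
    if progress >= len(STEPS) or step != STEPS[progress]:
        return False
    session["progress"] = progress + 1
    if step == "confirm":
        session["order_placed"] = True
    return session.get("order_placed", False)
```

Each vulnerable function is the attack vector the abstract pairs with its property: injection for Input Validity, cross-site request forgery for State Integrity, and a workflow bypass for Logic Correctness. The fixes follow the same split: bind input as data, bind state changes to a token only the user's own page can obtain, and keep the workflow state on the server rather than trusting the client to follow it.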

Key-Words / Index Term

Web Security, Web Application, AJAX, jQuery, XML, JavaScript, HTTP, PHP, session

