Web application protection techniques: A taxonomy

The growing popularity of web applications makes them an attractive target for malicious users. Large amounts of private data commonly processed and stored by web applications are a valuable asset for attackers, resulting in more sophisticated web-oriented attacks. Therefore, multiple web application protections have been proposed. Such protections range from narrow, vector-specific solutions used to prevent some attacks only, to generic development practices aiming to build secure software from the ground up. However, due to the diversity of the proposed protection methods, choosing one to protect an existing or a planned application becomes an issue of its own.This paper surveys the web application protection techniques, aiming to systematise the existing approaches into a holistic big picture. First, a general background is presented to highlight the issues specific to web applications. Then, a novel classification of the protections is provided. A variety of existing protections is overviewed and systematised next, followed by a discussion of current issues and limitation inherent to the existing protection methods. Finally, the overall picture is summarised and future potentially beneficial research lines are discussed.