2025-10-14

Behind the Curtain: A Server-Side View of Web Session Security

Abstract

Since the HTTP protocol is stateless by design, web applications have to implement client authentication by means of web sessions. Given the importance of client authentication, the web security community investigated session security at length. However, prior work in the field primarily focused on black-box testing, which has very limited access to the server-side logic of the web application. This curtain prevents the analysis of relevant session security aspects, such as cryptographic key management, and provides limited insights into why vulnerabilities arise due to insecure programming practices. In this paper, we go through the process of creating a representative dataset of open-source web applications and perform the first measurement of web session security based on static analysis of server-side code. From our distinctive vantage point, we are able to analyze a number of security practices that cannot be assessed through black-box testing alone. Our research analyzes around 1,200 web applications built using the Django and Flask web development frameworks for Python. Our study unveils a number of vulnerabilities and bad programming practices in real-world applications, while shedding light on how key design choices of Django and Flask impact the security posture of web applications.

Conference paper

IEEE Cybersecurity Development (SecDev)

Publication date

2025-10-14

Last modified

2025-11-05