Web applications are a critical component of the security ecosystem as they are often the front door for many companies, as such, vulnerabilities in web applications allow hackers access to companies' private data, which contains consumers' private financial information. Web applications are, by their nature, available to everyone, at anytime, from anywhere, and this includes attackers. Therefore, attackers have the opportunity to perform reconnaissance at their leisure, acquiring information on the layout and technologies of the web application, before launching an attack. However, the defender must be prepared for all possible attacks and does not have the luxury of performing reconnaissance on the attacker. The idea behind Moving Target Defense (MTD) is to reduce the information asymmetry between the attacker and defender, ultimately rendering the reconnaissance information misleading or useless. In this paper we take the first steps of applying MTD concepts to web applications in order to create effective defensive layers. We first analyze the web application stack to understand where and how MTD can be applied. The key issue here is that an MTD application must actively prevent or disrupt a vulnerability or exploit, while still providing identical functionality. Then, we discuss our implementation of two MTD approaches, which can mitigate several classes of web application vulnerabilities or exploits. We hope that our discussion will help guide future research in applying the MTD concepts to the web application stack.

Original languageEnglish (US)
Title of host publicationProceedings - 2015 IEEE 16th International Conference on Information Reuse and Integration, IRI 2015
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages8
ISBN (Print)9781467366564
StatePublished - Oct 19 2015
Event16th IEEE International Conference on Information Reuse and Integration, IRI 2015 - San Francisco, United States
Duration: Aug 13 2015Aug 15 2015


Other16th IEEE International Conference on Information Reuse and Integration, IRI 2015
Country/TerritoryUnited States
CitySan Francisco


  • Abstract Syntax Tree
  • Automated Conversion
  • Diversify
  • Layers
  • Moving
  • Randomize
  • Source Translation
  • Tiered
  • Web applications
  • Web Software

ASJC Scopus subject areas

  • Information Systems
  • Information Systems and Management
  • Electrical and Electronic Engineering


Dive into the research topics of 'Toward a Moving Target Defense for Web Applications'. Together they form a unique fingerprint.

Cite this