Unveiling Emerging Web Application Attack Surfaces
PISU, LORENZO
2026
Abstract
The security of modern web applications is continually challenged by both the evolution of development paradigms and the emergence of new attack surfaces. The OWASP Top 10 consistently ranks injection attacks and insecure design among the most prevalent threats. While issues such as XSS and SQLi have been extensively studied, many other vulnerabilities within these categories remain insufficiently explored. This thesis studies emerging web security weaknesses across three domains: template engines, HTTP/3, and concurrency. First, we perform an assessment of Server-Side Template Injection (SSTI) across diverse engines and languages, showing that Remote Code Execution (RCE) remains feasible despite longstanding awareness. We then perform the first large-scale study of Client-Side Template Injection (CSTI), using an automated scanner to reveal significant real-world exposure to Cross-Site Scripting (XSS) via templating logic and to quantify gaps in current defenses. Turning to protocol evolution, we analyze HTTP/3 proxy behavior and uncover new classes of request smuggling and desynchronization attacks rooted in inconsistencies between specifications and implementations, and we provide a tool for detecting such inconsistencies in proxy behavior. Finally, we present a benchmarking framework and introduce the first tool capable of performing single-datagram race condition attacks over HTTP/3. Our benchmark highlights how factors such as server architecture, language runtime, and database configuration influence the exploitability of concurrency issues. Collectively, these contributions provide measurement methodologies, tooling, and mitigation guidance for securing next-generation web applications.

| File | Size | Format | |
|---|---|---|---|
| tesi di dottorato_ Lorenzo Pisu.pdf (open access; License: All rights reserved) | 2.78 MB | Adobe PDF | View/Open |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14242/359480
URN:NBN:IT:UNICA-359480