The traditional conception of web application security covers how attacks piggyback on HTTP(S) through a firewall to attack servers. Yet this is a bidirectional path; web browsers can be attacked by compromised sites with malicious payloads. Such attacks exploit assumptions of trust and security between the browser and the web site.
Understanding the capabilities of a web application worm is important for creating defenses. Web browsers have started to implement countermeasures to phishing. Browsers are the gateway between a host and the Internet, a path that is all too often unaffected by firewalls or network security devices.