Cookies: A deployment study and the testing implications
Source: ACM Transactions on the Web (TWEB), Volume 3, Issue 3 (June 2009), Article No. 9
Year of Publication: 2009
ISSN: 1559-1131
Authors: Andrew F. Tappenden (University of Alberta, Canada); James Miller (University of Alberta, Canada)
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1541822.1541824

ABSTRACT

The results of an extensive investigation of cookie deployment amongst 100,000 Internet sites are presented. Cookie deployment is found to be approaching universal levels, and hence there exists an associated need for relevant Web and software engineering processes, specifically testing strategies which actively consider cookies. The semi-automated investigation demonstrates that over two-thirds of the sites studied deploy cookies. The investigation specifically examines the use of first-party, third-party, sessional, and persistent cookies within Web-based applications, identifying the presence of a P3P policy and dynamic Web technologies as major predictors of cookie usage. The results are juxtaposed with the lack of testing strategies present in the literature. A number of real-world examples, including two case studies, are presented, further accentuating the need for comprehensive testing strategies for Web-based applications. The use of antirandom test case generation is explored with respect to the testing issues discussed. Finally, a number of seeding vectors are presented, providing a basis for testing cookies within Web-based applications.


