Automated security testing of web widget interactions
Source
Foundations of Software Engineering archive
Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering
Amsterdam, The Netherlands
SESSION: Dependability
Pages 81-90
Year of Publication: 2009
ISBN:978-1-60558-001-2
Authors
Cor-Paul Bezemer  Delft University of Technology and Exact Software, Delft, Netherlands
Ali Mesbah  Delft University of Technology, Delft, Netherlands
Arie van Deursen  Delft University of Technology, Delft, Netherlands
Sponsors
ACM: Association for Computing Machinery
SIGSOFT: ACM Special Interest Group on Software Engineering
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1595696.1595711

ABSTRACT

We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, that can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations.

Our approach, implemented in a number of open source ATUSA plugins, called DIVA, requires no modification of application code, and has few false positives. We discuss the results of an empirical evaluation of the violation revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.
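A toy version of the two checks the abstract describes, added here as an illustration and not the paper's DIVA code: DOM snapshots are modelled as path-to-text dicts whose first path segment is the owning widget container (a modelling assumption), and a constructed trace of widget events and outgoing requests is checked for cross-widget DOM changes and for request values that only another widget's DOM holds.

```python
# Added illustration of the two violation checks named in the abstract; it is
# not the paper's DIVA implementation. Modelling assumption: a DOM snapshot is a
# dict mapping element path -> text, and the first path segment is the id of
# the widget container that owns the element.

def widget_of(path):
    """Return the widget container id that owns a DOM element path."""
    return path.split("/")[0]

def dom_violations(actor, before, after):
    """Paths changed while `actor` handled an event that lie outside its container."""
    changed = {p for p in before.keys() | after.keys() if before.get(p) != after.get(p)}
    return sorted(p for p in changed if widget_of(p) != actor)

def data_leaks(actor, snapshots, request_params):
    """(param, owner) pairs where a request value equals text owned only by other widgets."""
    leaks = []
    for name, value in request_params.items():
        owners = {widget_of(p) for snap in snapshots for p, text in snap.items() if text == value}
        if owners and actor not in owners:  # text the actor itself displays is not a leak
            leaks.append((name, min(owners)))
    return leaks

def analyze(trace):
    """Run both checks over a recorded trace; each step is one widget event."""
    findings = []
    for step in trace:
        actor, before, after = step["widget"], step["before"], step["after"]
        for path in dom_violations(actor, before, after):
            findings.append(("dom-change", actor, path))
        for param, owner in data_leaks(actor, (before, after), step.get("request", {})):
            findings.append(("data-leak", actor, f"{param}<-{owner}"))
    return findings

# Constructed trace: the "news" widget only touches its own subtree; the "ad"
# widget overwrites the mail widget's inbox count and sends that value out.
BEFORE = {"mail/inbox": "3 new", "news/headline": "Hello", "ad/banner": "Buy"}
TRACE = [
    {"widget": "news", "before": BEFORE, "after": {**BEFORE, "news/headline": "World"}},
    {"widget": "ad", "before": BEFORE, "after": {**BEFORE, "mail/inbox": "0 new"},
     "request": {"u": "http://tracker.invalid/c", "q": "3 new"}},
]

if __name__ == "__main__":
    for finding in analyze(TRACE):
        print(finding)
```

A value shown by both the acting widget and another widget is deliberately not reported, which is the kind of rule that keeps the false-positive rate down when widgets legitimately share text.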

