We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, that can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations. Our approach, implemented in a number of open source ATUSA plugins, called DIVA, requires no modification of application code, and has few false positives. We discuss the results of an empirical evaluation of the violation revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.
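The two inter-widget violations described above, as an added illustration that is not DIVA's or ATUSA's own code: a constructed model in which every DOM node records its owning widget and every runtime event (a DOM mutation or an outgoing HTTP call) is attributed to the widget whose code triggered it. That attribution, the node ids and the sample trace are all assumptions made for the example.

```javascript
// Constructed sample page: each DOM node id maps to the widget that owns it.
const nodeOwner = {
  'w1-root': 'weather', 'w1-temp': 'weather',
  'w2-root': 'mail', 'w2-inbox': 'mail', 'w2-token': 'mail',
};

// Constructed per-widget private data (values rendered only inside that
// widget's DOM). Leakage is judged on values, not on variable names.
const widgetData = {
  weather: ['London', '18C'],
  mail: ['sess-9f3a'],
};

// Scenario 1: a DOM mutation is a violation when the acting widget does not
// own the node it mutated. Assumed event shape: {type, actor, target}.
function checkDomMutation(ev) {
  const owner = nodeOwner[ev.target];
  if (owner === undefined || owner === ev.actor) return null;
  return { kind: 'dom', actor: ev.actor, victim: owner, target: ev.target };
}

// Scenario 2: an outgoing HTTP call is a violation when its URL or body
// carries a value that belongs to a different widget.
// Assumed event shape: {type, actor, url, body?}.
function checkHttpCall(ev) {
  const payload = `${ev.url} ${ev.body ?? ''}`;
  for (const [widget, values] of Object.entries(widgetData)) {
    if (widget === ev.actor) continue;
    const leaked = values.find(v => payload.includes(v));
    if (leaked) return { kind: 'http', actor: ev.actor, victim: widget, leaked };
  }
  return null;
}

// Runs a recorded trace through both checks and returns every violation.
function detectViolations(trace) {
  return trace
    .map(ev => (ev.type === 'mutation' ? checkDomMutation(ev) : checkHttpCall(ev)))
    .filter(v => v !== null);
}

// Constructed trace: a benign self-update, a cross-widget DOM write, a benign
// request, and a request that carries the mail widget's token to a third party.
const sampleTrace = [
  { type: 'mutation', actor: 'weather', target: 'w1-temp' },
  { type: 'mutation', actor: 'weather', target: 'w2-inbox' },
  { type: 'http', actor: 'weather', url: 'https://api.example/weather?city=London' },
  { type: 'http', actor: 'weather', url: 'https://third-party.example/collect', body: 'tok=sess-9f3a' },
];

console.log(detectViolations(sampleTrace)); // two violations: one 'dom', one 'http'
```

Attributing each event to a widget is the hard part in a real page; here it is simply given in the trace, whereas the approach described in the abstract derives it during dynamic execution of the application.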