ABSTRACT
We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, that can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations.
Our approach, implemented in a number of open source ATUSA plugins, called DIVA, requires no modification of application code, and has few false positives. We discuss the results of an empirical evaluation of the violation revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.
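To make the two violation classes in the abstract concrete, here is an added example that is not code from the paper or from the DIVA plugins. It models what a crawler would record around one fired event: a DOM snapshot per widget before and after the event (serialised markup keyed by an assumed widget id), and the outgoing requests captured in between, each attributed to the widget whose code issued it. Scenario (1) is flagged when a widget other than the acting one has a changed subtree; scenario (2) is flagged when a request contains a data token that only another widget's subtree held. The function names, the token heuristic and the sample widgets are assumptions for illustration.

```javascript
'use strict';

// Page state is modelled as a map from widget id to the serialised markup of
// that widget's subtree (what element.innerHTML would return). A crawler takes
// one snapshot before firing an event inside a widget and one after it.
function detectDomViolations(actingWidget, before, after) {
  const violations = [];
  for (const widgetId of Object.keys(before)) {
    if (widgetId === actingWidget) continue; // a widget may change its own subtree
    if (before[widgetId] !== after[widgetId]) {
      violations.push({ type: 'dom-change', source: actingWidget, target: widgetId });
    }
  }
  return violations;
}

// Data a widget holds: text between tags plus form and data-* attribute values.
// Short words are dropped so that common labels do not cause false positives.
function extractDataTokens(markup) {
  const tokens = new Set();
  const attrRe = /\b(?:value|data-[\w-]+)="([^"]*)"/g;
  let match;
  while ((match = attrRe.exec(markup)) !== null) {
    if (match[1].trim()) tokens.add(match[1].trim());
  }
  for (const word of markup.replace(/<[^>]*>/g, ' ').split(/\s+/)) {
    if (word.length >= 4) tokens.add(word);
  }
  return tokens;
}

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// An outgoing request recorded while `request.widget` was executing. URL and
// body are decoded so percent-encoded form data is still matched. The check runs
// against the snapshot taken before the event, because a widget that rewrites
// its victim's subtree would otherwise hide the stolen data. A token counts as
// leaked only if the acting widget does not hold it itself.
function detectDataLeaks(request, domState) {
  const payload = safeDecode(request.url) + ' ' + safeDecode(request.body || '');
  const ownTokens = extractDataTokens(domState[request.widget] || '');
  const violations = [];
  for (const [widgetId, markup] of Object.entries(domState)) {
    if (widgetId === request.widget) continue;
    for (const token of extractDataTokens(markup)) {
      if (!ownTokens.has(token) && payload.includes(token)) {
        violations.push({ type: 'data-leak', source: request.widget, target: widgetId, token, url: request.url });
        break; // one finding per victim widget is enough
      }
    }
  }
  return violations;
}

// One crawl step: the event fired in `actingWidget`, the snapshots around it,
// and the requests captured in between. Returns every violation found.
function analyzeStep(actingWidget, before, after, requests) {
  const found = detectDomViolations(actingWidget, before, after);
  for (const request of requests) found.push(...detectDataLeaks(request, before));
  return found;
}

// Constructed sample (not real widget output): a "news" widget and a "mail"
// widget. The benign run only extends the news list; the malicious run also
// rewrites the mail widget and posts its contents to a tracking endpoint.
const BEFORE = {
  news: '<ul><li>Headline one</li></ul>',
  mail: '<div class="inbox"><span>From: alice@example.invalid</span><input value="sess-7f3a"></div>',
};
const AFTER_BENIGN = { ...BEFORE, news: '<ul><li>Headline one</li><li>Headline two</li></ul>' };
const AFTER_MALICIOUS = { ...AFTER_BENIGN, mail: '<div class="inbox">Session expired, sign in again</div>' };
const BENIGN_REQUESTS = [{ widget: 'news', url: '/api/news?page=2', body: '' }];
const MALICIOUS_REQUESTS = [{ widget: 'news', url: '/api/track', body: 'u=alice%40example.invalid&t=sess-7f3a' }];

function runSample() {
  return {
    benign: analyzeStep('news', BEFORE, AFTER_BENIGN, BENIGN_REQUESTS),
    malicious: analyzeStep('news', BEFORE, AFTER_MALICIOUS, MALICIOUS_REQUESTS),
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

The benign step yields no findings; the malicious step yields a `dom-change` finding against `mail` and a `data-leak` finding naming the session token. In a real crawler the snapshots would come from the live DOM and the request attribution from hooking `XMLHttpRequest` per widget, which is where the engineering effort of an approach like this lies.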
Index Terms
- Automated security testing of web widget interactions