Automated Security Testing of Web Widget Interactions

C. Bezemer; A. Mesbah; A. van Deursen

doi:10.1145/1595696.1595711

Automated Security Testing of Web Widget Interactions

C. Bezemer, A. Mesbah, A. van Deursen

Software Engineering

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

31 Citations (Scopus)

Abstract

We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, that can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations.
Our approach, implemented in a number of open source ATUSA plugins, called DIVA, requires no modification of application code, and has few false positives. We discuss the results of an empirical evaluation of the violation revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.

Original language	English
Title of host publication	Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09)
Editors	H van Vliet, V Issarny
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	81-90
Number of pages	10
ISBN (Print)	978-1-60558-001-2
DOIs	https://doi.org/10.1145/1595696.1595711
Publication status	Published - 2009
Event	7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09) - New York Duration: 24 Aug 2009 → 28 Aug 2009

Conference

Conference	7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09)
Period	24/08/09 → 28/08/09

Bibliographical note

Acceptance rate 14,7%

Access to Document

10.1145/1595696.1595711

Cite this

Bezemer, C., Mesbah, A., & van Deursen, A. (2009). Automated Security Testing of Web Widget Interactions. In H. van Vliet, & V. Issarny (Eds.), Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09) (pp. 81-90). Association for Computing Machinery (ACM). https://doi.org/10.1145/1595696.1595711

Bezemer, C. ; Mesbah, A. ; van Deursen, A. / Automated Security Testing of Web Widget Interactions. Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09). editor / H van Vliet ; V Issarny. New York : Association for Computing Machinery (ACM), 2009. pp. 81-90

@inproceedings{6a0959c1f3824cedac36af085e803bd4,

title = "Automated Security Testing of Web Widget Interactions",

abstract = "We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, that can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations.Our approach, implemented in a number of open source ATUSA plugins, called DIVA, requires no modification of application code, and has few false positives. We discuss the results of an empirical evaluation of the violation revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.",

author = "C. Bezemer and A. Mesbah and {van Deursen}, A.",

note = "Acceptance rate 14,7%; 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09) ; Conference date: 24-08-2009 Through 28-08-2009",

year = "2009",

doi = "10.1145/1595696.1595711",

language = "English",

isbn = "978-1-60558-001-2",

pages = "81--90",

editor = "{van Vliet}, H and V Issarny",

booktitle = "Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09)",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

}

Bezemer, C, Mesbah, A & van Deursen, A 2009, Automated Security Testing of Web Widget Interactions. in H van Vliet & V Issarny (eds), Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09). Association for Computing Machinery (ACM), New York, pp. 81-90, 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09), 24/08/09. https://doi.org/10.1145/1595696.1595711

Automated Security Testing of Web Widget Interactions. / Bezemer, C.; Mesbah, A.; van Deursen, A.
Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09). ed. / H van Vliet; V Issarny. New York: Association for Computing Machinery (ACM), 2009. p. 81-90.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Automated Security Testing of Web Widget Interactions

AU - Bezemer, C.

AU - Mesbah, A.

AU - van Deursen, A.

N1 - Acceptance rate 14,7%

PY - 2009

Y1 - 2009

N2 - We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, that can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations.Our approach, implemented in a number of open source ATUSA plugins, called DIVA, requires no modification of application code, and has few false positives. We discuss the results of an empirical evaluation of the violation revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.

AB - We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, that can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations.Our approach, implemented in a number of open source ATUSA plugins, called DIVA, requires no modification of application code, and has few false positives. We discuss the results of an empirical evaluation of the violation revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.

UR - http://swerl.tudelft.nl/twiki/pub/Main/TechnicalReports/TUD-SERG-2009-011.pdf

U2 - 10.1145/1595696.1595711

DO - 10.1145/1595696.1595711

M3 - Conference contribution

SN - 978-1-60558-001-2

SP - 81

EP - 90

BT - Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09)

A2 - van Vliet, H

A2 - Issarny, V

PB - Association for Computing Machinery (ACM)

CY - New York

T2 - 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09)

Y2 - 24 August 2009 through 28 August 2009

ER -

Bezemer C, Mesbah A, van Deursen A. Automated Security Testing of Web Widget Interactions. In van Vliet H, Issarny V, editors, Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09). New York: Association for Computing Machinery (ACM). 2009. p. 81-90 doi: 10.1145/1595696.1595711

Automated Security Testing of Web Widget Interactions

Abstract

Conference

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this