Automated security testing of AJAX web widgets

Title: Automated security testing of AJAX web widgets
Author: Bezemer, C.
Contributor: Mesbah, A. (mentor)
Faculty: Electrical Engineering, Mathematics and Computer Science
Date: 2009-03-27

Abstract: Over the years AJAX, a technique for improving the responsiveness of web applications, has become increasingly popular. One result of AJAX is the development of a new type of web application component, the web widget. Widgets are mini-applications that are placed next to each other on a web page, and this shared placement has consequences for their security. In this report two security threats are explained. The first threat is the case in which a widget changes the DOM of another widget. The second threat is the case in which a widget steals data from another widget. We propose a dynamic approach for automatically detecting these issues. Our approach uses ATUSA, a testing framework capable of crawling AJAX applications, for which we have developed two security testing plugins. In this report we also evaluate our approach using three case studies. The first case study is conducted on test widgets which we created for a simplified widget framework. The second case study is conducted on the Exact Widget Framework, a widget framework being prototyped by the Research and Innovation team of Exact Software. The final case study is performed on Pageflakes, an industrial, widely used widget framework. The results of these case studies show that our approach has high violation-detection capabilities with a low false positive rate.

Subject: ajax; automated testing; security; web applications; widgets
To reference this document use: http://resolver.tudelft.nl/uuid:54f7d7a3-de8a-4127-9cf3-897eb79a1860
Publisher: TU Delft, Electrical Engineering, Mathematics and Computer Science, Computer Science
Part of collection: Student theses
Document type: master thesis
Rights: (c) 2009 Bezemer, C.
Files: ewi_bezemer_2009.pdf (PDF, 2.22 MB)
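As an added illustration, which is not code from the thesis and not the ATUSA plugins it describes, the following JavaScript models the two threats named in the abstract and a dynamic check for them: snapshot every other widget's subtree before a widget runs and diff afterwards (a DOM-change violation), and record every handle a widget obtains to another widget's container (the access a data-stealing widget needs). The DOM is a constructed in-memory tree so the example runs under node; the page API, the widget names and the sample widgets are assumptions made for this example.

```javascript
// Tiny stand-in for a DOM subtree (constructed here so the example runs
// without a browser). A node is { tag, attrs, children } or { text }.
function el(tag, attrs = {}, children = []) {
  return { tag, attrs, children };
}
function txt(s) {
  return { text: s };
}

// Canonical serialization of a subtree; equal strings mean equal subtrees.
function serialize(node) {
  if (node.text !== undefined) return JSON.stringify(node.text);
  const attrs = Object.keys(node.attrs)
    .sort()
    .map((k) => ` ${k}=${JSON.stringify(node.attrs[k])}`)
    .join("");
  const inner = node.children.map(serialize).join("");
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// A page is a root node with one container per widget. Widget code reaches
// containers only through page.container(id); every access to a container
// other than the running widget's own is recorded (hypothetical API).
function buildPage(widgetIds) {
  const root = el("body");
  const containers = new Map();
  for (const id of widgetIds) {
    const c = el("div", { id: `widget-${id}` });
    containers.set(id, c);
    root.children.push(c);
  }
  const accessLog = [];
  let current = null;
  return {
    root,
    accessLog,
    ids: () => [...containers.keys()],
    raw: (id) => containers.get(id), // used by the checker, not logged
    container(id) {
      if (current !== null && id !== current) accessLog.push({ actor: current, target: id });
      return containers.get(id);
    },
    run(actor, widget) {
      current = actor;
      try { widget(this); } finally { current = null; }
    },
  };
}

// Run one widget and report both threats:
//  - domChange:     a foreign container's subtree differs after the run
//  - foreignAccess: the widget obtained a handle to a foreign container,
//                   the prerequisite for reading (stealing) its data
function runAndCheck(page, actor, widget) {
  const before = new Map();
  for (const id of page.ids()) if (id !== actor) before.set(id, serialize(page.raw(id)));
  const logStart = page.accessLog.length;
  page.run(actor, widget);
  const violations = [];
  for (const [id, snap] of before) {
    if (serialize(page.raw(id)) !== snap) violations.push({ type: "domChange", actor, victim: id });
  }
  for (const entry of page.accessLog.slice(logStart)) {
    violations.push({ type: "foreignAccess", actor, victim: entry.target });
  }
  return violations;
}

// Constructed sample widgets: two well-behaved, one rogue.
function weatherWidget(page) {
  page.container("weather").children.push(txt("Delft: 12 C"));
}
function mailWidget(page) {
  page.container("mail").children.push(el("span", { class: "addr" }, [txt("user@example.org")]));
}
function rogueWidget(page) {
  const stolen = serialize(page.container("mail"));          // data theft
  page.container("weather").children.push(txt("Defaced"));   // DOM change
  page.container("rogue").attrs["data-exfil"] = stolen.length; // own container, allowed
}

function demo() {
  const page = buildPage(["weather", "mail", "rogue"]);
  return {
    weather: runAndCheck(page, "weather", weatherWidget),
    mail: runAndCheck(page, "mail", mailWidget),
    rogue: runAndCheck(page, "rogue", rogueWidget),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The snapshot diff is the cheap, framework-independent half: it needs no cooperation from widget code and catches any cross-widget DOM write, whatever path the widget took to reach the element. The access log is only as good as the reference monitor in front of the DOM; a widget that obtains a foreign element through a global such as document.getElementById bypasses it, which is why a real implementation must hook the DOM entry points the framework exposes rather than a convenience wrapper like the one modelled here.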