Automated security testing of AJAX web widgets

Automated security testing of AJAX web widgets

Bezemer, C.

Mesbah, A. (mentor)

Electrical Engineering, Mathematics and Computer Science

2009-03-27

ver the years AJAX, a technique for improving the responsiveness of web applications, has become increasingly popular. One of the results of AJAX is the development of a new type of web application component called web widget. Widgets are mini-applications which are placed next to each other on a web page. This has consequences for their security. In this report two security threats are explained. The first threat discussed is the case in which a widget changes the DOM of another widget. The second threat discussed is the case in which a widget steals data from another widget. We propose a dynamic approach for automatically detecting these issues. Our approach uses ATUSA, a testing framework capable of crawling AJAX applications, for which we have developed two security testing plugins. In this report we also evaluate our approach using three case studies. The first case study is conducted on test widgets, which we created for a simplified widget framework. The second case study is conducted on the Exact Widget Framework, a widget framework which is being prototyped by the Research and Innovation team of Exact Software. The final case study is performed on Pageflakes, an industrial, widely used widget framework. The results of these case studies show that our approach has high violation-detection capabilities with a low false positive detection rate.

ajax
automated testing
security
web applications
widgets

http://resolver.tudelft.nl/uuid:54f7d7a3-de8a-4127-9cf3-897eb79a1860

TU Delft, Electrical Engineering, Mathematics and Computer Science, Computer Science

Student theses

master thesis

(c) 2009 Bezemer, C.