This paper deals with the security of stock market transactions within financial markets, particularly that of the West African Economic and Monetary Union (UEMOA). Because the confidentiality and integrity of sensitive stock market data are crucial, robust systems that guarantee trust between the different actors are essential. After analyzing the limits of several security approaches in the literature, we therefore propose an architecture based on blockchain technology that makes it possible both to identify and to reduce the vulnerabilities linked to the design, implementation or use of the web applications used for transactions. Thanks to two-factor authentication via the blockchain, our proposal strengthens the security of investors' accounts and automatically records transactions in the blockchain, guaranteeing the integrity of stock market operations. It also produces an application vulnerability report. To validate our approach, we compared our results to those of three other security tools across several metrics. Our approach achieved the best performance in each case.
Ajax is really several technologies, each flourishing in its own right, coming together in powerful new ways. It consists of HTML, JavaScript technology, DHTML, and DOM, and is an outstanding approach that helps to transform clunky Web interfaces into interactive Ajax applications. After defining Ajax, we introduce how to make asynchronous requests with JavaScript and Ajax. Finally, advanced requests and responses in Ajax are presented.
This study presents a methodology to evaluate and prevent security vulnerability issues in web applications. The analysis process is based on techniques and tools that allow white-box and black-box security assessments to be performed, so that the security validation of a web application can be carried out in an agile and precise way. The objective of the methodology is to take advantage of the synergies between semi-automatic static and dynamic security analysis tools and manual checks. Each phase of the methodology is supported by security analysis tools of different degrees of coverage, so that the results generated in one phase feed the following phases and produce an optimized global security analysis result. The methodology can be used as part of other, more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results: 24.6 per cent of the security vulnerabilities reported by the static analysis have been checked. This phase is very important because it allows each reported vulnerability to be checked by a second, dynamic tool to confirm whether it is a true or false positive, and it allows the study of which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds five (5) other important vulnerabilities, such as Insufficiently Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.
Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity, so it is especially important to test forms completely and thoroughly. Therefore, this paper discusses how to carry out form testing by different methods in the related testing phases. Namely, at first, forms in the Web pages are abstracted automatically by parsing the HTML documents; then, the testing data are obtained with certain strategies, such as from requirement specifications, by mining users' previous input information or by a recording mechanism; next, the testing actions are executed automatically from the well-formed test cases; finally, a case study is given to illustrate the convenience and effectiveness of these methods.
A formal model representing the navigation behavior of a Web application as a Kripke structure is proposed, and an approach that applies model checking to test case generation is presented. The Object Relation Diagram, as the object model, is employed to describe the object structure of a Web application design and can be translated into the behavior model. A key problem of model checking-based test generation for a Web application is how to construct a set of trap properties that are intended to be violated when model checking the behavior model, so that the resulting counterexamples can be used to construct the test sequences. We give an algorithm that derives trap properties from the object model with respect to node and edge coverage criteria.
To detect security vulnerabilities in a web application, the security analyst must choose the best-performing Security Analysis Static Tool (SAST), in terms of discovering as many security vulnerabilities as possible. To compare static analysis tools for web applications, a benchmark adapted to the vulnerability categories included in the well-known Open Web Application Security Project (OWASP) Top Ten project is required. Information on the security effectiveness of commercial static analysis tools is not usually publicly accessible, and the state of the art on static security analyzers shows that the different designs and implementations of those tools yield different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a newly proposed methodology and a new benchmark designed for the vulnerability categories included in the OWASP Top Ten project. Thus, practitioners will have more precise information to select the best tool using a benchmark adapted to the latest versions of the OWASP Top Ten project. The results of this work have been obtained using widely accepted metrics to classify the tools according to three different degrees of web application criticality.
Security weaknesses in web applications deployed in cloud architectures can seriously affect their data confidentiality and integrity. The procedure used by each static source code security analysis tool differs, and therefore each tool finds a different number of each weakness type for which it is designed. To exploit the possible synergies that different static analysis tools may offer, this work uses a new method to combine several source code analysis tools, aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives. Specifically, five static analysis tools are combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses (OWASP TTSW). The method selects specific metrics to rank the tools for different criticality levels of web applications, considering different weights in the ratios. The findings show that simply including more tools in a combination is not synonymous with better results; it depends on the specific tools included in the combination, due to their different designs and techniques.
Usability and security are often considered contradictory in nature: one has a negative impact on the other. In order to satisfy the needs of users from a security perspective, the relationship and trade-offs between security and usability must be distinguished. Security practitioners are working on developing new approaches that would help to secure healthcare web applications as well as increase their usability. In the same vein, the present research is premised on the usable-security of healthcare web applications. For a compatible blend of usability and security that would fulfill the users' requirements, this research proposes an integration of the Fuzzy AHP-TOPSIS method for assessing the usable-security of healthcare web applications. Since accurately estimating security-usability is also a decision making problem, the study employs Multiple Criteria Decision Analysis (MCDA) for selecting the most decisive attributes of usability as well as security. Furthermore, this study also pinpoints the highest priority attributes that can strengthen the usable-security of healthcare web applications. The effectiveness of the suggested method has been tested on the healthcare web applications of local hospitals in Mecca, Saudi Arabia. The results corroborate that Fuzzy AHP-TOPSIS is indeed a reliable technique that will help developers to design healthcare web applications that deliver optimum usable-security.
Web application fingerprint recognition is an effective security technology designed to identify and classify web applications, thereby enhancing the detection of potential threats and attacks. Traditional fingerprint recognition methods, which rely on preannotated feature matching, face inherent limitations due to the ever-evolving nature and diverse landscape of web applications. In response to these challenges, this work proposes an innovative web application fingerprint recognition method founded on clustering techniques. The method involves extensive data collection from the Tranco List, employing adjusted feature selection built upon Wappalyzer and noise reduction through truncated SVD dimensionality reduction. The core of the methodology lies in the application of the unsupervised OPTICS clustering algorithm, eliminating the need for preannotated labels. By transforming web applications into feature vectors and leveraging clustering algorithms, our approach accurately categorizes diverse web applications, providing comprehensive and precise fingerprint recognition. The experimental results, which are obtained on a dataset featuring various web application types, affirm the efficacy of the method, demonstrating its ability to achieve high accuracy and broad coverage. This novel approach not only distinguishes between different web application types effectively but also demonstrates superiority in terms of classification accuracy and coverage, offering a robust solution to the challenges of web application fingerprint recognition.
This work leveraged predictive modeling techniques in machine learning (ML) to predict heart disease using a dataset sourced from the Center for Disease Control and Prevention in the US. The dataset was preprocessed and used to train five machine learning models: random forest, support vector machine, logistic regression, extreme gradient boosting and light gradient boosting. The goal was to use the best performing model to develop a web application capable of reliably predicting heart disease based on user-provided data. The extreme gradient boosting classifier provided the most reliable results, with precision, recall and F1-score of 97%, 72%, and 83% respectively for Class 0 (no heart disease) and 21% (precision), 81% (recall) and 34% (F1-score) for Class 1 (heart disease). The model was further deployed as a web application.
Most behavior models for Web applications focus on the sequencing of events, without regard for the changes of parameters or elements and the relationship between the trigger conditions of events and Web pages. As a result, these models are not sufficient to effectively represent the dynamic behavior of Web 2.0 applications. Therefore, in this paper, to appropriately describe the dynamic behavior of the client side of Web applications, we define a novel Client-side Behavior Model (CBM) for Web applications and present a user behavior trace-based modeling method to automatically generate and optimize CBMs. To verify the effectiveness of our method, we conduct a series of experiments on six Web applications according to three types of user behavior traces. The experimental results show that our modeling method can construct CBMs automatically and effectively, and that the CBMs built represent the dynamic behavior of Web applications more precisely.
The advanced technological need, exacerbated by flexible time constraints, leads to several more unexplored design-level vulnerabilities. Security is an extremely vital component in software development; we must take charge of security, and therefore the analysis of software security risk assumes utmost significance. In order to handle the cyber-security risk of a web application and protect individuals, information and properties effectively, one must consider what needs to be secured, what the perceived threats are, and how assets are protected. Security preparation plans, implements, tracks, updates and consistently develops safety risk management activities. Risk management must be interpreted as the major component for tackling security efficiently. In particular, during application development, security is considered as an add-on rather than the main issue. It is important for researchers to stress the consideration of protection right from the earlier developmental stages of the software. This approach will help in designing software which can itself combat threats and does not depend on external security programs. Therefore, it is essential to evaluate the impact of security risks during software design. In this paper the researchers have used the hybrid Fuzzy AHP-TOPSIS method to evaluate the risks for improving the security durability of different Institutional Web Applications. In addition, the e-component of security risk is measured against software durability, and vice versa. The paper's findings will prove to be valuable for enhancing the security durability of different web applications.
JavaScript has become one of the most widely used languages for Web development. Its dynamic and event-driven features make it challenging to ensure the correctness of Web applications written in JavaScript. A variety of dynamic analysis techniques have been proposed which are, however, limited in either coverage or scalability. In this paper, we propose a simple, yet effective, model-based automated testing approach to achieve a high code coverage within the time budget via testing with longer event sequences. We implement our approach as an open-source tool, LJS, and perform extensive experiments on 21 publicly available benchmarks. On average, LJS is able to achieve 86.5% line coverage in 10 minutes. Compared with JSDEP, a state-of-the-art breadth-first search based automated testing tool enriched with partial order reduction, the coverage of LJS is 11%-19% higher than that of JSDEP on real-world large Web applications. Our empirical findings support that proper longer test sequences can achieve a higher code coverage in JavaScript Web application testing.
This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems in cyberspace. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool. The web-based applications (websites) were analyzed to determine whether security headers have been correctly implemented. The experiment was iterated for 100 highly ranked universities in Africa. The purposive sampling technique was employed to understand the status quo of security header implementations. The results revealed that 70% of the web-based applications in Africa have not enforced security headers. The study proposes a secure system architecture design for addressing web-based applications' misconfiguration and insecure design. It presents security techniques for securing web-based applications by hardening security headers using automated threat modelling techniques. Furthermore, it recommends adopting security headers in web-based applications using the proposed secure system architecture design.
Recently, testing techniques based on dynamic exploration, which try to automatically exercise every possible user interface element, have been extensively used to facilitate fully testing web applications. Most of such testing tools are however not effective in reaching dynamic pages induced by form interactions, due to their emphasis on handling client-side scripting. In this paper, we present a combinatorial strategy to achieve a full form test and build an automated test model. We propose an algorithm called pairwise testing with constraints (PTC) to implement the strategy. Our PTC algorithm uses pairwise coverage and handles the issues of semantic constraints and illegal values. We have implemented a prototype tool, ComjaxTest, and conducted an empirical study on five web applications. Experimental results indicate that our PTC algorithm generates fewer form test cases while achieving a higher coverage of dynamic pages than the general pairwise testing algorithm. Additionally, our ComjaxTest generates a relatively complete test model and then detects more faults in a reasonable amount of time, as compared with other existing tools based on dynamic exploration.
To satisfy the rapid growth of cloud technologies, a large number of web applications have been developed and deployed, and these applications are being run in clouds. Due to the scalability provided by clouds, a single web application may be concurrently visited by several millions or billions of users. Thus, the testing and performance evaluation of these applications are increasingly important. User model based evaluations can significantly reduce the manual work required, and can enable us to determine the performance of applications under real runtime environments. Hence, it has become one of the most popular evaluation methods in both industry and academia. Significant efforts have focused on building different kinds of models by mining web access logs, such as Markov models and the Customer Behavior Model Graph (CBMG). This paper proposes a new kind of model, named the User Representation Model Graph (URMG), which is built based on CBMG. It uses an algorithm to refine CBMG and optimizes the evaluation execution process. Based on this model, an automatic testing and evaluation system for web applications is designed, implemented, and deployed in our test cloud, which is able to execute all of the analysis and testing operations using only web access logs. In our system, the error rate caused by random access to applications in the execution phase is also reduced, and the results show that the error rate of the evaluation that depends on URMG is 50% less than that which depends on CBMG.
Container-based virtualization techniques are becoming an alternative to traditional virtual machines, due to less overhead and better scaling. As one of the most widely used open-source container orchestration systems, Kubernetes provides a built-in mechanism, the horizontal pod autoscaler (HPA), for dynamic resource provisioning. By default, scaling pods only based on CPU utilization, a single performance metric, HPA may create more pods than actually needed. Through extensive measurements of a containerized n-tier application benchmark, RUBBoS, we find that excessive pods consume more CPU and memory and even deteriorate the response times of applications, due to interference. Furthermore, a Kubernetes service does not balance incoming requests among old pods and new pods created by HPA, due to stateful HTTP. In this paper, we propose a bi-metric approach to scaling pods by taking into account both CPU utilization and the utilization of the thread pool, which is an important soft resource in Httpd and Tomcat. Our approach collects the CPU and memory utilization of pods. Meanwhile, it makes use of ELBA, a milli-bottleneck detector, to calculate the queue lengths of Httpd and Tomcat pods and then evaluate the utilization of their thread pools. Based on the utilization of both CPU and thread pools, our approach can scale up fewer replicas of Httpd and Tomcat pods, contributing to a reduction of hardware resource utilization. At the same time, our approach leverages the preStop hook along with liveness and readiness probes to relieve load imbalance between old Tomcat pods and new ones. Based on the containerized RUBBoS, our experimental results show that the proposed approach can not only reduce the usage of CPU and memory by as much as 14% and 24% when compared with HPA, but also relieve the load imbalance to reduce the average response time of requests by as much as 80%. Our approach also demonstrates that it is better to scale pods by multiple metrics rather than a single one.
Logic flaws within web applications allow malicious operations to be triggered towards the back-end database. Existing approaches to identifying logic flaws in database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB-based web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a Mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.
Fileless webshell attacks against Java web applications have become more frequent in recent years as Java has gained market share. A webshell is a malicious script that can remotely execute commands and invade servers. It is widely used in attacks against web applications. In contrast to traditional file-based webshells, fileless webshells leave no traces on the hard drive, which means they are invisible to most antivirus software. To make matters worse, although there are some studies on fileless webshells, almost all of them are aimed at web applications developed in the PHP language. The complex mechanism of Java makes researchers face more challenges. To mitigate this attack, this paper proposes JShellDetector, a fileless webshell detector for Java web applications based on program analysis. JShellDetector uses method probes to capture dynamic characteristics of web applications in the Java Virtual Machine (JVM). When a suspicious class tries to call a specific sensitive method, JShellDetector catches it and converts it from the JVM to a bytecode file. Then, JShellDetector builds a Jimple-based control flow graph and processes it using taint analysis techniques. A suspicious class is considered malicious if there is a valid path from sources to sinks. To demonstrate the effectiveness of the proposed approach, we manually collect 35 test cases (all open source on GitHub) and test JShellDetector and the only two other Java fileless webshell detection tools. The experimental results show that the detection rate of JShellDetector reaches 77.1%, which is about 11% higher than the other two tools.
With the rapid development of quantum computers capable of realizing Shor's algorithm, existing public key-based algorithms face a significant security risk. Crystals-Kyber has been selected as the only key encapsulation mechanism (KEM) algorithm in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) competition. In this study, we present a portable and efficient implementation of the Crystals-Kyber post-quantum KEM based on WebAssembly (Wasm), a recently released portable execution framework for high-performance web applications. Until now, most Kyber implementations have been developed in native programming languages such as C and Assembly. Although there are a few previous Kyber implementations based on JavaScript for portability, their performance is significantly lower than that of implementations based on native programming languages. Therefore, it is necessary to develop a portable and efficient Kyber implementation to secure web applications in the quantum computing era. Our Kyber software is based on JavaScript and Wasm to provide portability and efficiency while ensuring quantum security. Namely, the overall software is written in JavaScript, and the performance-critical parts (secure hash algorithm-3-based operations and polynomial multiplication) are written in Wasm. Furthermore, we parallelize the number theoretic transform (NTT)-based polynomial multiplication using the single instruction multiple data (SIMD) functionality available in Wasm. The three steps of the NTT-based polynomial multiplication have been parallelized with Wasm SIMD intrinsic functions. Our software outperforms the latest reference implementation of Kyber developed in JavaScript by 4.02× (resp. 4.32× and 4.1×), 3.42× (resp. 3.52× and 3.44×), and 3.41× (resp. 3.44× and 3.38×) in terms of key generation, encapsulation, and decapsulation on Google Chrome (resp. Firefox and Microsoft Edge). As far as we know, this is the first software implementation of Kyber with Wasm technology in the web environment.
Funding: Supported by the National Natural Science Foundation of China (60425206, 90412003, 60503033), the National Basic Research Program of China (973 Program 2002CB312000), the Opening Foundation of the State Key Laboratory of Software Engineering in Wuhan University, and the High Technology Research Project of Jiangsu Province (BG2005032)
Abstract: Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity, so it is especially important to test forms completely and thoroughly. This paper therefore discusses how to carry out form testing by different methods in the related testing phases: first, automatically extracting the forms in the Web pages by parsing the HTML documents; then obtaining the testing data with certain strategies, such as from requirement specifications, by mining users' previous input information, or by a recording mechanism; next, executing the testing actions automatically from the well-formed test cases; finally, a case study is given to illustrate the convenience and effectiveness of these methods.
Funding: Supported by the National Natural Science Foundation of China (60673115), the National Basic Research Program of China (973 Program) (2002CB312001), and the Open Foundation of the State Key Laboratory of Software Engineering (SKLSE05-13)
Abstract: A formal model representing the navigation behavior of a Web application as a Kripke structure is proposed, and an approach that applies model checking to test case generation is presented. The Object Relation Diagram, as the object model, is employed to describe the object structure of a Web application design and can be translated into the behavior model. A key problem of model checking-based test generation for a Web application is how to construct a set of trap properties that are intended to be violated when the behavior model is model-checked, so that the counterexamples output by the model checker can be used to construct the test sequences. We give an algorithm that derives trap properties from the object model with respect to node and edge coverage criteria.
Abstract: To detect security vulnerabilities in a web application, the security analyst must choose the best-performing Static Application Security Testing (SAST) tool, that is, the one that discovers the greatest number of security vulnerabilities. To compare static analysis tools for web applications, a benchmark adapted to the vulnerability categories included in the well-known Open Web Application Security Project (OWASP) Top Ten project is required. Information on the security effectiveness of commercial static analysis tools is not usually publicly accessible, and the state of the art on static security analyzers shows that the different designs and implementations of those tools lead to different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for the vulnerability categories included in the OWASP Top Ten project. Practitioners will thus have more precise information to select the best tool, using a benchmark adapted to the latest versions of the OWASP Top Ten project. The results of this work have been obtained using widely accepted metrics to classify the tools according to three different degrees of web application criticality.
Abstract: Security weaknesses in web applications deployed in cloud architectures can seriously affect the confidentiality and integrity of their data. The procedures used by static source-code security analysis tools differ in construction, and therefore each tool finds a different number of each weakness type for which it is designed. To exploit the synergies that different static analysis tools may offer, this work uses a new method to combine several source-code static analysis tools, aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives. Specifically, five static analysis tools are combined with the designed method to study their behavior using an updated benchmark for the OWASP Top Ten Security Weaknesses (OWASP TTSW). The method selects specific metrics to rank the tools for different criticality levels of web applications, considering different weights in the ratios. The findings show that simply including more tools in a combination is not synonymous with better results; it depends on the specific tools included in the combination, due to their different designs and techniques.
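The two abstracts above rank SAST tools and tool combinations against a benchmark with metrics weighted by application criticality. The following is an added example of that idea (it is not the authors' method or data): the benchmark, the three tool reports and the use of an F-beta weight as the criticality knob are constructed assumptions, with beta greater than 1 favouring recall for critical applications and beta below 1 favouring precision where triage cost dominates.

```python
"""Scoring SAST tools and tool combinations against a labelled benchmark.
Added illustration; benchmark, reports and the F-beta weighting are constructed."""

from itertools import combinations

# Constructed benchmark: test case id -> True when the case really contains the weakness.
BENCHMARK = {**{f"t{i}": True for i in range(1, 9)}, **{f"f{i}": False for i in range(1, 5)}}

# Constructed tool reports: the benchmark cases each tool flags.
REPORTS = {
    "toolA": {"t1", "t2", "t3", "t4", "t5", "f1"},
    "toolB": {"t4", "t5", "t6", "t7", "f2", "f3"},
    "toolC": {"t1", "t8", "f1", "f4"},
}


def score(flagged, benchmark, beta=1.0):
    """True/false positives, false negatives, precision, recall and F-beta of one report."""
    tp = sum(1 for c in flagged if benchmark.get(c) is True)
    fp = sum(1 for c in flagged if benchmark.get(c) is False)
    fn = sum(1 for c, real in benchmark.items() if real and c not in flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    b2 = beta * beta
    fbeta = (1 + b2) * precision * recall / (b2 * precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall, "fbeta": fbeta}


def combine(reports, names, rule="union", votes=2):
    """Merge several reports: 'union' keeps anything flagged by one tool, 'vote' keeps
    cases flagged by at least `votes` tools (fewer false positives, at the price of recall)."""
    sets = [reports[n] for n in names]
    merged = set().union(*sets)
    if rule == "union":
        return merged
    if rule == "vote":
        return {c for c in merged if sum(c in s for s in sets) >= votes}
    raise ValueError(f"unknown rule {rule!r}")


def rank_combinations(reports, benchmark, size, beta=1.0, rule="union"):
    """Every combination of `size` tools with its score, best F-beta first."""
    rows = [(names, score(combine(reports, names, rule), benchmark, beta))
            for names in combinations(sorted(reports), size)]
    rows.sort(key=lambda row: row[1]["fbeta"], reverse=True)
    return rows


if __name__ == "__main__":
    for name, report in REPORTS.items():
        print(name, score(report, BENCHMARK))
    for beta in (0.5, 2.0):
        best_names, best = rank_combinations(REPORTS, BENCHMARK, size=2, beta=beta)[0]
        print(f"beta={beta}: best pair {best_names} F-beta={best['fbeta']:.3f}")
```

With this data the union of all three tools has the highest recall but the lowest precision of any union, and the best pair changes with the weight: the precision-weighted ranking prefers toolA with toolC, the recall-weighted one prefers toolA with toolB, which is the "more tools is not automatically better" effect the abstract reports.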
Funding: Grant number 12-INF2970-10 from the National Science, Technology and Innovation Plan (MAARIFAH), the King Abdul-Aziz City for Science and Technology (KACST), Kingdom of Saudi Arabia. We thank the Science and Technology Unit at Umm Al-Qura University for their continued logistics support.
Abstract: Usability and security are often considered contradictory in nature: one has a negative impact on the other. In order to satisfy the needs of users from a security perspective, the relationship and trade-offs between security and usability must be distinguished. Security practitioners are working on developing new approaches that would help to secure healthcare web applications as well as increase their usability. In the same league, the present research endeavour is premised on the usable-security of healthcare web applications. For a compatible blend of usability and security that would fulfil users' requirements, this research proposes an integration of the Fuzzy AHP-TOPSIS method for assessing the usable-security of healthcare web applications. Since accurately estimating security-usability is also a decision-making problem, the study employs Multiple Criteria Decision Analysis (MCDA) for selecting the most decisive attributes of usability as well as security. Furthermore, this study also pinpoints the highest-priority attributes that can strengthen the usable-security of healthcare web applications. The effectiveness of the suggested method has been tested on the healthcare web applications of local hospitals in Mecca, Saudi Arabia. The results corroborate that Fuzzy AHP-TOPSIS is indeed a reliable technique that will help developers design healthcare web applications that deliver optimum usable-security.
Funding: Supported in part by the National Science Foundation of China under Grants U22B2027, 62172297, 62102262, 61902276 and 62272311; the Tianjin Intelligent Manufacturing Special Fund Project under Grant 20211097; the China Guangxi Science and Technology Plan Project (Guangxi Science and Technology Base and Talent Special Project) under Grant AD23026096 (Application Number 2022AC20001); the Hainan Provincial Natural Science Foundation of China under Grant 622RC616; and the CCF-NSFOCUS Kunpeng Fund Project under Grant CCF-NSFOCUS202207.
Abstract: Web application fingerprint recognition is an effective security technique designed to identify and classify web applications, thereby enhancing the detection of potential threats and attacks. Traditional fingerprint recognition methods, which rely on pre-annotated feature matching, face inherent limitations due to the ever-evolving nature and diverse landscape of web applications. In response to these challenges, this work proposes a web application fingerprint recognition method founded on clustering techniques. The method involves extensive data collection from the Tranco List, employing adjusted feature selection built upon Wappalyzer and noise reduction through truncated SVD dimensionality reduction. The core of the methodology lies in the application of the unsupervised OPTICS clustering algorithm, eliminating the need for pre-annotated labels. By transforming web applications into feature vectors and leveraging clustering, the approach categorizes diverse web applications and provides comprehensive fingerprint recognition. The experimental results, obtained on a dataset featuring various web application types, affirm the efficacy of the method: it distinguishes between different web application types effectively and outperforms the compared methods in classification accuracy and coverage, offering a robust solution to the challenges of web application fingerprint recognition.
Abstract: This work leveraged predictive modeling techniques in machine learning (ML) to predict heart disease using a dataset sourced from the Centers for Disease Control and Prevention in the US. The dataset was preprocessed and used to train five machine learning models: random forest, support vector machine, logistic regression, extreme gradient boosting and light gradient boosting. The goal was to use the best-performing model to develop a web application capable of reliably predicting heart disease from user-provided data. The extreme gradient boosting classifier provided the most reliable results, with precision, recall and F1-score of 97%, 72% and 83% respectively for Class 0 (no heart disease) and 21%, 81% and 34% respectively for Class 1 (heart disease). The model was then deployed as a web application.
Funding: Supported by the National Natural Science Foundation of China (Nos. 61672085, 61702029, and 61872026).
Abstract: Most behavior models of Web applications focus on the sequencing of events, without regard for changes of parameters or elements and for the relationship between the trigger conditions of events and Web pages. As a result, these models are not sufficient to effectively represent the dynamic behavior of Web 2.0 applications. Therefore, in this paper, to appropriately describe the dynamic behavior of the client side of Web applications, we define a novel Client-side Behavior Model (CBM) for Web applications and present a user behavior trace-based modeling method to automatically generate and optimize CBMs. To verify the effectiveness of our method, we conduct a series of experiments on six Web applications using three types of user behavior traces. The experimental results show that our modeling method constructs CBMs automatically and effectively, and that the CBMs built represent the dynamic behavior of Web applications more precisely.
Funding: The Deanship of Scientific Research (DSR), King Abdulaziz University, Jeddah, under grant No. G-323-611-1441.
Abstract: Advancing technological demands, exacerbated by flexible time constraints, lead to many more unexplored design-level vulnerabilities. Security is an extremely vital component of software development; we must take charge of security, and therefore the analysis of software security risk assumes utmost significance. In order to handle the cyber-security risk of a web application and protect individuals, information and property effectively, one must consider what needs to be secured, what the perceived threats are, and how assets are protected. Security preparation plans, implements, tracks, updates and consistently develops safety risk management activities. Risk management must be interpreted as the major component for tackling security efficiently. In particular, during application development, security is treated as an add-on rather than the main issue. It is important for researchers to stress consideration of protection from the earliest developmental stages of the software. This approach will help in designing software which can itself combat threats and does not depend on external security programs. Therefore, it is essential to evaluate the impact of security risks during software design. In this paper the researchers have used the hybrid Fuzzy AHP-TOPSIS method to evaluate the risks for improving the security durability of different institutional web applications. In addition, the effect of security risk on software durability, and vice versa, is measured. The paper's findings will prove valuable for enhancing the security durability of different web applications.
Funding: P. Gao, Y. Xu and F. Song were partially supported by the National Natural Science Foundation of China (NSFC) (Grant Nos. 62072309, 61532019, 61761136011). T. Chen is partially supported by the National Natural Science Foundation of China (Grant No. 61872340), the Guangdong Science and Technology Department (2018B010107004) and the Natural Science Foundation of Guangdong Province (2019A1515011689).
Abstract: JavaScript has become one of the most widely used languages for Web development. Its dynamic and event-driven features make it challenging to ensure the correctness of Web applications written in JavaScript. A variety of dynamic analysis techniques have been proposed, which are, however, limited in either coverage or scalability. In this paper, we propose a simple yet effective model-based automated testing approach that achieves high code coverage within the time budget by testing with longer event sequences. We implement our approach as an open-source tool, LJS, and perform extensive experiments on 21 publicly available benchmarks. On average, LJS achieves 86.5% line coverage in 10 minutes. Compared with JSDEP, a state-of-the-art breadth-first-search-based automated testing tool enriched with partial order reduction, the coverage of LJS is 11%-19% higher on real-world large Web applications. Our empirical findings support that properly chosen longer test sequences can achieve higher code coverage in JavaScript Web application testing.
Abstract: This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems. The security headers examined are X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool: the web-based applications (websites) were analyzed to determine whether the security headers had been correctly implemented. The experiment was iterated over the 100 highest-ranked universities in Africa, selected by purposive sampling to understand the status quo of security header implementation. The results revealed that 70% of the web-based applications examined have not enforced security headers. The study proposes a secure system architecture design for addressing misconfiguration and insecure design in web-based applications. It presents security techniques for securing web-based applications by hardening security headers using automated threat modelling techniques, and recommends adopting the security headers in web-based applications using the proposed secure system architecture design.
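The six headers named above can be audited offline from a captured response, and presence alone is not enough: a one-year HSTS age, a non-wildcard script policy and a non-leaking referrer policy are what the header buys. The following is an added example, not the analysis tool used in the study; the thresholds, the weak-value rules and the two sample responses are constructed assumptions a practitioner would tune to their own policy.

```python
"""Offline audit of one HTTP response's headers for the six security headers
examined above. Added illustration; thresholds and sample responses are constructed."""

REQUIRED = (
    "x-content-type-options",
    "x-frame-options",
    "strict-transport-security",
    "referrer-policy",
    "content-security-policy",
    "permissions-policy",
)
HSTS_MIN_AGE = 31536000                      # one year; assumed policy threshold
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def parse_csp(value):
    """Split a CSP value into {directive-name: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a sorted list of findings ('missing: ...' or 'weak: ...') for a header
    mapping; header names are matched case-insensitively, as HTTP requires."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]

    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("weak: x-content-type-options is not 'nosniff'")

    if "x-frame-options" in h and h["x-frame-options"].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: x-frame-options must be DENY or SAMEORIGIN")

    if "strict-transport-security" in h:
        max_age, include_sub = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append(f"weak: strict-transport-security max-age below {HSTS_MIN_AGE}")
        if not include_sub:
            findings.append("weak: strict-transport-security lacks includeSubDomains")

    if "referrer-policy" in h and h["referrer-policy"].strip().lower() in LEAKY_REFERRER:
        findings.append("weak: referrer-policy leaks full URLs to other origins")

    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        script_sources = csp.get("script-src", csp.get("default-src", []))
        if not script_sources:
            findings.append("weak: content-security-policy sets no script-src or default-src")
        elif "'unsafe-inline'" in script_sources or "*" in script_sources:
            findings.append("weak: content-security-policy allows inline or wildcard scripts")

    return sorted(findings)


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
MISCONFIGURED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED), ("misconfigured", MISCONFIGURED)):
        print(label, audit_headers(response) or "no findings")
```

Feeding the function a real response's headers (for example `dict(requests.head(url).headers)`) turns it into a small version of the analysis tool the study used; the rules above are deliberately simple and would be extended with a full CSP source-expression check in practice.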
Funding: This work is supported by the National Natural Science Foundation of China under Grant Nos. 61472076, 61472077, and 61300054.
Abstract: Recently, testing techniques based on dynamic exploration, which try to automatically exercise every possible user interface element, have been extensively used to test web applications thoroughly. Most such testing tools are, however, not effective in reaching dynamic pages induced by form interactions, because of their emphasis on handling client-side scripting. In this paper, we present a combinatorial strategy to achieve a full form test and build an automated test model. We propose an algorithm called pairwise testing with constraints (PTC) to implement the strategy. Our PTC algorithm uses pairwise coverage and handles the issues of semantic constraints and illegal values. We have implemented a prototype tool, ComjaxTest, and conducted an empirical study on five web applications. Experimental results indicate that our PTC algorithm generates fewer form test cases while achieving higher coverage of dynamic pages than the general pairwise testing algorithm. Additionally, ComjaxTest generates a relatively complete test model and then detects more faults in a reasonable amount of time, compared with other existing tools based on dynamic exploration.
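Pairwise (2-way) coverage under semantic constraints, the core of the form-testing strategy described above, is shown below as an added example. It is illustration code, not the authors' PTC algorithm or ComjaxTest: it enumerates every constraint-respecting full assignment (fine for form-sized inputs) and greedily picks the one covering the most still-uncovered pairs, so pairs that no valid test can contain are never demanded. The form fields, candidate values and constraints are constructed.

```python
"""Greedy pairwise test generation with semantic constraints for a Web form.
Added illustration; form, values and constraints are constructed."""

from itertools import combinations, product

# Constructed registration form: each field and the candidate inputs a tester wants exercised.
SIGNUP_FORM = {
    "username": ["valid", "empty", "too_long"],
    "password": ["strong", "weak", "empty"],
    "role": ["user", "admin"],
    "newsletter": ["on", "off"],
}

# Constructed semantic constraints: partial assignments that may not appear together,
# e.g. an admin account cannot be requested with an empty or over-long username.
SIGNUP_CONSTRAINTS = [
    {"role": "admin", "username": "empty"},
    {"role": "admin", "username": "too_long"},
]


def is_allowed(assignment, constraints):
    """True unless the assignment contains every value of some forbidden combination."""
    return not any(all(assignment.get(k) == v for k, v in c.items()) for c in constraints)


def pairs_of(test, names):
    """The set of (field, value) pairs one test case covers, keyed in field order."""
    return {((a, test[a]), (b, test[b])) for a, b in combinations(names, 2)}


def valid_tests(params, constraints):
    """Every complete assignment that respects the constraints (filtered Cartesian product)."""
    names = list(params)
    candidates = (dict(zip(names, vals)) for vals in product(*(params[n] for n in names)))
    return [t for t in candidates if is_allowed(t, constraints)]


def pairwise_with_constraints(params, constraints):
    """Greedy set cover: a small list of valid tests covering every coverable pair."""
    names = list(params)
    candidates = valid_tests(params, constraints)
    uncovered = set().union(*(pairs_of(t, names) for t in candidates))
    tests = []
    while uncovered:
        best = max(candidates, key=lambda t: len(pairs_of(t, names) & uncovered))
        tests.append(best)
        uncovered -= pairs_of(best, names)
    return tests


if __name__ == "__main__":
    suite = pairwise_with_constraints(SIGNUP_FORM, SIGNUP_CONSTRAINTS)
    total = len(valid_tests(SIGNUP_FORM, SIGNUP_CONSTRAINTS))
    print(f"{len(suite)} tests cover all allowed pairs (full product has {total} valid cases)")
    for t in suite:
        print(t)
```

For forms with many fields the full product becomes too large to enumerate, and an in-parameter-order style extension (build each test field by field, checking constraints as you go) replaces the candidate list; the coverage bookkeeping stays the same.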
Funding: Supported by the National Natural Science Foundation of China (No. 61232008), the National High-Tech Research and Development (863) Program of China (Nos. 2013AA01A213 and 2013AA01A208), the Chinese Universities Scientific Fund (No. 2013TS094) and the Guangzhou Science and Technology Program (No. 2012Y2-00040)
Abstract: To satisfy the rapid growth of cloud technologies, a large number of web applications have been developed, deployed and run in clouds. Due to the scalability provided by clouds, a single web application may be concurrently visited by millions or even billions of users, so the testing and performance evaluation of these applications are increasingly important. User-model-based evaluation can significantly reduce the manual work required and lets us determine the performance of applications under real runtime environments; hence it has become one of the most popular evaluation methods in both industry and academia. Significant efforts have focused on building different kinds of models by mining web access logs, such as Markov models and the Customer Behavior Model Graph (CBMG). This paper proposes a new kind of model, named the User Representation Model Graph (URMG), which is built on CBMG. It uses an algorithm to refine CBMG and optimizes the evaluation execution process. Based on this model, an automatic testing and evaluation system for web applications is designed, implemented and deployed in our test cloud; it executes all analysis and testing operations using only web access logs. In our system, the error rate caused by random access to applications in the execution phase is also reduced: the results show that the error rate of an evaluation that depends on URMG is 50% less than that of one which depends on CBMG.
Funding: The research has been supported by a grant from NSFC (Grant No. 61702063), a grant from the Fundamental Science and Frontier Technology Research Projects of Chongqing (cstc2017jcyjAX0089), and the China Scholarship Council (201708505099).
Abstract: Container-based virtualization techniques are becoming an alternative to traditional virtual machines due to lower overhead and better scaling. As one of the most widely used open-source container orchestration systems, Kubernetes provides a built-in mechanism for dynamic resource provisioning, the horizontal pod autoscaler (HPA). By default, HPA scales pods based only on CPU utilization, a single performance metric, and may therefore create more pods than actually needed. Through extensive measurements of a containerized n-tier application benchmark, RUBBoS, we find that excessive pods consume more CPU and memory and even worsen application response times, due to interference. Furthermore, a Kubernetes service does not balance incoming requests between old pods and the new pods created by HPA, because of stateful HTTP connections. In this paper, we propose a bi-metric approach to scaling pods that takes into account both CPU utilization and the utilization of a thread pool, an important soft resource in Httpd and Tomcat. Our approach collects the CPU and memory utilization of pods. Meanwhile, it uses ELBA, a milli-bottleneck detector, to calculate the queue lengths of Httpd and Tomcat pods and then evaluate the utilization of their thread pools. Based on the utilization of both CPU and thread pools, our approach scales up fewer replicas of Httpd and Tomcat pods, reducing hardware resource utilization. At the same time, it leverages a preStop hook along with liveness and readiness probes to relieve the load imbalance between old and new Tomcat pods. On the containerized RUBBoS, our experimental results show that the proposed approach not only reduces CPU and memory usage by as much as 14% and 24% respectively compared with HPA, but also relieves the load imbalance, reducing the average response time of requests by as much as 80%. Our approach also demonstrates that it is better to scale pods by multiple metrics than by a single one.
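The stock Kubernetes pieces the abstract builds on, as an added configuration example (not the authors' controller): an autoscaling/v2 HPA fed by a second, per-pod metric alongside CPU, and a Deployment whose readiness probe keeps a new pod out of the Service until it can answer and whose preStop hook gives an old pod time to drain keep-alive connections. The metric name, target values, image and probe path are assumptions; the pod metric only resolves if a custom-metrics adapter (for example the Prometheus adapter) exposes it.

```yaml
# Added example: two-signal HPA for the Tomcat tier. Kubernetes computes a desired
# replica count per metric and applies the largest, so the thread-pool rule can
# only add pods on top of what CPU demands; scaling *fewer* pods than CPU-only HPA,
# as the approach above does, needs a controller outside the built-in HPA.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: tomcat-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: tomcat
  minReplicas: 2
  maxReplicas: 8
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
    - type: Pods
      pods:
        metric:
          name: tomcat_threadpool_utilization   # assumed name: busy threads / max threads, in percent
        target:
          type: AverageValue
          averageValue: "70"
---
# Deployment fragment: readiness gates Service membership, liveness restarts a hung
# JVM, and preStop delays SIGTERM so in-flight keep-alive requests finish on the
# old pod instead of failing while the Service still routes to it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      terminationGracePeriodSeconds: 30   # must exceed the preStop sleep
      containers:
        - name: tomcat
          image: tomcat:9          # assumed image
          ports:
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /healthz       # assumed endpoint served by the application
              port: 8080
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          lifecycle:
            preStop:
              exec:
                command: ["sh", "-c", "sleep 10"]
```

`kubectl describe hpa tomcat-hpa` shows both metric readings and which one produced the current recommendation; if the pod metric reads `<unknown>`, the adapter is not exposing it and the HPA silently falls back to CPU alone.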
Funding: Supported by the China Scholarship Council, the Tianjin Science and Technology Committee (No. 12JCZDJC20800), the Science and Technology Planning Project of Tianjin (No. 13ZCZDGX01098), the NSF TRUST (Team for Research in Ubiquitous Secure Technology) Science and Technology Center (No. CCF-0424422), the National High Technology Research and Development Program of China (863 Program) (No. 2013BAH01B05) and the National Natural Science Foundation of China (No. 61402264)
Abstract: Logic flaws within web applications allow malicious operations to be triggered against the back-end database. Existing approaches to identifying logic flaws in database accesses are strongly tied to the construction of structured query language (SQL) statements and cannot be applied to the new generation of web applications that use NoSQL (not only SQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB-based web applications. Our approach introduces a MongoDB operation model to support the new features of MongoDB and models the application logic as a Mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed to identify logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.
Funding: Supported by the National Natural Science Foundation of China under Grant Number 62001055.
Abstract: Fileless webshell attacks against Java web applications have become more frequent in recent years as Java has gained market share. A webshell is a malicious script that can remotely execute commands and invade servers; it is widely used in attacks against web applications. In contrast to traditional file-based webshells, fileless webshells leave no traces on the hard drive, which means they are invisible to most antivirus software. To make matters worse, although there are some studies on fileless webshells, almost all of them are aimed at web applications developed in the PHP language; the complex mechanisms of Java present researchers with more challenges. To mitigate this attack, this paper proposes JShellDetector, a fileless webshell detector for Java web applications based on program analysis. JShellDetector uses method probes to capture the dynamic characteristics of web applications in the Java Virtual Machine (JVM). When a suspicious class tries to call a specific sensitive method, JShellDetector catches it and converts it from the JVM to a bytecode file. Then, JShellDetector builds a Jimple-based control flow graph and processes it using taint analysis techniques. A suspicious class is considered malicious if there is a valid path from sources to sinks. To demonstrate the effectiveness of the proposed approach, we manually collect 35 test cases (all open source on GitHub) and test JShellDetector against the only two other Java fileless webshell detection tools. The experimental results show that the detection rate of JShellDetector reaches 77.1%, which is about 11% higher than the other two tools.
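The "valid path from sources to sinks" decision above is a forward taint analysis over the control-flow graph. The following is an added illustration, not JShellDetector's code: the tiny statement language is a constructed stand-in for the Jimple IR the detector builds, and the two graphs are hand-written to resemble a command-execution handler with and without a sanitizer on every path. A worklist fixpoint is used so that joins and loops are handled without special cases.

```python
"""Forward taint analysis over a control-flow graph. Added illustration; the toy IR
below is a constructed stand-in for Jimple and the graphs are hand-written."""

from collections import deque

# Statement forms of the toy IR:
#   ("source", dst)         dst receives attacker-controlled data (a request parameter)
#   ("assign", dst, src)    dst = src; taint flows from src to dst
#   ("sanitize", dst, src)  dst = sanitize(src); taint does not flow
#   ("sink", var)           var is passed to a sensitive method (Runtime.exec, ...)
#   ("nop",)                anything else


def transfer(stmt, taint):
    """Apply one statement to the set of tainted variables; returns the new set."""
    out = set(taint)
    kind = stmt[0]
    if kind == "source":
        out.add(stmt[1])
    elif kind == "assign":
        _, dst, src = stmt
        if src in out:
            out.add(dst)
        else:
            out.discard(dst)        # strong update: dst now holds clean data
    elif kind == "sanitize":
        out.discard(stmt[1])
    return out


def taint_analysis(cfg, entry="entry"):
    """Worklist fixpoint over cfg = {node: (statement, [successor nodes])}.
    Returns the set of (node, variable) pairs at which tainted data reaches a sink,
    i.e. the sinks for which a valid source-to-sink path exists."""
    taint_in = {node: set() for node in cfg}
    worklist = deque([entry])
    hits = set()
    while worklist:
        node = worklist.popleft()
        stmt, succs = cfg[node]
        if stmt[0] == "sink" and stmt[1] in taint_in[node]:
            hits.add((node, stmt[1]))
        out = transfer(stmt, taint_in[node])
        for succ in succs:
            if not out <= taint_in[succ]:    # new facts reached succ: merge and revisit
                taint_in[succ] |= out
                worklist.append(succ)
    return hits


# Constructed: a handler where one branch skips the allow-list check.
WEBSHELL_CFG = {
    "entry":  (("source", "cmd"), ["branch"]),          # cmd = request.getParameter("cmd")
    "branch": (("nop",), ["clean", "run"]),             # if (...) { clean } else { run }
    "clean":  (("sanitize", "cmd", "cmd"), ["run"]),    # cmd = allowList(cmd)
    "run":    (("sink", "cmd"), ["exit"]),              # Runtime.getRuntime().exec(cmd)
    "exit":   (("nop",), []),
}

# Constructed: the same handler with the sanitizer on every path to the sink.
BENIGN_CFG = {
    "entry": (("source", "cmd"), ["clean"]),
    "clean": (("sanitize", "cmd", "cmd"), ["copy"]),
    "copy":  (("assign", "arg", "cmd"), ["run"]),
    "run":   (("sink", "arg"), ["exit"]),
    "exit":  (("nop",), []),
}

if __name__ == "__main__":
    print("webshell:", taint_analysis(WEBSHELL_CFG))   # {('run', 'cmd')}
    print("benign:  ", taint_analysis(BENIGN_CFG))     # set()
```

The analysis is deliberately flow-sensitive but path-insensitive: it reports the branch-skipping handler even though the sanitized path exists, which is the behaviour wanted for a detector, and a real implementation would also model fields, collections and reflection-based calls, which is where the Java-specific difficulty the abstract mentions lives.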
Funding: This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2022-0-01019, Development of eSIM security platform technology for edge devices to expand the eSIM ecosystem). This was partly supported by the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2022-RS-2022-00164800) supervised by the IITP (Institute for Information & Communications Technology Planning & Evaluation).
Abstract: With the rapid development of quantum computers capable of running Shor's algorithm, existing public-key algorithms face a significant security risk. CRYSTALS-Kyber has been selected as the only key encapsulation mechanism (KEM) algorithm in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) competition. In this study, we present a portable and efficient implementation of the CRYSTALS-Kyber post-quantum KEM based on WebAssembly (Wasm), a recently released portable execution framework for high-performance web applications. Until now, most Kyber implementations have been developed in native programming languages such as C and assembly. Although there are a few previous Kyber implementations based on JavaScript for portability, their performance is significantly lower than that of implementations in native languages. Therefore, a portable and efficient Kyber implementation is needed to secure web applications in the quantum computing era. Our Kyber software is based on JavaScript and Wasm to provide portability and efficiency while ensuring quantum security: the overall software is written in JavaScript, and the performance-critical parts (the SHA-3-based operations and polynomial multiplication) are written in Wasm. Furthermore, we parallelize the number theoretic transform (NTT)-based polynomial multiplication using the single instruction multiple data (SIMD) functionality available in Wasm; the three steps of the NTT-based polynomial multiplication have been parallelized with Wasm SIMD intrinsic functions. Our software outperforms the latest reference implementation of Kyber developed in JavaScript by 4.02x (resp. 4.32x and 4.1x), 3.42x (resp. 3.52x and 3.44x), and 3.41x (resp. 3.44x and 3.38x) in terms of key generation, encapsulation, and decapsulation on Google Chrome (resp. Firefox and Microsoft Edge). As far as we know, this is the first software implementation of Kyber with Wasm technology in the web environment.
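The three steps the abstract parallelizes (forward NTT, pointwise product, inverse NTT) are shown below as an added worked example in Python, not the authors' Wasm code. It uses Kyber's modulus q = 3329 and its twiddle base 17, but a ring of degree N = 128 rather than Kyber's 256: since 17 is a primitive 256-th root of unity mod q, a complete negacyclic NTT exists for N = 128 and the pointwise step is a plain coefficient-wise product, whereas Kyber's N = 256 needs an incomplete NTT whose pointwise step multiplies degree-1 polynomials. The schoolbook product is included only to check the NTT path, and the sample polynomials are seeded random data.

```python
"""NTT-based multiplication modulo X^N + 1 over Z_q with Kyber's q = 3329.
Added illustration with N = 128 (complete NTT); not the paper's Wasm implementation."""

import random

Q = 3329          # Kyber modulus, prime
N = 128           # ring degree used here (Kyber: 256 with an incomplete NTT)
LOG_N = 7
PSI = 17          # primitive 256-th root of unity mod Q, so PSI**128 == -1 (mod Q)


def _brv(k):
    """Bit-reverse a LOG_N-bit index (the order Kyber stores its twiddles in)."""
    return int(f"{k:0{LOG_N}b}"[::-1], 2)


def _zeta(length, start):
    """Twiddle for the butterfly block starting at `start` in the stage with half-size
    `length`: PSI**brv(k), where k numbers the blocks exactly as the reference code does
    (k = 1 for the top stage, then 2..3, 4..7, ... down to 64..127)."""
    k = N // (2 * length) + start // (2 * length)
    return pow(PSI, _brv(k), Q)


def ntt(a):
    """Forward NTT with Cooley-Tukey butterflies; output is in bit-reversed order."""
    r = list(a)
    length = N // 2
    while length >= 1:
        for start in range(0, N, 2 * length):
            zeta = _zeta(length, start)
            for j in range(start, start + length):
                t = zeta * r[j + length] % Q
                r[j + length] = (r[j] - t) % Q
                r[j] = (r[j] + t) % Q
        length //= 2
    return r


def intt(ahat):
    """Inverse NTT with Gentleman-Sande butterflies, undoing ntt() stage by stage
    with the inverse of the same twiddle, then dividing by N."""
    r = list(ahat)
    length = 1
    while length < N:
        for start in range(0, N, 2 * length):
            zinv = pow(_zeta(length, start), Q - 2, Q)    # modular inverse (Q prime)
            for j in range(start, start + length):
                t = r[j]
                r[j] = (t + r[j + length]) % Q
                r[j + length] = (t - r[j + length]) * zinv % Q
        length *= 2
    ninv = pow(N, Q - 2, Q)
    return [x * ninv % Q for x in r]


def ntt_multiply(a, b):
    """a * b mod (X^N + 1, Q): forward transforms, pointwise product, inverse transform."""
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])


def schoolbook_multiply(a, b):
    """Reference O(N^2) negacyclic product, used only to check the NTT path."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                c[k] = (c[k] + ai * bj) % Q
            else:
                c[k - N] = (c[k - N] - ai * bj) % Q     # X^N = -1 in this ring
    return c


def sample_poly(seed):
    """Deterministic pseudo-random polynomial with coefficients in [0, Q)."""
    rng = random.Random(seed)
    return [rng.randrange(Q) for _ in range(N)]


if __name__ == "__main__":
    a, b = sample_poly(1), sample_poly(2)
    assert ntt_multiply(a, b) == schoolbook_multiply(a, b)
    print("NTT product matches the schoolbook product")
```

Every inner loop above does the same butterfly on independent coefficient pairs, which is exactly what the Wasm SIMD lanes are used for in the paper; in a constant-time implementation the `% Q` reductions are replaced by Montgomery or Barrett reduction on 16-bit lanes.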