CHIEv

2021 ◽  
Vol 21 (1) ◽  
pp. 5-23
Author(s):  
Manuel Leithner ◽  
Dimitris E. Simos

Researchers and practitioners in the fields of testing, security assessment and web development seeking to evaluate a given web application often have to rely on the existence of a model of the respective system, which is then used as input to task-specific tools. Such models may include information on HTTP endpoints and their parameters, available user actions/event listeners and required assets. Unfortunately, this data is often unavailable in practice, as only rigorous development practices or manual analysis guarantee their existence and correctness. Crawlers based on static analysis have traditionally been used to extract required information from existing sites. Regrettably, these tools cannot accurately account for the dynamic behavior introduced by technologies such as JavaScript that are prevalent on modern sites. While methods based on dynamic analysis exist, they are often not fully capable of identifying event listeners and their effects. In an earlier work, we presented XIEv, an approach for dynamic analysis of web applications that produces an execution trace usable for the extraction of navigation graphs, identification of bugs at runtime and enumeration of resources. It offers improved recognition and selection of event listeners as well as a greater range of observed effects compared to existing approaches. While the evaluation of our research prototype implementation confirmed the capabilities of XIEv, it was generally outperformed by static crawlers in terms of speed. This work introduces CHIEv, an approach that augments XIEv by enabling concurrent processing as well as incorporating the results of a static crawler in real time. Our results indicate a significant increase in performance, particularly when applied to larger sites.

2018 ◽  
Vol 48 (3) ◽  
pp. 84-90 ◽  
Author(s):  
E. A. Lapchenko ◽  
S. P. Isakova ◽  
T. N. Bobrova ◽  
L. A. Kolpakova

It is shown that the application of Internet technologies is relevant in the selection of crop production technologies and the formation of a rational composition of the machine-and-tractor fleet, taking into account the conditions and production resources of a particular agricultural enterprise. The work gives a short description of the web applications “ExactFarming”, “Agrivi” and “AgCommand”, which provide a possibility to select technologies and technical means of soil treatment, and of their functions. “ExactFarming” allows users to collect and store information about temperature, precipitation and weather forecasts in certain areas, keep records of information about crops and make technological maps using expert templates. “Agrivi” allows users to store and provide access to weather information in the fields with certain crops. It has algorithms to detect and warn about risks related to diseases and pests, and also provides economic calculations of crop profitability and crop planning. “AgCommand” allows users to track the position of machinery and equipment in the fields and provides data on the weather situation in order to plan the use of agricultural machinery in the fields. The web applications presented above do not show the relation between the technologies applied and the agro-climatic features of the farm location zone. They do not take into account the phytosanitary conditions in the previous years, or the relief and contour of the fields, while drawing up technological maps or selecting the machine-and-tractor fleet.
The Siberian Physical-Technical Institute of Agrarian Problems of the Siberian Federal Scientific Center of AgroBioTechnologies of the Russian Academy of Sciences developed a software complex, PIKAT, for supporting machine agrotechnologies for the production of spring wheat grain at an agricultural enterprise, on the basis of which there is a plan to develop a web application that will consider all the main factors limiting the yield of cultivated crops.


2019 ◽  
Vol 17 (3) ◽  
pp. 93-110
Author(s):  
A. V. Tkachev ◽  
D. V. Irtegov

The article is devoted to the technique of automated testing of NSUts – automatic assessment system for programming tasks developed at NSU. The main priority for this technique is to test both the old and the new versions of the application, so that the same or minimally modified tests could be executed on two versions of the system with different architectures. This could be useful while organizing the development process for other applications with a long life cycle. To test not only the server but also the client side of the web application, we suggest using tools like Selenium WebDriver to simulate user actions by sending commands to real browsers. We use the well-known Page Object design pattern to handle differences in HTML layout and functionality, and describe a number of ways to make developed tests less fragile and easily adapt those to work with the new version of the system. The article also describes the use of this technique to organize automated testing of the NSUts system and analyzes its effectiveness. The analysis shows that the estimated code coverage by these tests is quite high, and therefore the technique can be considered effective and applied to other similar web applications.


Information ◽  
2019 ◽  
Vol 10 (10) ◽  
pp. 326 ◽  
Author(s):  
Amr Amin ◽  
Amgad Eldessouki ◽  
Menna Tullah Magdy ◽  
Nouran Abdeen ◽  
Hanan Hindy ◽  
...  

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by the Ponemon Institute. Security testing, which is considered one of the main phases of the development life cycle, is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smartphone and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is encapsulated in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that depend on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution.


Author(s):  
Pankaj Kamthan

In this chapter, the development and evolution of Web Applications is viewed from an engineering perspective that relies on and accommodates the knowledge inherent in patterns. It proposes an approach in the direction of building a foundation for pattern-oriented Web Engineering. For that, a methodology for pattern-oriented Web Engineering, namely POWEM, is described. The steps of POWEM include selection of a suitable development process model, construction of a semiotic quality model, namely PoQ, and selection and mapping of suitable patterns to quality attributes in PoQ. To support decision making and to place POWEM in context, the feasibility issues involved in each step are discussed. For the sake of illustration, the use of patterns during the design phase of a Web Application is highlighted. Finally, some directions for future research, including those for Web Engineering education and Social Web Applications, are given.


2021 ◽  
pp. 32-54
Author(s):  
D. A. Sigalov ◽  
A. A. Khashaev ◽  
D. Yu. Gamayunov ◽  
...  

The problem of server-side endpoint detection in the context of blackbox security analysis of dynamic web applications is considered. We propose a method to increase the coverage of server-side endpoint detection using static analysis of client-side JavaScript code to find functions which generate HTTP requests to the server side of the application and to reconstruct the parameters of those functions. In the context of application security testing, static analysis makes it possible to find such functions even in dead or unreachable JavaScript code, which cannot be achieved by dynamic crawling or dynamic code analysis. Evaluation of the proposed method and its implementation has been done using a synthetic web application with endpoints vulnerable to SQL injection, and the same application was used to compare the proposed method with existing solutions. Evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.


Author(s):  
Pietro Ferrara ◽  
Amit Kr Mandal ◽  
Agostino Cortesi ◽  
Fausto Spoto

The Open Web Application Security Project (OWASP) released the “OWASP Top 10 Internet of Things 2018” list of high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge to the development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by the OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of the OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some of Julia’s existing analyses and their extension to IoT systems, showing the effectiveness of the analysis on some representative case studies.


2015 ◽  
Vol 719-720 ◽  
pp. 935-940
Author(s):  
Min Wan ◽  
Kun Liu

The Semantic Gap problem is the essence of the SQL Injection Attack (SQLIA) vulnerability in Web applications: the Web application loses the semantic information while the SQL statement is constructed dynamically. This paper analyzes the cause of the SQLIA vulnerability. It then analyzes several suggested techniques, such as filtering techniques and static analysis, and points out their drawbacks in SQLIA prevention, which leads to the conclusion that the key problem for the eradication of SQLIA is to solve the semantic gap problem caused by the unstructured SQL statement in the process of constructing a Web system dynamically.


2020 ◽  
Vol 1 (191) ◽  
pp. 70-73
Author(s):  
Olha Dushchenko ◽  

Gadgets have become indispensable attributes of our lives, and so have applications. Using applications simplifies and speeds up users' work. It is future computer science teachers who must be able to create their own applications for professional duties, because the possession of tools for creating software products is one of the software learning outcomes of future computer science teachers. The concept of "application" is analyzed in the article. An "application" is defined as a software product that can run on a PC and/or mobile device after installation, or be opened by a browser without installation. Types of applications are presented: desktop applications, mobile applications and web applications. The existing classifications of applications are given, with their characteristics, namely: web application, rich Internet application, Internet application, mobile application, hybrid mobile application and composite web application (mashup). The article describes the classification of Internet applications and composite web applications. Examples of web applications are given. Statistics on the use of mobile applications of social networks and messengers are presented, according to which the most popular application is the YouTube application. The author's classification of applications is offered: desktop applications (applications that are installed on a PC), mobile applications (applications that are installed on mobile devices) and Internet applications (web applications, which do not require installation but are opened by a browser and mostly use the Internet). The platforms for creating applications are given. The stages of application creation are characterized: selection of the target audience, definition of purpose and functionality, type of application interface, selection of tools for application creation, application creation, application testing and improvement of the developed application.
Examples of applications that can be created by future computer science teachers for further use in professional activities are offered: an own website, a testing system, a reference book, an application with presentations of educational material and tasks, a guest book, a forum, etc. The creation and use of applications by future computer science teachers ensures the formation of pupils' interest in computer science lessons, because pupils often use applications for personal needs rather than educational ones.


10.29007/vs62 ◽  
2018 ◽  
Author(s):  
Priyank Bhojak ◽  
Vatsal Shah ◽  
Kanu Patel ◽  
Deven Gol

The rate of web application threats is growing more and more nowadays. Most software bugs result from inappropriate input validation, which can lead to attacks on confidential information and the breaking of knowledge integrity. We develop a scanner for detecting SQL injection and XSS type software bugs that is based on hidden web crawling, and we make it an open source scanner with the aim of crawling hidden web pages that may require authentication. In this research paper we present a new technique to find vulnerabilities which includes the advantages of black-box analysis of different web pages. At the end we show an evaluation table comparing our scanner with two other web scanner tools. Finally, this paper additionally shows how easy it is to scan for web application bugs with dynamic analysis and to retrieve hidden web pages from web applications.


2017 ◽  
Author(s):  
Andysah Putera Utama Siahaan

The strength of a site can be tested by attacking it. This test is penetration testing. Before a site is released, the security of the network and web application must be completely safe and tested. This study aims to find loopholes and flaws in web applications. The object of research is the Universitas Pembangunan Panca Budi site (www.pancabudi.ac.id). This experiment used a simulated attack to test whether the site has adequate security. This penetration test collects information about the strength of the networking, security holes, and access. The result is a recommendation for security improvement. Based on the results of the penetration test, the administrator can fix vulnerabilities that exist on the site.

