Security of Web Mashups: A Survey

Ryck, Philippe De; Decat, Maarten; Desmet, Lieven; Piessens, Frank; Joosen, Wouter

doi:10.1007/978-3-642-27937-9_16

Cited by 23 publications

(20 citation statements)

References 17 publications

(15 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unfortunately, this is usually the case: many mashup developers today [14] don't have enough knowledge to take security issues into account when they implement mashups [10,32]. Poorly implemented mashup applications provide a great opportunity for hackers.…”

Section: B Secure Enterprise Mashupsmentioning

confidence: 99%

See 1 more Smart Citation

Enhancing Secure Web Mashups Development in Enterprise Environments

2014

2014 Enterprise Systems Conference

View full text Add to dashboard Cite

Mashups are web applications that combine content from different sources in a new way, generating valuable information, useful new applications or services. As more and more enterprises are engaged in mashup initiatives, developing secure mashup applications becomes necessary to ensure that enterprises can receive the maximum benefits from their mashup applications and reduce potential security breaches or attacks. In this paper, we propose a framework that uses a case library and worked examples to develop training resources for secure web mashup development in the enterprise environment.

show abstract

Section: B Secure Enterprise Mashupsmentioning

confidence: 99%

“…Despite these benefits, there are many security and privacy concerns associated with Web mashups. In particular, security is a big concern for enterprise mashups [10,11,12,13]. Many mashup applications often include components from third parties.…”

Section: Introductionmentioning

confidence: 99%

Enhancing Secure Web Mashups Development in Enterprise Environments

2014

2014 Enterprise Systems Conference

View full text Add to dashboard Cite

show abstract

“…A recent survey of the area [38] identifies a number of approaches ranging from isolation of components to their full integration. The focus of this paper is tight yet secure integration for scenarios when isolation is too restrictive and full integration is insecure.…”

Section: Introductionmentioning

confidence: 99%

Information-Flow Security for a Core of JavaScript

Hedin

Sabelfeld

2012

2012 IEEE 25th Computer Security Foundations Symposium

133

155

View full text Add to dashboard Cite

Abstract-Tracking information flow in dynamic languages remains an important and intricate problem. This paper makes substantial headway toward understanding the main challenges and resolving them. We identify language constructs that constitute a core of JavaScript: objects, higher-order functions, exceptions, and dynamic code evaluation. The core is powerful enough to naturally encode native constructs as arrays, as well as functionalities of JavaScript's API from the document object model (DOM) related to document tree manipulation and event processing. As the main contribution, we develop a dynamic type system that guarantees information-flow security for this language.

show abstract

“…The state of the art in web mashup security [24] leaves the question open. A range of approaches from separation to full integration has been suggested, tailored to web mashup scenarios such as online ads, where access-control policies are sufficient.…”

Section: Introductionmentioning

confidence: 99%

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing

Birgisson

Hedin

Sabelfeld

2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

Abstract. Tracking information flow in dynamic languages remains an open challenge. It might seem natural to address the challenge by runtime monitoring. However, there are well-known fundamental limits of dynamic flow-sensitive tracking of information flow, where paths not taken in a given execution contribute to information leaks. This paper shows how to overcome the permissiveness limit for dynamic analysis by a novel use of testing. We start with a program supervised by an informationflow monitor. The security of the execution is guaranteed by the monitor. Testing boosts the permissiveness of the monitor by discovering paths where the monitor raises security exceptions. Upon discovering a security error, the program is modified by injecting an annotation that prevents the same security exception on the next run of the program. The elegance of the approach is that it is sound no matter how much coverage is provided by the testing. Further, we show that when the mechanism has discovered the necessary annotations, then we have an accuracy guarantee: the results of monitoring a program are at least as accurate as flow-sensitive static analysis. We illustrate our approach for a simple imperative language with records and exceptions. Our experiments with the QuickCheck tool indicate that random testing accurately discovers annotations for a collection of scenarios with rich information flows.

show abstract

Security of Web Mashups: A Survey

Cited by 23 publications

References 17 publications

Enhancing Secure Web Mashups Development in Enterprise Environments

Enhancing Secure Web Mashups Development in Enterprise Environments

Information-Flow Security for a Core of JavaScript

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing

Contact Info

Product

Resources

About