DOCSLIB.ORG

On Cross-Site Scripting, Fallback Authentication and Privacy Im Web Applications

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
On Cross-Site Scripting, Fallback Authentication and Privacy Im Web Applications On Cross-Site Scripting, Fallback Authentication and Privacy in Web Applications Ashar Javed (Place of birth: Bahawalpur (Pakistan)) [email protected] 13th November 2015 Ruhr-University Bochum Horst G¨ortzInstitute for IT-Security Chair for Network and Data Security Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨atf¨urElektrotechnik und Informationstechnik an der Ruhr-Universit¨atBochum Submission Date: 09-04-2015 Oral Exam Date: 08-07-2015 First Supervisor: Prof. Dr. rer. nat. J¨orgSchwenk Second Supervisor: Prof. Dr. rer. nat. Joachim Posegga www.nds.rub.de Contents 1 Introduction 15 1.1 Cross-Site Scripting ......................... 15 1.1.1 Facts and Figures ...................... 15 1.2 Account Recovery .......................... 16 1.2.1 Facts and Figures ...................... 16 1.3 Third-Party Tracking......................... 17 1.4 Motivation .............................. 17 1.5 Organization of Thesis........................ 18 2 Fundamentals 21 2.1 Web Application ........................... 21 2.2 Hypertext Transfer Protocol (HTTP) ............... 21 2.2.1 Types of an HTTP Requests ................ 24 2.3 Uniform Resource Locator (URL).................. 24 2.4 Same-Origin Policy.......................... 26 2.4.1 Same-Origin Policy for JavaScript By Example . 26 2.5 Content Injection Attack....................... 27 2.6 Cross-Site Scripting ......................... 28 2.6.1 Reflected XSS......................... 29 2.6.2 Stored XSS.......................... 31 2.6.3 Self-XSS............................ 32 2.7 Cookie Theft ............................. 32 2.7.1 XSS Exploitation | Exemplified at Cookie Theft . 33 2.8 Common XSS Mitigation Approaches ............... 34 2.8.1 Input Filtering........................ 35 2.8.2 Output Encoding....................... 36 2.8.3 Security Policy........................ 37 2.9 Fallback Authentication....................... 38 2.10 Privacy ................................ 40 2.10.1 HTTP Cookies........................ 40 2.10.2 Online Advertising...................... 41 3 XSS and Mobile Web Applications 43 3.1 Introduction.............................. 45 3.2 Case Studies ............................. 45 3.2.1 Example 1: The New York Times.............. 45 3.2.2 Example 2: StatCounter................... 46 3.3 Survey................................. 49 3 3.3.1 Methodology of Testing Websites.............. 50 3.3.2 Ethical Considerations.................... 50 3.3.3 HTML Usage on Mobile Sites................ 51 3.3.4 JavaScript Usage on Mobile Sites.............. 51 3.4 Overview of XSS Filtering Approach................ 51 3.4.1 Regular Expressions..................... 52 3.4.2 Black-list Approach ..................... 52 3.4.3 Community-Input ...................... 52 3.4.4 Threat Model......................... 53 3.4.5 Limitations of Regular Expressions Used in Wassermann et al.'s stop xss function.................. 53 3.5 XSS Filter............................... 56 3.5.1 Category 1 Improvements.................. 56 3.5.2 Category 2 Improvements.................. 57 3.5.3 Category 3 Improvements.................. 58 3.5.4 Miscellaneous Additions................... 58 3.5.5 Limitations.......................... 58 3.6 Implementation and Testing..................... 59 3.6.1 Implementation........................ 59 3.6.2 Testing ............................ 59 3.7 Evaluation............................... 60 3.7.1 Evaluation in Terms of Time and Memory......... 60 3.7.2 Execution Time of XSS Filter JavaScript Function . 61 3.7.3 False Positives Evaluation.................. 61 3.7.4 Adoption ........................... 64 3.8 Related Work............................. 65 3.9 Comparison to Other Approaches.................. 65 3.10 Conclusion .............................. 66 3.11 Acknowledgements.......................... 66 4 XSS and PHP 67 4.1 Abstract................................ 68 4.2 Introduction.............................. 69 4.2.1 Markup Injection and Cross-Site-Scripting (XSS) . 69 4.2.2 Context-aware Encoding and CFC Characters . 70 4.2.3 False Positives ........................ 71 4.2.4 Bypasses ........................... 71 4.2.5 Systematic CFC-based Approach.............. 72 4.2.6 Prefix Enforcement...................... 73 4.2.7 Applications of the Methodology.............. 73 4.2.8 Contribution ......................... 74 4.3 Background.............................. 74 4.3.1 JavaScript Embeddings ................... 74 4.3.2 Contexts for Reflecting User-provided Input . 75 4.3.3 PHP|Hypertext Preprocessor ............... 75 4.3.4 Whitebox testing of PHP based mitigations . 76 4.4 Formal Model............................. 76 4 4.4.1 Parser Model......................... 77 4.4.2 Prefix Enforcement...................... 78 4.5 Determining the CFC Sets of Different Contexts ......... 78 4.5.1 HTML context........................ 79 4.5.2 Attribute context....................... 79 4.5.3 Script context......................... 80 4.5.4 Style context ......................... 81 4.5.5 URI context.......................... 82 4.6 XSS Attack Methodology ...................... 82 4.6.1 Basic Setup.......................... 82 4.6.2 HTML Context........................ 83 4.6.3 Attribute Context ...................... 84 4.6.4 URI Context ......................... 85 4.6.5 Script Context ........................ 87 4.6.6 Style Context......................... 88 4.7 Evaluation Results.......................... 89 4.7.1 PHP's Built-In Functions .................. 89 4.7.2 Customized Solutions .................... 90 4.7.3 Web Frameworks....................... 93 4.8 Alexa Top 10 × 10 Sites ....................... 98 4.9 Novel Context-Aware XSS Sanitizer ................ 98 4.9.1 HTML Context Filter .................... 99 4.9.2 Attribute Context Filter................... 99 4.9.3 Script Context Filter.....................100 4.9.4 Style Context Filter .....................100 4.9.5 URL Context Filter .....................101 4.9.6 Community Feedback ....................102 4.9.7 False Positives ........................102 4.9.8 Adoption ...........................102 4.10 Related Work.............................103 4.11 Conclusion and Future Work ....................105 5 XSS and WYSIWYG Editors 107 5.1 Introduction..............................107 5.2 How WYSIWYG Editors Work? . 111 5.3 Methodology .............................112 5.3.1 Testing Methodology.....................112 5.3.2 Attack Methodology.....................112 5.4 Evaluation of Attack Methodology . 115 5.4.1 XSS in Twitter Translation Forum's WYSIWYG editor 115 5.4.2 XSSes in TinyMCE's WYSIWYG editor . 117 5.4.3 XSSes in Froala's WYSIWYG editor . 117 5.5 Statistical Evaluation ........................118 5.6 Practical and Low Cost Countermeasures . 119 5.6.1 HttpOnly Cookies ......................119 5.6.2 Iframe's \sandbox"......................119 5.6.3 Content Security Policy ...................119 5 5.6.4 Guidelines for Developers of WYSIWYG editors . 120 5.7 Conclusion ..............................120 6 A Policy Language 121 6.1 Introduction..............................122 6.1.1 Related Work.........................123 6.1.2 Design Goals .........................128 6.1.3 Our Approach ........................128 6.1.4 Contributions.........................130 6.1.5 Running Example ......................130 6.2 SIACHEN Policy Language .....................131 6.2.1 Syntax.............................132 6.2.2 SIACHEN's Directives....................132 6.3 Implementation............................136 6.3.1 Technical Details.......................136 6.3.2 ECMAScript's Object Freezing Functions . 137 6.3.3 XSS Filter...........................138 6.3.4 Output Encoding.......................138 6.3.5 Protection Against XSS Attack Variants . 139 6.3.6 The script-nonce & Firefox Browser's Modification . 140 6.4 Evaluation...............................141 6.4.1 General Methodology ....................141 6.5 Testing ................................143 6.6 Survey.................................144 6.6.1 Prevalence of XSS ......................144 6.6.2 Identification of Potential SIACHEN Venues . 144 6.7 Limitations of SIACHEN and Future Work . 146 6.8 Conclusion ..............................146 7 Fallback Authentication 147 7.1 Introduction..............................147 7.1.1 Related Work.........................148 7.2 Facebook Trusted Friends......................150 7.2.1 Invoking Trusted Friends ..................151 7.2.2 Trusted Friends Authentication . 151 7.2.3 Trusted Contacts.......................152 7.3 Trusted Friend Attack........................152 7.3.1 Recovery Flow of an Attacker . 152 7.3.2 POST Data Manipulation..................153 7.3.3 URL Manipulation......................154 7.3.4 Applicability .........................155 7.3.5 Chained Trusted Friends Attack . 155 7.4 Facebook Security Measures and Bypasses . 155 7.4.1 Security Alert via Email or Mobile SMS . 155 7.4.2 24 Hour Locked-out Period . 156 7.4.3 Temporarily Locked .....................156 7.5 Other Means of Fallback Authentication . 157 6 7.5.1 Recovery by Email to a Support Team . 157 7.5.2 Recovery by SMS.......................157 7.5.3 Recovery by Answering Security Questions . 157 7.6 Conclusion ..............................158 7.7 Acknowledgments...........................158 8 Trusted Third-Party Cookie 159 8.1 Introduction..............................159 8.1.1 Cookies ............................161 8.1.2 Online Advertising......................161 8.1.3 Contributions.........................161
Load more

Recommended publications
  • Integrating CMS Features Into the HTML Markup Language
    Integrating CMS Features Into The HTML Markup Language Ismaila Ikani Sule Zaafirah Web and Media Design, Aberdeen, Scotland, United Kingdom Abstract - This paper looks at the concept idea for further coders, another trend gained popularity in recent times. developing the HTML markup language by introducing The creation of editing tools for the web site owners and attributes and tags which would enable content editing and users themselves who generally have little or no knowledge management by final web page users while making it easier of the HTML and CSS aspects of their web pages has been for designers and developers to build Content Management booming. System features into their codes. One editor page would This class of people aren't interested in the codes for their work with a corresponding web page and CSS file to display web pages – they are interested in the content of their web editable content to the user. The web designer/developer would code pages as usual setting out editable portions pages. So emerged the era of Content Management Systems within the HTML to be accessed by the user merely calling (CMS) allowing them to edit the web pages produced for up the editor versions of the same pages on his/her browser. them by others or even use set templates to produce the pages on their own. Keywords - HTML, content management, CMS, CSS, web browser, code. 2 The CMS Challenge Web designers and developers worldwide today have 1 Introduction to meet the demands of their clients to come up web pages which can be edited and updated through some form of Web designing has come a long way over the past CMS or the other, ever more frequently.
    [Show full text]
  • Childnodes 1
    Index Home | Projects | Docs | Jargon Bugzilla | LXR | Tree Status | Checkins Feedback | FAQ | Search A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z Index Symbols _content 1 A addEventListener 1 alert() 1 align 1 alinkColor 1 anchors 1 appCodeName 1 appendChild 1 applets 1 appName 1 appVersion 1 attributes 1, 2 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (1 de 20) [09/06/2003 9:55:09] Index availLeft 1 availTop 1 availWidth 1 B back() 1 bgColor 1 blur 1 blur() 1 body 1 C captureEvents() 1 characterSet 1 childNodes 1 clear 1 clearInterval() 1 clearTimeout() 1 click 1 cloneContents 1 cloneNode 1 cloneRange 1 close 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (2 de 20) [09/06/2003 9:55:09] Index close() 1 closed 1 collapse 1 collapsed 1 colorDepth 1 commonAncestorContainer 1 compareBoundaryPoints 1 Components 1 confirm() 1 contentDocument 1, 2 contentWindow 1, 2 controllers 1 cookie 1 cookieEnabled 1 createAttribute 1 createDocumentFragment 1 createElement 1 createRange 1 createTextNode 1 crypto 1 cssRule 1 cssRule Object 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (3 de 20) [09/06/2003 9:55:09] Index cssRules 1 cssText 1 D defaultStatus 1 deleteContents 1 deleteRule 1 detach 1 directories 1 disabled 1 dispatchEvent 1 doctype 1 document 1 documentElement 1 DOM 1, 2 DOM 2 Range Interface 1 DOM window Interface 1 domain 1 dump() 1 E Elements Interface 1 embeds 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (4 de 20) [09/06/2003 9:55:09]
    [Show full text]
  • Style Sheets CSS
    P1: OSO/OVY P2: OSO/OVY QC: OSO/OVY T1: OSO GTBL013-03 GTBL013-Jackson-v10 July 12, 2006 10:36 CHAPTER 3 Style Sheets CSS As we have learned, HTML markup can be used to indicate both the semantics of a document (e.g., which parts are elements of lists) and its presentation (e.g., which words should be italicized). However, as noted in the previous chapter, it is advisable to use markup predominantly for indicating the semantics of a document and to use a separate mechanism to determine exactly how information contained in the document should be presented. Style sheets provide such a mechanism. This chapter presents basic information about Cascading Style Sheets (CSS), a style sheet technology designed to work with HTML and XML documents. CSS provides a great deal of control over the presentation of a document, but to exercise this control intelligently requires an understanding of a number of features. And, while you as a software developer may not be particularly interested in getting your web page to look “just so,” many web software developers are members of teams that include professional web page designers, some of whom may have precise presentation require- ments. Thus, while I have tried to focus on what I consider key features of CSS, I’ve also included a number of finer points that I believe may be more useful to you in the future than you might expect on first reading. While CSS is used extensively to style HTML documents, it is not the only style- related web technology.
    [Show full text]
  • 3.4 Nette Framework Pro PHP
    VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ BRNO UNIVERSITY OF TECHNOLOGY FAKULTA INFORMAČNÍCH TECHNOLOGIÍ ÚSTAV POČÍTAČOVÉ GRAFIKY A MULTIMÉDIÍ FACULTY OF INFORMATION TECHNOLOGY DEPARTMENT OF COMPUTER GRAPHICS AND MULTIMEDIA SYSTÉM PRO SPRÁVU VOLNOČASOVÝCH A VZDĚLÁVACÍCH PROGRAMŮ DIPLOMOVÁ PRÁCE MASTER‘S THESIS AUTOR PRÁCE BC. MIROSLAV TŘÍSKA AUTHOR BRNO 2011 VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ BRNO UNIVERSITY OF TECHNOLOGY FAKULTA INFORMAČNÍCH TECHNOLOGIÍ ÚSTAV POČÍTAČOVÉ GRAFIKY A MULTIMÉDIÍ FACULTY OF INFORMATION TECHNOLOGY DEPARTMENT OF COMPUTER GRAPHICS AND MULTIMEDIA SYSTÉM PRO SPRÁVU VOLNOČASOVÝCH A VZDĚLÁVACÍCH PROGRAMŮ OUTDOOR ACTIVITY MANAGER DIPLOMOVÁ PRÁCE MASTER‘S THESIS AUTOR PRÁCE BC. MIROSLAV TŘÍSKA AUTHOR VEDOUCÍ PRÁCE ING. VÍTĚZSLAV BERAN, Ph.D. SUPERVISOR BRNO 2011 Abstrakt Cílem této diplomové práce je navrhnout dynamické uţivatelské rozhraní pro nástroj zabývající se správou volnočasových a vzdělávacích aktivit jako webovou aplikaci s důrazem na frekventované úkony tvorby denních programů. Bude umoţněno sofistikované vyhledávání aktivit, ze kterých lze vytvořit denní program nebo na základě zadaných parametrů provést automatický návrh programu. Vyuţity k tomu budou dostupné moderní webové technologie. Záměrem tohoto projektu je tyto technologie nastudovat a realizovat jimi efektivní uţivatelské rozhraní reflektující potřeby cílové skupiny uţivatelů. Abstract The aim of this master‘s thesis is to propose a dynamic user interface for a tool engaged in administration of leisure time and educational activities as a web application with an emphasis on frequented operations of daily programmes creation. This will be provided with a sophisticated searching of activities from which you can make a daily programme or on which basis of designated parameters can be achieved an automatical proposition of the programme. I intend to use accessible web technologies to make this real.
    [Show full text]
  • Microsoft and Cray to Unveil $25,000 Windows-Based Supercomputer
    AAll About Microsoft: l lCodeTracker A monthly look at Microsoft’s codenames and what they Areveal about the direction of the company. b o u t M i c r o s o f t : All About Microsoft CodeTracker Keeping track of Microsoft's myriad codenames is an (almost) full-time occupation. I know, as I spend a lot of my work hours tracking down the latest names in the hopes of being able to better keep tabs on what's coming next from the Redmondians. Each month, I'll be releasing an updated, downloadable version of the CodeTracker. I'll add new codenames -- arranged in alphabetical order by codename -- of forthcoming Microsoft products and technologies. I also will note timing changes (date slips, the release of a new test build, the disappearance of a planned deliverable) for entries that are already part of the Tracker. Once Microsoft releases the final version of a product or technology I've been tracking, I will remove it from the Tracker. In that way, the CodeTracker will remain focused on futures. (An aside about the Tracker: A question mark in place of an entry means I have insufficient information to hazard even an educated guess about a particular category.) If you have suggested new entries or corrections to existing ones, please drop me an e-mail at mjf at microsofttracker dot com. Thanks! Mary Jo Foley, Editor, ZDNet's "All About Microsoft" blog This Month's Theme: Big iron needs love, too If you went by nothing but blog and publication headlines, you might think mobile phones and slates are where all the innovation is these days.
    [Show full text]
  • Administrator's Guide
    Administrator’s Guide Version 4.3 Updated February 14, 2017 Contents at a Glance 1. Welcome .................................................................................................................................................................6 2. Installing/Upgrading Gallery Server .................................................................................................................... 11 3. Running Gallery Server ........................................................................................................................................ 43 4. Working with Albums .......................................................................................................................................... 46 5. Working with Media Assets ................................................................................................................................. 60 6. Working with Galleries ........................................................................................................................................ 79 7. User Management and Security .......................................................................................................................... 87 8. Site Administration ............................................................................................................................................ 102 9. Membership Configuration ............................................................................................................................... 189 10.
    [Show full text]
  • Discovery Attender User Guide
    Welcome Sherpa Software's Discovery Attender is a software tool designed to automate the search and collection of electronically stored information across a variety of platforms. This dynamic solution sits behind the firewall and enables in-house talent to identify and gather responsive information in a timely, defensible manner. The Discovery Attender interface is designed to be intuitive and user friendly. The Welcome Screen (above) serves as the gateway to the product. From here you can directly open the PreSearch Tool or create a project. A project serves as a repository for a collection - related searches and associated result sets. Once a new pro- ject is created, the MAIN CONSOLE acts as the central hub to allow you to control the creation, processing, and organization of searches. From here, you can access a Search Wizard which guides you through the step-by- step process of creating a new search. The MAIN CONSOLE also provides access to the Result Management features to view, organize, export and report on the messages, attachments and files that are found during your custom searches. Where to Begin To effectively filter and produce data with Discovery Attender, you must first create a project . Once a project is created, follow the steps below to begin the process: Step Action Description 1 Create and Run A Search A setup wizard leads you through the process of selecting locations and criteria to include in your search. Once started, the chosen data stores are scanned to find items (called results) that match the selected criteria. Information and metadata from these results are stored in the search data- bases.
    [Show full text]
  • Bakalářská Práce
    TECHNICKÁ UNIVERZITA V LIBERCI Fakulta mechatroniky, informatiky a mezioborových studií BAKALÁŘSKÁ PRÁCE Liberec 2013 Jaroslav Jakoubě Příloha A TECHNICKÁ UNIVERZITA V LIBERCI Fakulta mechatroniky, informatiky a mezioborových studií Studijní program: B2646 – Informační technologie Studijní obor: 1802R007 – Informační technologie Srovnání databázových knihoven v PHP Benchmark of database libraries for PHP Bakalářská práce Autor: Jaroslav Jakoubě Vedoucí práce: Mgr. Jiří Vraný, Ph.D. V Liberci 15. 5. 2013 Prohlášení Byl(a) jsem seznámen(a) s tím, že na mou bakalářskou práci se plně vztahuje zákon č. 121/2000 Sb., o právu autorském, zejména § 60 – školní dílo. Beru na vědomí, že Technická univerzita v Liberci (TUL) nezasahuje do mých autorských práv užitím mé bakalářské práce pro vnitřní potřebu TUL. Užiji-li bakalářskou práci nebo poskytnu-li licenci k jejímu využití, jsem si vědom povinnosti informovat o této skutečnosti TUL; v tomto případě má TUL právo ode mne požadovat úhradu nákladů, které vynaložila na vytvoření díla, až do jejich skutečné výše. Bakalářskou práci jsem vypracoval(a) samostatně s použitím uvedené literatury a na základě konzultací s vedoucím bakalářské práce a konzultantem. Datum Podpis 3 Abstrakt Česká verze: Tato bakalářská práce se zabývá srovnávacím testem webových aplikací psaných v programovacím skriptovacím jazyce PHP, které využívají různé knihovny pro komunikaci s databází. Hlavní důraz při hodnocení výsledků byl kladen na rychlost odezvy při zasílání jednotlivých požadavků. V rámci řešení byly zjišťovány dostupné metodiky určené na porovnávání těchto projektů. Byl také proveden průzkum zjišťující, které frameworky jsou nejvíce používané. Klíčová slova: Testování, PHP, webové aplikace, framework, knihovny English version: This bachelor’s thesis is focused on benchmarking of the PHP frameworks and their database libraries used for creating web applications.
    [Show full text]
  • Modern Web Application Frameworks
    MASARYKOVA UNIVERZITA FAKULTA INFORMATIKY Û¡¢£¤¥¦§¨ª«¬­Æ°±²³´µ·¸¹º»¼½¾¿Ý Modern Web Application Frameworks MASTER’S THESIS Bc. Jan Pater Brno, autumn 2015 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or ex- cerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Bc. Jan Pater Advisor: doc. RNDr. Petr Sojka, Ph.D. i Abstract The aim of this paper was the analysis of major web application frameworks and the design and implementation of applications for website content ma- nagement of Laboratory of Multimedia Electronic Applications and Film festival organized by Faculty of Informatics. The paper introduces readers into web application development problematic and focuses on characte- ristics and specifics of ten selected modern web application frameworks, which were described and compared on the basis of relevant criteria. Practi- cal part of the paper includes the selection of a suitable framework for im- plementation of both applications and describes their design, development process and deployment within the laboratory. ii Keywords Web application, Framework, PHP,Java, Ruby, Python, Laravel, Nette, Phal- con, Rails, Padrino, Django, Flask, Grails, Vaadin, Play, LEMMA, Film fes- tival iii Acknowledgement I would like to show my gratitude to my supervisor doc. RNDr. Petr So- jka, Ph.D. for his advice and comments on this thesis as well as to RNDr. Lukáš Hejtmánek, Ph.D. for his assistance with application deployment and server setup. Many thanks also go to OndˇrejTom for his valuable help and advice during application development.
    [Show full text]
  • Detecting Conflicts Among Declarative UI Extensions
    Detecting Conflicts Among Declarative UI Extensions Benjamin S. Lerner Dan Grossman Brown University University of Washington [email protected] [email protected] Abstract shows a “Hello world” example written in XUL, a simple overlay We examine overlays, a flexible aspect-like mechanism for third- targeting it, and its composition with the base document. Appli- cations like Firefox use this ability heavily to modularize their UI party declarative extensions of declarative UIs. Overlays can be de- fined for any markup language and permit extensions to define new definitions into many smaller documents. Mozilla applications expose the overlay mechanism to third par- content that is dynamically woven into a base UI document. While powerful, overlays are inherently non-modular and may conflict ties and thereby enable a uniquely powerful extension mechanism. Such third party extensions can enhance or modify the program’s with each other, by defining duplicate or contradictory UI compo- nents. We construct an abstract language to capture core overlay se- base functionality in arbitrary ways; overlays are used to integrate mantics, and design an automatic analysis to detect inter-extension the extension’s UI into the existing UI. Moreover, end users can conflicts. We apply the analysis to a case study of Firefox exten- freely install extensions to customize their browser however they sions, finding several real-world bugs. Our analysis provides low- wish. This expressiveness has led to the widespread popularity level feedback to extension developers and high-level reports to end of Firefox extensions—hundreds of millions of users have down- users. Finally, we show how variants of overlays more expressive loaded extensions billions of times [13].
    [Show full text]
  • Interfacing Apache HTTP Server 2.4 with External Applications
    Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick November 6, 2012 Who am I? Interfacing Apache HTTP Server 2.4 with External Applications Met Unix (in the form of Xenix) in 1985 Jeff Trawick Joined IBM in 1990 to work on network software for mainframes Moved to a different organization in 2000 to work on Apache httpd Later spent about 4 years at Sun/Oracle Got tired of being tired of being an employee of too-huge corporation so formed my own too-small company Currently working part-time, coding on other projects, and taking classes Overview Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick Huge problem space, so simplify Perspective: \General purpose" web servers, not minimal application containers which implement HTTP \Applications:" Code that runs dynamically on the server during request processing to process input and generate output Possible web server interactions Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick Native code plugin modules (uhh, assuming server is native code) Non-native code + language interpreter inside server (Lua, Perl, etc.) Arbitrary processes on the other side of a standard wire protocol like HTTP (proxy), CGI, FastCGI, etc. (Java and \all of the above") or private protocol Some hybrid such as mod fcgid mod fcgid as example hybrid Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick Supports applications which implement a standard wire protocol, no restriction on implementation mechanism Has extensive support for managing the application[+interpreter] processes so that the management of the application processes is well-integrated with the web server Contrast with mod proxy fcgi (pure FastCGI, no process management) or mod php (no processes/threads other than those of web server).
    [Show full text]
  • 1 Introducing Symfony, Cakephp, and Zend Framework
    1 Introducing Symfony, CakePHP, and Zend Framework An invasion of armies can be resisted, but not an idea whose time has come. — Victor Hugo WHAT’S IN THIS CHAPTER? ‰ General discussion on frameworks. ‰ Introducing popular PHP frameworks. ‰ Design patterns. Everyone knows that all web applications have some things in common. They have users who can register, log in, and interact. Interaction is carried out mostly through validated and secured forms, and results are stored in various databases. The databases are then searched, data is processed, and data is presented back to the user, often according to his locale. If only you could extract these patterns as some kind of abstractions and transport them into further applications, the developmentCOPYRIGHTED process would be much MATERIAL faster. This task obviously can be done. Moreover, it can be done in many different ways and in almost any programming language. That’s why there are so many brilliant solutions that make web development faster and easier. In this book, we present three of them: Symfony, CakePHP, and Zend Framework. They do not only push the development process to the extremes in terms of rapidity but also provide massive amounts of advanced features that have become a must in the world of Web 2.0 applications. cc01.indd01.indd 1 11/24/2011/24/2011 55:45:10:45:10 PPMM 2 x CHAPTER 1 INTRODUCING SYMFONY, CAKEPHP, AND ZEND FRAMEWORK WHAT ARE WEB APPLICATION FRAMEWORKS AND HOW ARE THEY USED? A web application framework is a bunch of source code organized into a certain architecture that can be used for rapid development of web applications.
    [Show full text]