Vol. 9 No. 1, March 1, 2010
Practical Elimination of External Interaction Vulnerabilities in Web Applications (pp. 1-24)
James Miller and Toan Huynh

External Interaction Vulnerabilities (EIVs) are currently the most common vulnerability in web applications. These vulnerabilities allow attackers to use a vulnerable web application as a vessel to transmit malicious code to the external systems that interact with it; the malicious code modifies the semantic content of the information sent to the external application. Current vulnerability detection approaches are black-box oriented and do not take advantage of the data-flow information available in the source code. In this paper, we introduce a white-box approach called EIV analysis to eliminate such vulnerabilities in web applications. The strategy allows investigators to accurately identify all inputs entering the web application and to model each input as it reaches the external systems acting as data sinks. The strategy is partially automated, resulting in substantial effort savings compared with common industrial approaches, while also providing superior performance in terms of vulnerability detection. A case study using a commercial, currently deployed, mission-critical web application is presented to demonstrate the validity of these claims.
Investigating the Distributional Property of the Session Workload (pp. 25-47)
James Miller and Toan Huynh

Companies now rely on the World Wide Web for communication with their customers. As reliance on web servers grows, so does the need for companies to understand the workload placed upon these servers. The session is a popular unit of workload measurement used to analyze information recorded in server logs. In fact, many web applications, from shopping carts to online banking systems, require session information to function correctly, and web data mining also depends on session workload information. However, the distributional properties of this session workload are not understood. Whether the session workload is better described by a short-tailed or a heavy-tailed distribution is a fundamental question for the investigation of the session workload unit. This paper empirically explores claims that the session workload can be described using a heavy-tailed distribution. It concludes that, for the samples used in this paper, no method exists to accurately determine whether the session workload is drawn from a heavy-tailed distribution; hence, the conclusion that the samples are drawn from such a distribution cannot be made.
Augmenting a Web-Based Learning Environment through Blending Formative Assessment Services (pp. 48-65)
I-Ching Chen, Dong-Her Shih, and Shuen-Cheng Hu

Web-based training has gained popularity because of pervasive hypertext information systems and its flexibility of time and place. However, the lack of orientation and interaction leads to higher dropout rates in such self-directed learning environments. From the learner's perspective, formative assessment generates criticism and suggestions that guide them toward their ultimate learning goals, which improves retention in self-directed learning environments. This research investigates how a Web-based learning platform can blend external formative assessment services to foster learning activities and to facilitate interaction between learners and mentors. Besides proposing a conceptual model, a proof-of-concept prototype has been developed in which both fully automatic and human-involved formative assessment work can be blended into a self-paced, Web-mediated learning process. An experiment indicated that the prototyped e-learning context did help to retain learners. The result of this research implies that, with abundant pedagogical Web services in an open framework, high-priced e-learning resources could be easily shared and flexibly orchestrated to fulfill various educational goals.
Empirically Assessing the Impact of DI on the Development of Web Service Applications (pp. 66-94)
Marco Crasso, Cristian Mateos, Alejandro Zunino, and Marcelo Campo

Service-Oriented Computing (SOC) has been broadly conceived as the next big thing in distributed software development. The software industry has embraced SOC through Web Services: functionality that is accessible via ubiquitous protocols such as HTTP. This technology provides the basis for reuse and interoperability of applications across the WWW. However, consuming Web Services is still an expensive task in terms of development cost, since developers must invest much effort not only in manually discovering services but also in writing the code to invoke them, which leads to software that is polluted with service-aware code and is therefore more difficult to modify and test. Recently, Dependency Injection (DI) has become a very popular technique for building software, because it makes applications far more testable and maintainable. In this paper, we quantitatively analyze some of the benefits and costs of DI for building Web Service applications. We base our experiments on a refined version of DI that combines text mining, machine learning, and best practices from component-based software development to simplify the way Web Services are discovered and consumed. To our knowledge, this is the first study of the impact of using DI in the context of SOC.