Figure 9 - uploaded by Shun-Wen Hsiao
The loading times of different browsers.

Source publication
Conference Paper
A web mashup is a web application that integrates content from heterogeneous sources to provide users with a more integrated and seamless browsing experience. Client-side mashups differ from server-side mashups in that the content is integrated in the browser using the client-side scripts. However, the legacy same origin policy (SOP) implemented by...

Context in source publication

Context 1
... we make a mashup request. Although the result is highly dependent on the parameter selected, the implementation of the browsers and the network delay, it gives us a high-level overview of system performance. We also measure the loading time of a mashup without the Squid proxy, as well as the loading time with the Squid but eCAP is disabled. Fig. 9 shows the average mashup loading times under the compared browsers. In Chrome 6, Firefox 3 and IE 8, the average overhead of our design (compared with that of the non-proxy architecture) is about 743, 1049, and 1225 milliseconds, respectively. However, we notice that the overhead is caused primarily by the Squid proxy, not our eCAP ...

Similar publications

Article
Recent updates of Vulnerability reports of the Open Web Application Security Project confirm that Cross Site Scripting (XSS) is one of the most common and severe web security defects. Cross-Site Scripting occurs when an application takes data from the user and sends it back to a web browser without validation or encoding. It occurs when the web app...
Conference Paper
Cross Site Scripting (XSS) is popular security vulnerability in modern web applications. XSS attacks are malicious scripts which are embedded by attackers into the source code of web page to be executed at client side by browsers. Researchers have proposed many techniques for detection and prevention of XSS, but eliminating XSS still remains a chal...

Citations

... A CDN consists of many different devices and hence IP addresses which requires access to many different computers and domains. For this reason, Cross Domain Origin Policy (CORS) [18,30] has been configured to avoid access inconsistencies. ...
Article
The expansion of the online video content continues in every area of the modern connected world and the need for measuring and predicting the Quality of Experience (QoE) for online video systems has never been this important. This paper has designed and developed a machine learning based methodology to derive QoE for online video systems. For this purpose, a platform has been developed where video content is unicasted to users so that objective video metrics are collected into a database. At the end of each video session, users are queried with a subjective survey about their experience. Both quantitative statistics and qualitative user survey information are used as training data to a variety of machine learning techniques including Artificial Neural Network (ANN), K-nearest Neighbours Algorithm (KNN) and Support Vector Machine (SVM) with a collection of cross-validation strategies. This methodology can efficiently answer the problem of predicting user experience for any online video service provider, while overcoming the problematic interpretation of subjective consumer experience in terms of quantitative system capacity metrics.
... An example of a mashup extracted from "A Secure Proxy-Based Cross-Domain Communication for Web Mashups" (Hsiao et al. 2011). The housing data feed is integrated with Google Maps to show the position of each entry. ...
Article
Glycoscience is a rapidly developing and emerging scientific discipline. Like many other scientific disciplines, glycoscience is adapting to the exciting rise of accessible scientific data, which now impacts research and modifies its practice. The accumulation of information along with the development of enabling technologies has laid the foundation of a rich computational toolbox tailored for the detection and high-resolution determination of complex glycans. In parallel, a variety of online resources essentially in the form of databases covering glycan and glycoproteins structures have been developed by independent research groups worldwide. At present, more than 150 entries are freely available on the internet, yet these are often produced independently of one another. With the aim of facilitating glycoscience research, we have clustered these different tools according to their major field of applications. As a result, the following entries can be accessed: Portals. Genome and Glycome Representations Experimental Results Glycans Glycoproteomics Functional Glycomics Glycolipids CAZYmes Polysaccharides. Cross-talk between these computational resources is needed. To illustrate this point, one section of the chapter is devoted to the practical usage of integrative tools to guide the traveler in the navigation, investigation and the quest for correlations between structure and function in glycobiology. Some fundamental principles of bioinformatics about data handling are presented in three consecutive annexes. These cover Data Integration, Data Integration Strategies and their implementation in Bioinformatics.
... After the final confirmation of the detection system, about 10,000 to 30,000 URLs are harmful. In addition, the University of Washington, there are some scholars in the study of spyware on the Web; the main idea is based on reptiles [13][14][15][18][19][20][21]. ...
Article
In the virus world of Internet, it is a challenging and urgent problem that how can we ensure the safety of search engines. A security subsystem of the search engine based on the research of content-based image search engine system V2.0 is developed. A malicious URL (Uniform Resource Locator) detection method based on BM (Boyer-Moore) pattern matching is proposed. The main research contents and results are as follows: Many malicious URLs could be downloaded by web image search, which may cause unnecessary losses to the users. So the malicious URL detection algorithm based on BM pattern matching is proposed. This method is to let the URL source code match the virus characteristics in the database to confirm whether the URL is safe or not. Web image search detects 203 malicious URLs based on this method. By Kaspersky scanning, we confirmed 189 URLs to be malicious URLs, and the error rate is 6.9%, and the accurate rate is 93.1%. The experimental results show that the malicious URL detection algorithm provides secure URLs for web image search engine.
... Here, we provide postMsg, a function simulated as postMessage API [58] specified by HTML 5, to safely enable asynchronous communication between DOM windows [22]. It is supported by modern browsers, such as Internet Explorer, Firefox, Opera, and Safari. ...
Article
The rendering mechanism plays an indispensable role in browser-based Web application. It generates active webpages dynamically and provides human-readable layout through template engines, which are used as a standard programming model to separate the business logic and data computations from the webpage presentation. The client-side rendering mechanism, owing to the advances of rich application technologies, has been widely adopted. The adoption of client side rendering brings not only various merits but also new problems. In this paper, we propose and construct "pagelet", a segment-based template engine for developing flexible and extensible Web applications. By presenting principles, practice and usage experience of pagelet, we conduct a comprehensive analysis of possible advantages and disadvantages brought by client-side rendering mechanism from the viewpoints of both developers and end-users.
... One popular integration pattern organizations use to integrate services from multiple sources into a seamless user browsing experience is through the use of web services and web APIs [2]. However, the process of combining content from multiple sources is often complicated by a web browser security implementation called the Same Origin Policy (SOP) [2]. ...
Article
The upfront cost to deploy a Software as a Service (SaaS) application has been drastically reduced with the advent of cloud computing. This has significantly lowered the entry barrier allowing many small businesses and start-ups to become providers of SaaS applications. However, getting past the entry barrier quickly leads to other challenges. Perhaps the largest challenge for many organizations involves selecting the right architecture and technologies for enabling their SaaS application to easily integrate with customers’ existing software. This paper proposes a high-level architecture and technology selection that supports the rapid development of Community Software as a Service (CSaaS) cloud based application that can be easily integrated into a customer’s existing web property. The prototype application developed for this paper is a CSaaS focusing on providing community functionality to customer/third-party websites. However, the architecture and integration models used could easily be applied to any type of SaaS that needs to be integrated into another web application (e.g. a Customer Relationship Management (CRM) service that needs to be integrated with a customer support website).
Article
Browser functionality can be widely extended by browser extensions. One of the key features that make browser extensions so powerful is that they run with “high” privileges. As a consequence, a vulnerable or malicious extension might expose the resources to possible attacks such as privilege escalation, information stealing, and session hijacking. We consider as resources the browser components or the system resources accessed through the browser extensions. In addition, an extension can even interact with other installed extensions to perform various tasks such as share information, notify events, and change preferences. In this paper, we extend the concept of colluding extension discussed in the literature. Furthermore, we demonstrate a new attack that can leverage this concept and cause privacy leakage in a web browser. The communication between extensions permits two extensions to collude with each other, and share objects that are allocated in the same address space. As improvement on the work discussed in the literature, we show the way in which colluding extensions can communicate over overt and covert communication channels for executing colluding attacks. In addition, we test the effectiveness of newly identified attacks against representative state-of-art techniques for browser extensions. In particular, we identify: (a) object reference sharing; (b) event notification; and (c) preference overriding as the vulnerable points in the browser extension system. We illustrate the effectiveness of the proposed attack through colluding extensions using various attack scenarios, and we provide a proof-of-concept implementation for web domains including the banking and shopping domains. We believe that the use-case scenarios we consider in our demonstration further underlines the severity of the presented attack. Finally, we discuss possible mitigation techniques to address the given colluding attack.
Conference Paper
Mashups are next generation of Web applications; they integrate and remix different sources on the Web in a creative approach to provide rich and novel experiences for users. Furthermore, mashups introduce a new class of integration technologies for implementing situational applications (i.e. applications that come together for solving some immediate business problems). While mashup services provide flexibility and speed in delivering new valuable services to consumers, the issue of accountability associated with the mashups remains largely ignored by the industry. Pushing mashups to enterprises without attention to accountability problems involves many risks. In this paper, a new model is proposed to resolve accountability issues in mashup services. The proposed model uses PKI (public key infrastructure) in conjunction with logically hierarchical meta Web services to support identification and traceability of Web services in mashups and consequently provides a trusted environment for enterprise mashups.
Article
Web service technologies are best exploited by composing services, and BPEL (Web Services Business Process Execution Language) is adopted industrial-wide as the de facto service composition standard. However, a BPEL composite service is typically treated as a fully automated service flow that orchestrates multiple web services and involves no user interactions - a desirable feature for service delivery, and is presently not included in the BPEL standard. In this work, we propose an extension to BPEL to infuse user interactions into composite services along three dimensions: (1) to develop two BPEL extension activities to describe the inner workings of user interactions in BPEL service and the rendering of service user interfaces; (2) to provide a wizard-style mechanism to guide the user to interact with the service flow in accordance with the sequence of service execution; and (3) to devise a UI service communication protocol to facilitate secure cross-domain communication among UI services from various domains. An enhanced BPEL engine with a service UI rendering engine has been accordingly developed.