Showing papers on "Client-side scripting published in 2007"

BrowserShield: Vulnerability-driven filtering of dynamic HTML

Abstract: Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield [Wang et al. 2004]. In this article, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in Web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at runtime. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at runtime. The rewritten pages contain logic for recursively applying runtime checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a general framework that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized runtime actions like vulnerability-driven filtering. We also explore other applications on top of BrowserShield.

Categorization of a Mobile User Profile Based on Browse Behavior

Abstract: In embodiments, the present invention provides a method and system for using wireless provider data to ascertain a web browser activity, recording a user's mobile web browser activity performed on a mobile communication facility, storing a plurality of mobile web browser activities relating to the user, analyzing the plurality of mobile web browser activities to determine a relationship among web browser activities, creating a category of user profile based at least in part on the analysis, associating the category of user profile with the user, and presenting a content to the mobile communication facility based at least in part on the category of user profile.

Exposing private information by timing web applications

Abstract: We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as validity of an username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are wide-spread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.

Visual web page analytics

Abstract: A method and system for tracking user utilization of a web page The invention can use a tracking script, which can be a client-based Javascript code in some embodiments The tracking script can be executed in a visitor's web browser (14) when the customer's web page is loaded on the visitors' computer (11) The tracking script can be unique to each customer because it can be determined by the elements on the customer's web page and can be generated via a dynamic web server process In at least some embodiments, when the customer's web page loads on the visitor's computer (11), the visitor's browser requests the tracking script from a server (12) The server can then transmit the tracking script to the visitor's browser (13) and the tracking script can register itself (14) and 'passively' listens to various browser events (15).

Switching search providers within a browser search box

Abstract: A Web browser includes a quick pick search provider menu that provides a user interface which provides a user with the ability to quickly select a new search provider which appears when the user places focus in the Web browser's search box. In one or more embodiments, the Web browser's search box comprises a native part of the Web browser and is not a search box associated with an installed tool bar. In other embodiments, search box functionality is provided as an extension to the Web browser. Further, various embodiments enable the user to switch between search providers in an easy and intuitive way. Yet other embodiments provide an opportunity for users to switch between search providers using keywords in the search box. Further embodiments enable users to define collections of search providers to which individual searches can be sent.

Platform for the interactive contextual augmentation of the web

Abstract: A method for increasing the usefulness of hypertext in a browser accessed web site by providing means to augment hyperlinks and other notable page content with additional metacontent and contextually appropriate tools by inserting a script into browser accessed document that when rendered by a web browser causes the link objects within a Document Object to be augmented with extra information relevant to the linked URL, said information obtained from a different domain than the one on which the document resides.

System and method for synchronized co-browsing by users in different web sessions

Abstract: A system and method for enabling co-browsing between two or more users accessing a website in separate sessions. Each of the users operates a web browser instance to browse the website. The website comprises one or more web pages, at least a portion of which includes embedded software code or script. A collaboration manager, established after the users consent to co-browsing, associates the sessions of the users. As the users navigate to new web addresses in the website or enter data into their browser instances, the software code or script embedded within the web pages rendered in the browser instances causes each user's browser to communicate changes in the web addresses or data to the collaboration manager. The collaboration manager receives the communicated changes and provides them to other co-browsing users. Synchronization of cursors, scroll-bar positions and other browser events is also supported.

Predictive asynchronous web pre-fetch

Abstract: A web server receives an asynchronous pre-request of data from a web browser resulting from the web browser predicting a user action based on the user's interaction with the web browser. The web server pre-fetches the pre-requested data based on the asynchronous pre-request of data.

Csurf: a context-driven non-visual web-browser

Abstract: Web sites are designed for graphical mode of interaction. Sighted users can "cut to the chase" and quickly identify relevant information in Web pages. On the contrary, individuals with visual disabilities have to use screen-readers tobrowse the Web. As screen-readers process pages sequentially and read through everything, Web browsing can become strenuous and time-consuming. Although, the use ofshortcuts and searching offers some improvements, the problem still remains. In this paper, we address the problemof information overload in non-visual Web access using thenotion of context. Our prototype system, CSurf, embodyingour approach, provides the usual features of a screen-reader.However, when a user follows a link, CSurf captures thecontext of the link using a simple topic-boundary detectiontechnique, and uses it to identify relevant information onthe next page with the help of a Support Vector Machine, astatistical machine-learning model. Then, CSurf reads the Web page starting from the most relevant section, identifiedby the model. We conducted a series experiments to evaluate the performance of CSurf against the state-of-the-artscreen-reader, JAWS. Our results show that the use of context can potentially save browsing time and substantiallyimprove browsing experience of visually disabled people.

Automatically instrumenting a set of web documents

Abstract: Embodiments of the invention provide a method and system for automatically instrumenting a set of web documents, such as web pages, as well as embedding structures that present advertising content via the web pages. The instrumentation automatically embeds tags that enable usage information associated with the web documents to be tracked and recorded. Many hundreds or thousands of web pages can be automatically modified without user intervention, enabling comprehensive reporting and tracking to be performed on each page. The web pages are analyzed and insertion points intelligently located. Changes can be verified to ensure that no undesirable effects resulted from embedding the content. The tags can receive parameters customized to the level of users and pages. The tags, insertion information, and other configuration information can be stored in a central repository to make subsequent tagging easier.

MashupOS: operating system abstractions for client mashups

Abstract: Web browser support has evolved piecemeal to balance the security and interoperability requirements of client-side script services. This evolution has led to an inadequate security model that forces Web applications to choose between security and interoperation. We draw an analogy between Web sites' sharing of browser resources and users' sharing of operating system resources, and use this analogy as a guide to develop protection and communication abstractions in MashupOS: a set of abstractions that isolate mutually-untrusting web services within the browser, while allowing safe forms of communication.

PageTailor: reusable end-user customization for the mobile web

Abstract: Most pages on the Web are designed for the desktop environment and render poorly on the small screens available on handheld devices. We introduce Reusable End-User Customization (REUC), a technique that lets end users adapt the layout of Web pages by removing, resizing and moving page elements. REUC records the user's customizations and automatically reapplies them on subsequent visits to the same page or to other, similar pages, on the same Web site. We present PageTailor, a REUC prototype based on the Minimo Web browser that runs on Windows Mobile PDAs. We show that users can utilize PageTailor to adapt sophisticated Web sites, such as Amazon, BBC and MSN, for browsing on a PDA. Moreover, the customizations remain effective for up to a year, even as the content of pages is updated, and can be reused across similar pages, limiting the customization effort required to browse a site.

Mobile web browsing: usability study

Abstract: The mobile phones are increasingly used to access different kind of information other than just to make voice calls. However, browsing large web pages which is not adapted for small-screen viewing is still very inconvenient. Web browsers are emerging which try to solve the interaction problems that occur when small-screen devices are used to access web pages designed for large screen viewing. This paper presents the results of the usability study in which users' mobile web browsing experience was evaluated in comparison to desktop Web browsing. The results indicate the users' performance was poor on mobile browser as users expected similar experience as on desktop; however for some users familiarity of web on desktop helped instead to navigate easily on mobile browser. The main problem participants had was difficulty of locating the content in long narrow page, which in turn caused extensive scrolling. This research suggests some improvement for mobile web browser and important consideration in designing mobile friendly websites that could help limit a lot of scrolling and increase the readability.

Secure web site authentication using web site characteristics, secure user credentials and private browser

Abstract: A secure authentication process detects and prevents phishing and pharming attacks for specific web sites. The process is based on a dedicated secure hardware store for user sign-in credentials, a database of information about specific web sites, and a private secure browser. All user web activity is monitored by an agent program. The agent program checks to make sure that user attempts to send any sign-in credentials stored in secure hardware store of user sign-in credentials, to any web site accessed by the user, is allowed only if the IP address of the web site accessed by the user matches at least one of the IP addresses stored web site database associated with the sign-in credential the user is attempting to send. The process also detects mismatches between a URL and the actual IP address of the web site associated with the URL.

Web mashup scripting language

Abstract: The Web Mashup Scripting Language (WMSL) enables an end-user (you) working from his browser, e.g. not needing any other infrastructure, to quickly write mashups that integrate any two, or more, web services on the Web. The end-user accomplishes this by writing a web page that combines HTML, metadata in the form of mapping relations, and small piece of code, or script. The mapping relations enable not only the discovery and retrieval of the WMSL pages, but also affect a new programming paradigm that abstracts many programming complexities from the script writer. Furthermore, the WMSL Web pages or scripts that disparate end-users (you) write, can be harvested by Crawlers to automatically generate the concepts needed to build lightweight ontologies containing local semantics of a web service and its data model, to extend context ontologies or middle ontologies, and to develop links, or mappings, between these ontologies. This enables an open-source model of building ontologies based on the WMSL Web page or scripts that end users (you) write.

Methods for organizing information accessed through a web browser

Abstract: Methods are provided for assisting in the organization of information accessed through a web browser. At least one item of information accessed through the web browser is captured and visually represented in a defined organizational area of a display. A relevance index is calculated for each item of information that is visually represented to a current web-browsing behavior. The relevance index is conveyed for each item of information to the current web-browsing behavior to a user of the web browser.

Apparatus and methods for providing network-based information suitable for audio output

Abstract: The invention is directed to techniques for navigating a network based on audio input to retrieve information from a network. A user enters audio commands into a two-way communication device to access information located on a network, such as the Internet. For example, a user enters a voice request for a web page into a telephone, which sends the request to a proxy browser for the World Wide Web which in turn provides the request to a web navigation application executing on an application server. The web navigation application generates a text-based request based on the voice request and retrieves a web page from the World Wide Web based on the text-based request. The web navigation application uses a script or an XML page to generate a file suitable for audio output from the retrieved web page. The web navigation application then produces an audio output file from the generated file, which it sends to the proxy browser to provide audio output signals to the user over the telephony connection to the user's telephone.

Enterprise web browser extension

Abstract: Systems, methodologies, media, and other embodiments associated with web browsers are described. One exemplary embodiment includes a browser extension for a web browser that can communicate with a remote web service from an enterprise application to retrieve content. The content can then be displayed in sidebar window panes within the browser.

The HearSay non-visual web browser

Abstract: This paper describes HearSay, a non-visual Web browser, featuring context-directed browsing, a unique and innovative Web accessibility feature, and an extensible VoiceXML dialog interface The browser provides most of the standard browsing functionalities, including flexible navigation and form-filling The paper also outlines future work aiming to make the Web more accessible for individuals with visual impairments

Method and system for delivering and interactively displaying three-dimensional graphics

Abstract: A method is provided whereby the user can view and interact with live, realtime 3D content using just a web browser, requiring no extra downloads or third party 3D plugins. The invention uses W3C standard bitmap formats, typically JPEG or PNG, as the delivery vehicle for server side rendered 3D content. The invention provides a 3D rendering application that runs on a web server and responds to commands from the user's web browser to manipulate, re-render and deliver new 3D rendered scenes back to the users' browser. The invention preferably uses Ajax - Asynchronous Javascript and XML to create the client side Web 3D scene manipulation tool set.

Recommendations based on actions performed on multiple remote servers

Abstract: A content provider system interacts with a network of web sites to provide behavior-based content to users. Operators of the web sites add widgets to selected web pages of their sites. The widgets, when executed on the computing devices of users who view the selected web pages, report user-generated events to the content provider system. The content provider system analyses the reported events to detect behavioral associations between particular web sites, web pages, products, and/or other types of items. The widgets may also retrieve and display behavior-based content that is based on these item-to-item behavioral associations. For example, when a user views a particular web page, a widget on that page may request and display descriptions of, and links to, other sites or pages that are (a) behaviorally related to the page being viewed or an item represented thereon, and/or (b) behaviorally related to the past browsing activities of the particular user.

Using Server Pages to Unify Clones in Web Applications: A Trade-Off Analysis

Abstract: Server page technique is commonly used for implementing web application user interfaces. Server pages can represent many similar web pages in a generic form. Yet our previous study revealed high rates of repetitions in web applications, particularly in the user interfaces. Code duplication, commonly known as "cloning', signals untapped opportunities to achieve simpler, smaller, more generic, and more maintainable web applications. Using PHP Server page technique, we conducted a case study to explore how far Server page technique can be pushed to achieve clone-free web applications. Our study suggests that clone unification using Server pages affects system qualities (e.g., runtime performance) to an extent that may not be acceptable in many project situations. Our paper discusses the trade-offs we observed when applying Server pages to unify clones in web applications. We expect our findings to help in developing and validating complementary techniques that can unify clones without incurring such trade-offs.

Extensible Web Browser Security

Abstract: In this paper we examine the security issues in functionality extension mechanisms supported by web browsers. Extensions (or "plug-ins") in modern web browsers enjoy unlimited power without restraint and thus are attractive vectors for malware. To solidify the claim, we take on the role of malware writers looking to assume control of a user's browser space. We have taken advantage of the lack of security mechanisms for browser extensions and have implemented a piece of malware for the popular Firefox web browser, which we call browserSpy , that requires no special privileges to be installed. Once installed, browserSpy takes complete control of a user's browser space and can observe all the activity performed through the browser while being undetectable. We then adopt the role of defenders to discuss defense strategies against such malware. Our primary contribution is a mechanism that uses code integrity checking techniques to control the extension installation and loading process. We also discuss techniques for runtime monitoring of extension behavior that provide a foundation for defending threats due to installed extensions.

Synchronization of locally and remotely stored browser data

Abstract: A computer implemented method, apparatus, and computer program product for displaying information within a browser. Server browser information is stored on a web server. The server browser information includes a set of first category categories and a set of second category categories. An indication of whether a user is on a public system or a private system is received by the web server. Responsive to receiving the indication that the user is on a public system, only the set of public categories of the browser information is displayed to the user.

Pixel cluster transit monitoring for detecting click fraud

Abstract: Detecting click fraud that includes a client device capable of accessing a server hosting a web page containing an advertisement. The client device includes a network interface allowing access to the server and code on the client device. The code accesses and displays a web page containing an advertisement, provides mechanisms (e.g., an applet, an ActiveX control, a plugin, a JavaScript, a browser scripting language, browser extensions, or code native to the browser) associated with each pixel cluster where each mechanism captures information regarding the transit of the pixel cluster by a cursor on the web page, and collects information based on the capturing by each associated mechanism regarding the transit of the pixel cluster by a cursor on the web page.

Dynamic online surveys and experiments with the free open-source softwaredynQuest

Abstract: With computers and the World Wide Web widely available, collecting data through Web browsers is an attractive method utilized by the social sciences. In this article, conducting PC- and Web-based trials with the software packagedynQuest is described. The software manages dynamic questionnaire-based trials over the Internet or on single computers, possibly as randomized control trials (RCT), if two or more groups are involved. The choice of follow-up questions can depend on previous responses, as needed for matched interventions. Data are collected in a simple text-based database that can be imported easily into other programs for postprocessing and statistical analysis. The software consists of platform-independent scripts written in the programming language PERL that use the common gateway interface between Web browser and server for submission of data through HTML forms. Advantages ofdynQuest are parsimony, simplicity in use and installation, transparency, and reliability. The program is available as open-source freeware from the authors.

The Firegoose: two-way integration of diverse data from different bioinformatics web resources with desktop applications

Abstract: Background: Information resources on the World Wide Web play an indispensable role in modern biology. But integrating data from multiple sources is often encumbered by the need to reformat data files, convert between naming systems, or perform ongoing maintenance of local copies of public databases. Opportunities for new ways of combining and re-using data are arising as a result of the increasing use of web protocols to transmit structured data. Results: The Firegoose, an extension to the Mozilla Firefox web browser, enables data transfer between web sites and desktop tools. As a component of the Gaggle integration framework, Firegoose can also exchange data with Cytoscape, the R statistical package, Multiexperiment Viewer (MeV), and several other popular desktop software tools. Firegoose adds the capability to easily use local data to query KEGG, EMBL STRING, DAVID, and other widely-used bioinformatics web sites. Query results from these web sites can be transferred to desktop tools for further analysis with a few clicks. Firegoose acquires data from the web by screen scraping, microformats, embedded XML, or web services. We define a microformat, which allows structured information compatible with the Gaggle to be embedded in HTML documents. We demonstrate the capabilities of this software by performing an analysis of the genes activated in the microbe Halobacterium salinarum NRC-1 in response to anaerobic environments. Starting with microarray data, we explore functions of differentially expressed genes by combining data from several public web resources and construct an integrated view of the cellular processes involved. Conclusion: The Firegoose incorporates Mozilla Firefox into the Gaggle environment and enables interactive sharing of data between diverse web resources and desktop software tools without maintaining local copies. Additional web sites can be incorporated easily into the framework using the scripting platform of the Firefox browser. Performing data integration in the browser allows the excellent search and navigation capabilities of the browser to be used in combination with powerful desktop tools.

Behavior based web page evaluation

Abstract: This paper describes our efforts to investigate factors in user browsing behavior to automatically evaluate Web pages that the user shows interest in. To evaluate Web pages automatically, we developed a client-side logging/analyzing tool: the GINIS Framework. We do not focus on just clicking, scrolling, navigation, or duration of visit alone, but we propose integrating these patterns of interaction to recognize and evaluate user response to a given Web page. Unlike most previous Web studies analyzing access through proxies or servers, this work focuses primarily on client-side user behavior using a customized Web browser. First, GINIS unobtrusively gathers logs of user behavior through the user's natural interaction with the Web browser. Then, it analyses the logs and extracts effective rules to evaluate Web pages using a C4.5 machine learning system. Eventually, GINIS becomes able to automatically evaluate Web pages using these learned rules, after which the evaluation can be utilized for a variety of user profiling applications. We successfully confirmed, for example, that time spent on a Web page is not the most important factor in predicting interest from behavior, which conflicts with the findings of most previous studies.

Widget-assisted content personalization based on user behaviors tracked across multiple web sites

Abstract: A content provider system interacts with a network of web sites to provide behavior-based content to users. Operators of the web sites add widgets to selected web pages of their sites. The widgets, when executed on the computing devices of users who view the selected web pages, report user-generated events to the content provider system. The content provider system analyses the reported events to detect behavioral associations between particular web sites, web pages, products, and/or other types of items. The widgets may also retrieve and display behavior-based content that is based on these item-to-item behavioral associations. For example, when a user views a particular web page, a widget on that page may request and display descriptions of, and links to, other sites or pages that are (a) behaviorally related to the page being viewed or an item represented thereon, and/or (b) behaviorally related to the past browsing activities of the particular user.

Browser extension for web form capture

Abstract: Methods and other embodiments associated with a web browser extension are described. One example browser extension includes a web form capture logic that identifies a web page that includes a form and an editable field on the form. The capture logic may acquire information about the field and about the form. This acquisition may include interacting with a user through a graphical user interface. The browser extension may also include a template logic to create a form-fill template based on the acquired information and a web form storage logic to store the template. The template may be referenced when a subsequent web page view involves a form-fill operation.