Showing papers on "Client-side scripting published in 2014"

Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks.

Abstract: Hybrid mobile applications (apps) combine the features of Web applications and “native” mobile apps. Like Web applications, they are implemented in portable, platform-independent languages such as HTML and JavaScript. Like native apps, they have direct access to local device resources—file system, location, camera, contacts, etc. Hybrid apps are typically developed using hybrid application frameworks such as PhoneGap. The purpose of the framework is twofold. First, it provides an embedded Web browser (for example, WebView on Android) that executes the app's Web code. Second, it supplies “bridges” that allow Web code to escape the browser and access local resources on the device. We analyze the software stack created by hybrid frameworks and demonstrate that it does not properly compose the access-control policies governing Web code and local code, respectively. Web code is governed by the same origin policy, whereas local code is governed by the access-control policy of the operating system (for example, user-granted permissions in Android). The bridges added by the framework to the browser have the same local access rights as the entire application, but are not correctly protected by the same origin policy. This opens the door to fracking attacks, which allow foreign-origin Web content included into a hybrid app (e.g., ads confined in iframes) to drill through the layers and directly access device resources. Fracking vulnerabilities are generic: they affect all hybrid frameworks, all embedded Web browsers, all bridge mechanisms, and all platforms on which these frameworks are deployed. We study the prevalence of fracking vulnerabilities in free Android apps based on the PhoneGap framework. Each vulnerability exposes sensitive local resources—the ability to read and write contacts list, local files, etc.—to dozens of potentially malicious Web domains. We also analyze the defenses deployed by hybrid frameworks to prevent resource access by foreign-origin Web content and explain why they are ineffectual. We then present NoFrak, a capability-based defense against fracking attacks. NoFrak is platform-independent, compatible with any framework and embedded browser, requires no changes to the code of the existing hybrid apps, and does not break their advertising-supported business model.

Performance Comparison and Evaluation of Web Development Technologies in PHP, Python, and Node.js

Abstract: Large scale, high concurrency, and vast amount of data are important trends for the new generation of website. Node.js becomes popular and successful to build data-intensive web applications. To study and compare the performance of Node.js, Python-Web and PHP, we used benchmark tests and scenario tests. The experimental results yield some valuable performance data, showing that PHP and Python-Web handle much less requests than that of Node.js in a certain time. In conclusion, our results clearly demonstrate that Node.js is quite lightweight and efficient, which is an idea fit for I/O intensive websites among the three, while PHP is only suitable for small and middle scale applications, and Python-Web is developer friendly and good for large web architectures. To the best of our knowledge, this is the first paper to evaluate these Web programming technologies with both objective systematic tests (benchmark) and realistic user behavior tests (scenario), especially taking Node.js as the main topic to discuss.

WebCore: architectural support for mobileweb browsing

Abstract: The Web browser is undoubtedly the single most impor- tant application in the mobile ecosystem. An average user spends 72 minutes each day using the mobile Web browser. nWeb browser internal engines (e.g., WebKit) are also growing in importance because they provide a common substrate for developing various mobile Web applications. In a user-driven, interactive, and latency-sensitive environment, the browser's performance is crucial. However, the battery-constrained nature of mobile devices limits the performance that we can de- liver for mobile Web browsing. As traditional general-purpose techniques to improve performance and energy efficiency fall short, we must employ domain-specific knowledge while still maintaining general-purpose flexibilityIn this paper, we first perform design-space exploration to identify appropriate general-purpose architectures that uniquely fit the characteristics of a popular Web browsing engine. Despite our best effort, we discover sources of energy inefficiency in these customized general-purpose architectures. To mitigate these inefficiencies, we propose, synthesize, and evaluate two new domain-specific specializations, called the Style Resolution Unit and the Browser Engine Cache. Our opti- mizations boost energy efficiency and at the same time improve mobile Web browsing performance. As emerging mobile work- loads increasingly rely more on Web browser technologies, the type of optimizations we propose will become important in the future and are likely to have lasting widespread impact

A client-side web application for interactive environmental simulation modeling

Abstract: Recent developments in web technologies including evolution of web standards, improvements in browser performance, and the emergence of free and open-source software (FOSS) libraries are driving a general shift from server-side to client-side web applications where a greater share of the computational load is transferred to the browser. Modern client-side approaches allow for improved user interfaces that rival traditional desktop software, as well as the ability to perform simulations and visualizations within the browser. We demonstrate the use of client-side technologies to create an interactive web application for a simulation model of biochemical oxygen demand and dissolved oxygen in rivers called the Web-based Interactive River Model (WIRM). We discuss the benefits, limitations and potential uses of client-side web applications, and provide suggestions for future research using new and upcoming web technologies such as offline access and local data storage to create more advanced client-side web applications for environmental simulation modeling. A client-side web application of an environmental simulation model is presented.Client-side computation and visualization support high interactivity and usability.URL-based model access and a commenting system promote user collaboration.Web-based simulation models are more accessible to non-technical users.

System and method for web application security

Abstract: A system for detection and mitigation of client-side initiated security attack(s) to a web application is disclosed. A server component (SC) of the system is configured to intercept at least partially a web application code and/or data exchanged between a web server and one or more web browsers running on client devices respectively. The SC installs a script in the web application code intercepted from a web server before forwarding a transformed web application code to the a web browser. The CS when executed in a web browser of a client, causes the web browser to execute a loop which sweeps the document object model (DOM) structure of the webpage. Further, the CS sends a report containing the DOM structure and/or details on data to the SC. Using the received reports, SC concludes if tampering occurred at the client-side.

Learning PHP, MySQL & JavaScript: With jQuery, CSS & HTML5

Abstract: Build interactive, data-driven websites with the potent combination of open-source technologies and web standards, even if you only have basic HTML knowledge. With this popular hands-on guide, you'll tackle dynamic web programming with the help of today's core technologies: PHP, MySQL, JavaScript, jQuery, CSS, and HTML5. Explore each technology separately, learn how to use them together, and pick up valuable web programming practices along the way. At the end of the book, you'll put everything together to build a fully functional social networking site, using XAMPP or any development stack of your choice. Learn PHP in-depth, along with the basics of object-oriented programming Explore MySQL, from database structure to complex queries Use the MySQLi Extension, PHP's improved MySQL interface Create dynamic PHP web pages that tailor themselves to the user Manage cookies and sessions, and maintain a high level of security Master the JavaScript language - and enhance it with jQuery Use Ajax calls for background browser/server communication Acquire CSS2 & CSS3 skills for professionally styling your web pages Implement all the new HTML5 features, including geolocation, audio, video, and the canvas

Industrial automation device with editor and graphical object mobile visualization

Abstract: A remote visualization editing and monitoring system facilitates development, management, and deployment of graphical web pages that can be stored on industrial devices (e.g., industrial controllers, drives, etc.) and remotely accessed by mobile devices using a web browser. The remote visualization editing and monitoring system can leverage web technologies to provide simple but powerful graphical web-based HMIs that can be accessed using a client device. The system allows a user to develop and deploy both web-based human-machine interfaces for monitoring of an industrial process, as well as web pages that render graphical representations of the control program executing on the industrial device.

Pythy: improving the introductory python programming experience

Abstract: Pythy is a web-based programming environment for Python that eliminates software-related barriers to entry for novice programmers, such as installing an IDE or the Python runtime. Using only a web browser, within minutes students can begin writing code, watch it run, and access support materials and tutorials. While there are a number of web-based Python teaching tools, Pythy differs in several respects: it manages student assignment work, including deadlines, turn-in, and grading; it supports live, interactive code examples that instructors can write and students can explore; it provides auto-saving of student work in the cloud, with full, transparent version control; and it supports media-computation-style projects that manipulate images and sounds. Pythy provides a complete ecosystem for student learning, with a user interface that follows a more familiar web browsing model, rather than a developer-focused IDE interface. An evaluation compares student perceptions of Pythy in relation to JES, another student-friendly beginner Python environment. Classroom experiences indicate that Pythy does reduce the novice obstacles that it aims to address.

Client-side personal voice web navigation

Abstract: A system running on a mobile device such as a smartphone is configured to expose a user interface (UI) to enable a user to specify web pages that can be pinned to a start screen of the device. Once pinned, the user may launch a web page by voice command from any location on the UI or from within any experience that is currently being supported on the device. Thus, the user can be on a call with a friend talking about a new video game and then use a voice command to launch a web browser application on the mobile device that navigates to a pinned web page having information about the game's release date. Web pages can be readily pinned and unpinned from the start screen through the UI. When a web page is unpinned from the start screen, the system disables voice web navigation for it.

Exposure of remotely invokable method through a webpage to an application outside web browser

Abstract: Web browsing environments are commonly used to facilitate user interaction with data over the Internet. A web browser is a tool used to view and interact with a webpage. A webpage may interface with a web service to provide remote functionality that the webpage does not locally provide. An effective method for specifying and consuming remote functionality that an application invokes outside of the web browser is disclosed herein. A webpage exposes remote functionality (e.g., web service) that a web browser and/or browser extensions may discover through browsing the webpage. A browser extension associated with an application determines whether the application is compatible with the remote functionality. Once a compatible application is determined, it may be executed so as to connect to and invoke the remote functionality outside of the web browser. The application may provide a more robust experience with the remote functionality compared to the web browsing environment.

Software engineering for the web: the state of the practice

Abstract: Today’s web applications increasingly rely on client-side code execution. HTML is not just created on the server, but manipulated extensively within the browser through JavaScript code. In this paper, we seek to understand the software engineering implications of this. We look at deviations from many known best practices in such areas of performance, accessibility, and correct structuring of HTML documents. Furthermore, we assess to what extent such deviations manifest themselves through client-side code manipulation only. To answer these questions, we conducted a large scale experiment, involving automated client-enabled crawling of over 4000 web applications, resulting in over 100,000,000 pages analyzed, and close to 1,000,000 unique client-side user interface states. Our findings show that the majority of sites contain a substantial number of problems, making sites unnecessarily slow, inaccessible for the visually impaired, and with layout that is unpredictable due to errors in the dynamically modified DOM trees.

HTML Device Tags to Control Operational Features of Devices in an Internet of Things

Abstract: A web browser executes on a device that has controllable operational features, such as sensor, actuator, and process-related features, and that is connected to other devices via a network. The web browser receives a HyperText Markup Language (HTML) document including HTML device tags. Each of the HTML device tags includes a command configured to control a corresponding one of the operational features of the device. The web browser determines, based on each HTML device tag, the command therein to control the corresponding operational feature. The web browser issues the determined command to the corresponding operational feature so as to control the operational feature.

Prediction of Cross-Site Scripting Attack Using Machine Learning Algorithms

Abstract: Dynamic web pages are widely used by web applications to provide better user experience and to attract more web users. The web applications use the client side and server side scripts to provide dynamic behavior to the web pages. Cross-Site Scripting (XSS) attack uses malicious scripts and links injected into the trusted web pages to steal sensitive data from the victims. In this paper, we present the experimental results obtained using three machine learning algorithms (Naive Bayes, Support Vector Machine and J48 Decision Tree) for the prediction of Cross-site scripting attack. This is done using the features based on normal and malicious URLs and JavaScript. J48 gave better results than Naive Bayes and Support Vector Machine based on the features extracted from URL and Java Script code. All the algorithms gave comparatively better results with discretized attributes but noticeable difference in performance was seen only in the case of SVM.

How Much Can We Micro-Cache Web Pages?

Abstract: Browser caches are widely used to improve the performance of Web page loads. Unfortunately, current object-based caching is too coarse-grained to minimize the costs associated with small, localized updates to a Web object. In this paper, we evaluate the benefits if caching were performed at a finer granularity and at different levels (i.e., computed layout and compiled JavaScript). By analyzing Web pages gathered over two years, we find that both layout and code are highly cacheable, suggesting that our proposal can radically reduce time to first paint. We also find that mobile pages are similar to their desktop counterparts in terms of the amount and composition of updates.

Method and apparatus for determining user browsing behavior

Abstract: A computer implemented method and an apparatus for determining user browsing behavior are provided. The method comprises associating one or more web pages corresponding to a web domain with tags to configure one or more tagged web pages. The method further comprises facilitating downloading of a control file on a user device upon detecting a first web page access event corresponding to a tagged web page from among the one or more tagged web pages. The control file is configured to facilitate recording of user activity related to a web domain on one or more tabs of a web browser associated with the user device. Furthermore, the method comprises receiving recorded user activity corresponding to at least one web browsing session and determining a user browsing behavior based on the recorded user activity.

Exploiting Web Browsing Activities for User Needs Identification

Abstract: Browsing sessions are rich in elements useful to build profiles of user interests, but at the same time HTML pages include noise data, such as ads and navigation menus. Moreover, pages might cover several different topics. For these reasons they are often ignored in personalized approaches. We propose a novel approach for implicitly recognizing valuable text descriptions of current user needs based on the implicit feedback revealed through web browsing interactions.

Distributed split browser content inspection and analysis

Abstract: Distributed split browser content inspection and analysis are described. A server, comprising a browser engine, stores a definition of sets of browser policies. A definition of one or more sets of users is stored. The server stores an association with a respective set of browser policies for the one or more sets of users. A request is received from a client browser associated with a user, wherein the client browser is configured to communicate with the server browser engine. The server determines which set of users the user is associated with. The server identifies a first set of browser policies that is associated with the determined set of users and applies the identified first set of browser policies to the request. A determination is made, for one or more browser processes, which browser processes are to be executed by the server browser engine and which browser processes are to be executed by the client browser.

Quick Live Coding Collaboration In The Web Browser.

Abstract: With the growing adoption of internet connectivity across the world, online collaboration is still a difficult and slow endeavor. Many amazing languages and tools such as SuperCollider, ChucK, and Max/MSP all facilitate networking and collaboration, however these languages and tools were not created explicitly to make group performances simple and intuitive. New web standards such as Web Audio and Web GL introduce the capability for web browsers to duplicate many of the features in computer music tools. This paper introduces Lich.js, an effort to bring musicians together over the internet with minimal effort by leveraging web technologies.

The Browser Hacker's Handbook

Abstract: Hackers exploit browser vulnerabilities to attack deep within networksThe Browser Hacker's Handbook gives a practical understanding of hacking the everyday web browser and using it as a beachhead to launch further attacks deep into corporate networks. Written by a team of highly experienced computer security experts, the handbook provides hands-on tutorials exploring a range of current attack methods. The web browser has become the most popular and widely used computer "program" in the world. As the gateway to the Internet, it is part of the storefront to any business that operates online, but it is also one of the most vulnerable entry points of any system. With attacks on the rise, companies are increasingly employing browser-hardening techniques to protect the unique vulnerabilities inherent in all currently used browsers. The Browser Hacker's Handbook thoroughly covers complex security issues and explores relevant topics such as: Bypassing the Same Origin Policy ARP spoofing, social engineering, and phishing to access browsers DNS tunneling, attacking web applications, and proxyingall from the browser Exploiting the browser and its ecosystem (plugins and extensions)Cross-origin attacks, including Inter-protocol Communication and Exploitation The Browser Hacker's Handbook is written with a professional security engagement in mind. Leveraging browsers as pivot points into a target's network should form an integral component into any social engineering or red-team security assessment. This handbook provides a complete methodology to understand and structure your next browser penetration test.

Visual designation of a zone in rendered code

Abstract: A method for visually designating a placeholder in a web page calls for executing a client-side script by a web browser upon the web page being displayed in the web browser. The executing steps are to analyze a tag structure in a source code of the web page, to establish a Document Object Model (DOM) of the web page; create a Graphical User Interface (GUI) for visually designating the placeholder; detect a user selection, made using the GUI, of a location in a graphical view of the web page; update the DOM of the web page on the fly, to render the web page and display the placeholder in accordance with the user selection; compose instructions for injecting a content element in the location of the user selection; and transmit the instructions to a remote server.

System and method for annotating webpages

Abstract: A system and method for annotating webpages including a method of annotating webpages from a personal device by opening a web browser on the personal device, the web browser including a commentary service Web Edit button; opening a website in the web browser; actuating the commentary service Web Edit button: to automatically capture a screenshot of the opened website, to open a commentary service browser window in the web browser, (the commentary service browser window including editing tools and a commentary service Web Publish button), and to display the automatically captured screenshot in the opened commentary service browser window; editing the screenshot with the editing tools within the commentary service browser window to generate an edited screenshot; and actuating the commentary service Web Publish button to save the edited screenshot associated with the website to commentary service remote storage.

Chapter 28 – Man-in-the-Browser Attacks in Modern Web Browsers

Abstract: Man-in-the-browser is a Trojan that infects a Web browser. A Trojan has the ability to modify Web pages and online transaction content, or insert itself in a covert manner, without the user noticing anything suspicious. This chapter presents a study of several man-in-the-browser attacks that tamper with the user’s transactions and examines different attack vectors on several software layers. We conclude that there are many possible points of attack on different software layers and components of a Web browser, as the user’s transaction data flows through these layers. We also propose some countermeasures to mitigate these attacks. Our conceptual solution is based on cryptographic identification and integrity monitoring of software components.

Screen sharing using scripting computer language code directly executable by web browser

Abstract: Techniques are disclosed for facilitating browser-based screen sharing using scripting computer language codes that are directly executable by a web browser. An example method comprises loading a presentation webpage in a presenter's web browser. The presentation webpage includes scripting language codes that are configured to cause the presenter's web browser to capture a screen image without requiring the presenter's web browser to load an applet. The method further includes receiving data indicative of the captured screen image from the presenter device, wherein the data is generated by the scripting language codes, processing the received data to form a processed screen image that is in an image format natively displayable to a viewer's web browser, and transmitting a viewer webpage including the processed screen image to the viewer's web browser.

A voice-controlled web browser to navigate hierarchical hidden menus of web pages in a smart-tv environment

Abstract: This paper proposes a new voice web browser that can be operated in smart TV environments. Previous voice web browsers had the limitation of being run under limited conditions; for example, a list of the specific contents of a page was outputted by voice, or the user entered a search term by voice. In our method proposed in this paper, all the hierarchical menu areas on a web page are recognized and controlled with voice keywords so that page navigation according to a menu can be conveniently done in a voice supported web browser. Although many studies have been conducted on web page menu recognition, most of them provide insufficient information to recognize the hierarchical menu structure. In other words, most web pages in recent browsers showed submenus only as a result of a specific user interaction, since these previous studies had no way of recognizing or controlling the submenus. Therefore, in the web browser proposed in this study, a hierarchical menu structure, which is inserted dynamically via user interaction, is recognized and selected by voice, thus making it possible to maneuver on the web page. Furthermore, the core code of the browser is implemented in JavaScript, so it can be flexibly used not only for a web browser on Smart TVs, but also as functional extensions of existing web browsers in a PC environment.

Browser JS Guard: Detects and defends against Malicious JavaScript injection based drive by download attacks

Abstract: In the recent times, most of the systems connected to Internet are getting infected with the malware and some of these systems are becoming zombies for the attacker. When user knowingly or unknowingly visits a malware website, his system gets infected. Attackers do this by exploiting the vulnerabilities in the web browser and acquire control over the underlying operating system. Once attacker compromises the users web browser, he can instruct the browser to visit the attackers website by using number of redirections. During the process, users web browser downloads the malware without the intervention of the user. Once the malware is downloaded, it would be placed in the file system and responds as per the instructions of the attacker. These types of attacks are known as Drive by Download attacks. Now-a-days, Drive by Download is the major channel for delivering the Malware. In this paper, Browser JS Guard an extension to the browser is presented for detecting and defending against Drive by Download attacks via HTML tags and JavaScript.

System and methods for accessing multi-origin content from web browser and application to web application testing

Abstract: The present invention discloses a system and method to allow a browser frame, tab, or window to communicate with an arbitrary number of application hosts in different domains while keeping its location constant on a client host. The invention allows all communications to occur between the web browser and any of the applications hosts and the client host while the hosts do not to have any knowledge of each other and cannot exchange data between them. The present invention thereby allows the frame, tag, or window to persist arbitrary data and programs. The system specifically allows sending arbitrary HTTP messages to the application hosts and allows receiving the associated responses, while allowing every interaction with the client host that the user browser supports (e.g. HTTP, Ajax), and allowing continuous execution of a program in the user browser frame, tab, or window.

A Hybrid Segmentation of Web Pages for Vibro-Tactile Access on Touch-Screen Devices

Abstract: Navigating the Web is one of important missions in the field of computer accessibility. Many specialized techniques for Visually Impaired People (VIP) succeed to extract the visual and textual information displayed on digital screens and transform it in a linear way: either through a written format on special Braille devices or a vocal output using text-to-speech syn-thesizers. However, many researches confirm that perception of the layout of web pages en-hances web navigation and memorization. But, most existing screen readers still fail to trans-form the 2-dimension structures of web pages into higher orders. In this paper, we propose a new framework to enhance VIP web accessibility by affording a "first glance" web page overview, and by suggesting a hybrid segmentation algorithm to afford nested and easy navi-gation of web pages. In particular, the web page layout is transformed into a coarse grain structure, which is then converted into vibrating pages using a graphical vibro-tactile lan-guage. First experiments with blind users show interesting issues on touch-screen devices.