Target Web Site

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 6531 Experts worldwide ranked by ideXlab platform

Soheil Khodayari - One of the best experts on this subject based on the ideXlab platform.

  • Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks
    arXiv: Cryptography and Security, 2019
    Co-Authors: Avinash Sudhodanan, Soheil Khodayari, Juan Caballero
    Abstract:

    In a Cross-Origin State Inference (COSI) attack, an attacker convinces a victim into visiting an attack Web page, which leverages the cross-origin interaction features of the victim's Web browser to infer the victim's state at a Target Web Site. Multiple instances of COSI attacks have been found in the past under different names such as login detection or access detection attacks. But, those attacks only consider two states (e.g., logged in or not) and focus on a specific browser leak method (or XS-Leak). This work shows that mounting more complex COSI attacks such as deanonymizing the owner of an account, determining if the victim owns sensitive content, and determining the victim's account type often requires considering more than two states. Furthermore, robust attacks require supporting a variety of browsers since the victim's browser cannot be predicted a priori. To address these issues, we present a novel approach to identify and build complex COSI attacks that differentiate more than two states and support multiple browsers by combining multiple attack vectors, possibly using different XS-Leaks. To enable our approach, we introduce the concept of a COSI attack class. We propose two novel techniques to generalize existing COSI attack instances into COSI attack classes and to discover new COSI attack classes. We systematically apply our techniques to existing attacks, identifying 40 COSI attack classes. As part of this process, we discover a novel XS-Leak based on window.postMessage. We implement our approach into Basta-COSI, a tool to find COSI attacks in a Target Web Site. We apply Basta-COSI to test four stand-alone Web applications and 58 popular Web Sites, finding COSI attacks against each of them.

  • A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks
    2019
    Co-Authors: Soheil Khodayari
    Abstract:

    In a Cross-Origin State Inference (COSI) attack, an attacker convinces a victim into visiting an attack Web page, which leverages the cross-origin interaction features of the victim's Web browser to infer the victim's state at a Target Web Site. COSI attacks can have serious consequences including determining if the victim has an account or is the administrator of a prohibited Target Site, or if the victim owns sensitive content hosted at the Target Site. In this paper, we perform the first systematic study of COSI attacks and present the first tool for detecting them. We study the mechanisms behind 25 COSI attacks, classify them into 10 leak methods and 38 attack classes, identify a novel COSI attack class based on window.postMessage, and design a novel approach for detecting COSI attacks. We implement our detection approach into Basta-COSI, a tool that produces attack Web pages that demonstrate the existence of COSI attacks in a given Target Web Site. We apply Basta-COSI to four popular stand-alone Web applications (GitHub, GitLab, HotCRP, OpenCart) and five live Sites (linkedin.com, blogger.com, amazon.com, drive.google.com, pinterest.com), finding COSI attacks against each of them. Finally, we discuss the countermeasures that can be taken by browser vendors and Site administrators against COSI attacks.

John Domingue - One of the best experts on this subject based on the ideXlab platform.

  • OntoWeaver: an ontology-based approach to the design of data-intensive Web Sites
    Journal of Web Engineering, 2005
    Co-Authors: YUANGUI LEI, Enrico Motta, John Domingue
    Abstract:

    Building a data-intensive Web Site is a complex task. Ad hoc rapid prototyping approaches easily lead to unsatisfactory results, e.g. poor maintainability and extensibility. To address this problem, a number of model-based approaches have been proposed, which attempt to simplify the design and development of data-intensive Web Sites. However, these approaches typically lack expressive meta-models and, as a result, suffer from a number of limitations, e.g. the lack of appropriate support for the creation of complex user interfaces, for the specification of layouts and presentation styles, and for customization. In this paper we describe a new software tool OntoWeaver, which uses ontologies to drive the design and development of data-intensive Web Sites. OntoWeaver overcomes the problems of current approaches by providing a Site view ontology, a presentation ontology, and a customization framework. Specifically, the Site view ontology provides fine-grained modelling support for the creation of complex user interfaces and navigation structures. The presentation ontology captures the features of layouts and presentation styles of user interface elements. These two explicit meta-models allow the Target Web Site to be represented in a declarative and re-usable format, thus enabling high level support for design, maintenance, and customization. The customization framework exploits this advantage and provides comprehensive customization support for the Target Web Site at design as well as run time.

  • EKAW - An Ontology-Driven Approach to Web Site Generation and Maintenance
    Knowledge Engineering and Knowledge Management: Ontologies and the Semantic Web, 2002
    Co-Authors: YUANGUI LEI, Enrico Motta, John Domingue
    Abstract:

    Building and maintaining a data-intensive Web Site is costly and time-consuming and a number of approaches have addressed this problem using a model-based methodology. This paper presents IIPS (Intelligent Information Presentation System), a system that uses an ontology-driven approach to Site generation and management. IIPS provides a suite of visual tools, which make it possible to model a data-intensive Web Site at a conceptual level, using Site, interface and domain ontologies. As a result, the Site designer can focus on the conceptual structure of the Target Web Site and associated resources, independently of its realization. IIPS also provides explicit mapping mechanisms, which make it possible to generate quickly Site implementations from the conceptual model. IIPS improves over existing model-based approaches to Web design, by providing knowledge-level support for all aspects of Web design, including Site and resource specification, presentation and domain data.

  • An Ontology-Driven Approach to Web Site Generation and Maintenance
    Knowledge Engineering and Knowledge Management: Ontologies and the Semantic Web, 2002
    Co-Authors: YUANGUI LEI, Enrico Motta, John Domingue
    Abstract:

    Building and maintaining a data-intensive Web Site is costly and time-consuming and a number of approaches have addressed this problem using a model-based methodology. This paper presents IIPS (Intelligent Information Presentation System), a system that uses an ontology-driven approach to Site generation and management. IIPS provides a suite of visual tools, which make it possible to model a data-intensive Web Site at a conceptual level, using Site, interface and domain ontologies. As a result, the Site designer can focus on the conceptual structure of the Target Web Site and associated resources, independently of its realization. IIPS also provides explicit mapping mechanisms, which make it possible to generate quickly Site implementations from the conceptual model. IIPS improves over existing model-based approaches to Web design, by providing knowledge-level support for all aspects of Web design, including Site and resource specification, presentation and domain data.

Juan Caballero - One of the best experts on this subject based on the ideXlab platform.

  • Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks
    arXiv: Cryptography and Security, 2019
    Co-Authors: Avinash Sudhodanan, Soheil Khodayari, Juan Caballero
    Abstract:

    In a Cross-Origin State Inference (COSI) attack, an attacker convinces a victim into visiting an attack Web page, which leverages the cross-origin interaction features of the victim's Web browser to infer the victim's state at a Target Web Site. Multiple instances of COSI attacks have been found in the past under different names such as login detection or access detection attacks. But, those attacks only consider two states (e.g., logged in or not) and focus on a specific browser leak method (or XS-Leak). This work shows that mounting more complex COSI attacks such as deanonymizing the owner of an account, determining if the victim owns sensitive content, and determining the victim's account type often requires considering more than two states. Furthermore, robust attacks require supporting a variety of browsers since the victim's browser cannot be predicted a priori. To address these issues, we present a novel approach to identify and build complex COSI attacks that differentiate more than two states and support multiple browsers by combining multiple attack vectors, possibly using different XS-Leaks. To enable our approach, we introduce the concept of a COSI attack class. We propose two novel techniques to generalize existing COSI attack instances into COSI attack classes and to discover new COSI attack classes. We systematically apply our techniques to existing attacks, identifying 40 COSI attack classes. As part of this process, we discover a novel XS-Leak based on window.postMessage. We implement our approach into Basta-COSI, a tool to find COSI attacks in a Target Web Site. We apply Basta-COSI to test four stand-alone Web applications and 58 popular Web Sites, finding COSI attacks against each of them.

Leszek Borzemski - One of the best experts on this subject based on the ideXlab platform.

  • Testing, Measuring, and Diagnosing Web Sites from the User's Perspective
    Electronic Business, 2009
    Co-Authors: Leszek Borzemski
    Abstract:

    Users perceive good Internet performance as characterized by low latency, high throughput and high availability. When browsing the Web, users are concerned with the performance of entire pages. Understanding and identifying the sources of the performance problems are very important issues, especially for e-business. Therefore, there is the need to have a service for testing and measuring e-business Web Site performance from the perspective of the end-users. We present our contribution in this area, that is, the Wing free service that has been developed for the purpose of Web transaction visualization. Our Web client that probes a Target Web Site is a real Web browser (MS IE), so the user can observe how a particular browser uses the network. Such known tools use their own Web browsing methods. Therefore, the solutions can be different from that used by real browsers, and the results can be inadequate. Wing helps identify inefficient network usage by the browser and helps to tune Web pages to use the network efficiently. Therefore, Wing can be a good analysis tool for Web page and network application developers.

  • Testing, Measuring, and Diagnosing Web Sites from the Users' Perspective
    International Journal of Enterprise Information Systems, 2006
    Co-Authors: Leszek Borzemski
    Abstract:

    Users perceive good Internet performance as characterized by low latency, high throughput and high availability. When browsing the Web, users are concerned with the performance of entire pages. Understanding and identifying the sources of the performance problems are very important issues, especially for e-business. Therefore, there is the need to have a service for testing and measuring e-business Web Site performance from the perspective of the end-users. We present our contribution in this area, that is, the Wing free service that has been developed for the purpose of Web transaction visualization. Our Web client that probes a Target Web Site is a real Web browser (MS IE), so the user can observe how a particular browser uses the network. Such known tools use their own Web browsing methods. Therefore, the solutions can be different from that used by real browsers, and the results can be inadequate. Wing helps identify inefficient network usage by the browser and helps to tune Web pages to use the network efficiently. Therefore, Wing can be a good analysis tool for Web page and network application developers.

  • Measuring of Web Performance as Perceived by End-Users
    Techniques and Tools for the Design and Implementation of Enterprise Information Systems, 1
    Co-Authors: Leszek Borzemski
    Abstract:

    Users perceive good Internet performance as characterized by low latency, high throughput, and high availability. When browsing the Web, users are concerned with the performance of entire pages. Understanding and identifying the sources of the performance problems is a very important issue, especially for e-business. Therefore, there is the need to have a service for testing and measuring e-business Web Site performance from the perspective of the end-users. We present our contribution in this area, that is, the Wing free service that has been developed for the purpose of Web transaction visualization. Our Web client that probes a Target Web Site is a real Web browser (MS IE), so the user can observe how a particular browser uses the network. Such known tools use their own Web browsing methods. Therefore, the solutions can be different from that used by real browsers and the results can be inadequate. Wing helps identify inefficient network usage by the browser and helps to tune Web pages to use the network efficiently. Therefore, Wing can be a good analysis tool for Web page and network application developers. Wing was used in an extensive study of WUT's Web access characteristics using statistical and data mining analysis methods. We also introduce the MWING system, which is based on our experiences from the Wing project. MWING is a generic automated distributed multiagent-based measurement framework for running different measurement, testing and diagnosing tasks related to the Internet; for example, in Internet topology discovering, Web benchmarking, or Grid services performance studies. One of the possible agents can be Wing-like agents downloading different Web pages in periodic experiments from many agent locations.

YUANGUI LEI - One of the best experts on this subject based on the ideXlab platform.

  • OntoWeaver: an ontology-based approach to the design of data-intensive Web Sites
    Journal of Web Engineering, 2005
    Co-Authors: YUANGUI LEI, Enrico Motta, John Domingue
    Abstract:

    Building a data-intensive Web Site is a complex task. Ad hoc rapid prototyping approaches easily lead to unsatisfactory results, e.g. poor maintainability and extensibility. To address this problem, a number of model-based approaches have been proposed, which attempt to simplify the design and development of data-intensive Web Sites. However, these approaches typically lack expressive meta-models and, as a result, suffer from a number of limitations, e.g. the lack of appropriate support for the creation of complex user interfaces, for the specification of layouts and presentation styles, and for customization. In this paper we describe a new software tool OntoWeaver, which uses ontologies to drive the design and development of data-intensive Web Sites. OntoWeaver overcomes the problems of current approaches by providing a Site view ontology, a presentation ontology, and a customization framework. Specifically, the Site view ontology provides fine-grained modelling support for the creation of complex user interfaces and navigation structures. The presentation ontology captures the features of layouts and presentation styles of user interface elements. These two explicit meta-models allow the Target Web Site to be represented in a declarative and re-usable format, thus enabling high level support for design, maintenance, and customization. The customization framework exploits this advantage and provides comprehensive customization support for the Target Web Site at design as well as run time.

  • EKAW - An Ontology-Driven Approach to Web Site Generation and Maintenance
    Knowledge Engineering and Knowledge Management: Ontologies and the Semantic Web, 2002
    Co-Authors: YUANGUI LEI, Enrico Motta, John Domingue
    Abstract:

    Building and maintaining a data-intensive Web Site is costly and time-consuming and a number of approaches have addressed this problem using a model-based methodology. This paper presents IIPS (Intelligent Information Presentation System), a system that uses an ontology-driven approach to Site generation and management. IIPS provides a suite of visual tools, which make it possible to model a data-intensive Web Site at a conceptual level, using Site, interface and domain ontologies. As a result, the Site designer can focus on the conceptual structure of the Target Web Site and associated resources, independently of its realization. IIPS also provides explicit mapping mechanisms, which make it possible to generate quickly Site implementations from the conceptual model. IIPS improves over existing model-based approaches to Web design, by providing knowledge-level support for all aspects of Web design, including Site and resource specification, presentation and domain data.

  • An Ontology-Driven Approach to Web Site Generation and Maintenance
    Knowledge Engineering and Knowledge Management: Ontologies and the Semantic Web, 2002
    Co-Authors: YUANGUI LEI, Enrico Motta, John Domingue
    Abstract:

    Building and maintaining a data-intensive Web Site is costly and time-consuming and a number of approaches have addressed this problem using a model-based methodology. This paper presents IIPS (Intelligent Information Presentation System), a system that uses an ontology-driven approach to Site generation and management. IIPS provides a suite of visual tools, which make it possible to model a data-intensive Web Site at a conceptual level, using Site, interface and domain ontologies. As a result, the Site designer can focus on the conceptual structure of the Target Web Site and associated resources, independently of its realization. IIPS also provides explicit mapping mechanisms, which make it possible to generate quickly Site implementations from the conceptual model. IIPS improves over existing model-based approaches to Web design, by providing knowledge-level support for all aspects of Web design, including Site and resource specification, presentation and domain data.