TL;DR: The SWISS-MODEL workspace is a web-based integrated service dedicated to protein structure homology modelling that assists and guides the user in building protein homology models at different levels of complexity.
Abstract: Motivation: Homology models of proteins are of great interest for planning and analysing biological experiments when no experimental three-dimensional structures are available. Building homology models requires specialized programs and up-to-date sequence and structural databases. Integrating all required tools, programs and databases into a single web-based workspace facilitates access to homology modelling from any computer with a web connection, without the need to download and install large program packages and databases.
Results: SWISS-MODEL workspace is a web-based integrated service dedicated to protein structure homology modelling. It assists and guides the user in building protein homology models at different levels of complexity. A personal working environment is provided for each user, where several modelling projects can be carried out in parallel. Protein sequence and structure databases necessary for modelling are accessible from the workspace and are updated at regular intervals. Tools for template selection, model building and structure quality evaluation can be invoked from within the workspace. Workflow and usage of the workspace are illustrated by modelling human Cyclin A1 and human Transmembrane Protease 3.
Availability: The SWISS-MODEL workspace can be accessed freely at http://swissmodel.expasy.org/workspace/
Contact: Torsten.Schwede@unibas.ch
Supplementary information: Supplementary data are available at Bioinformatics online.
TL;DR: If effectively deployed, wikis, blogs and podcasts could offer a way to enhance students', clinicians' and patients' learning experiences, and deepen levels of learners' engagement and collaboration within digital learning environments.
Abstract: We have witnessed a rapid increase in the use of Web-based 'collaborationware' in recent years. These Web 2.0 applications, particularly wikis, blogs and podcasts, have been increasingly adopted by many online health-related professional and educational services. Because of their ease of use and rapidity of deployment, they offer the opportunity for powerful information sharing and ease of collaboration. Wikis are Web sites that can be edited by anyone who has access to them. The word 'blog' is a contraction of 'Web Log' – an online Web journal that can offer a resource rich multimedia environment. Podcasts are repositories of audio and video materials that can be "pushed" to subscribers, even without user intervention. These audio and video files can be downloaded to portable media players that can be taken anywhere, providing the potential for "anytime, anywhere" learning experiences (mobile learning). Wikis, blogs and podcasts are all relatively easy to use, which partly accounts for their proliferation. The fact that there are many free and Open Source versions of these tools may also be responsible for their explosive growth. Thus it would be relatively easy to implement any or all within a Health Professions' Educational Environment. Paradoxically, some of their disadvantages also relate to their openness and ease of use. With virtually anybody able to alter, edit or otherwise contribute to the collaborative Web pages, it can be problematic to gauge the reliability and accuracy of such resources. While arguably, the very process of collaboration leads to a Darwinian type 'survival of the fittest' content within a Web page, the veracity of these resources can be assured through careful monitoring, moderation, and operation of the collaborationware in a closed and secure digital environment. Empirical research is still needed to build our pedagogic evidence base about the different aspects of these tools in the context of medical/health education. 
If effectively deployed, wikis, blogs and podcasts could offer a way to enhance students', clinicians' and patients' learning experiences, and deepen levels of learners' engagement and collaboration within digital learning environments. Therefore, research should be conducted to determine the best ways to integrate these tools into existing e-Learning programmes for students, health professionals and patients, taking into account the different, but also overlapping, needs of these three audience classes and the opportunities of virtual collaboration between them. Of particular importance is research into novel integrative applications, to serve as the "glue" to bind the different forms of Web-based collaborationware synergistically in order to provide a coherent wholesome learning experience.
TL;DR: This paper uses flow-sensitive, interprocedural and context-sensitive dataflow analysis to discover vulnerable points in a program and applies it to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection.
Abstract: The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable Web applications by means of static source code analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive dataflow analysis to discover vulnerable points in a program. In addition, alias and literal analysis are employed to improve the correctness and precision of the results. The presented concepts are targeted at the general class of taint-style vulnerabilities and can be applied to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection. Pixy, the open source prototype implementation of our concepts, is targeted at detecting cross-site scripting vulnerabilities in PHP scripts. Using our tool, we discovered and reported 15 previously unknown vulnerabilities in three Web applications, and reconstructed 36 known vulnerabilities in three other Web applications. The observed false positive rate is at around 50% (i.e., one false positive for each vulnerability) and therefore, low enough to permit effective security audits.
TL;DR: This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques.
Abstract: Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SqlCheckS, an implementation for the setting of SQL command injection attacks. We evaluated SqlCheckS on real-world web applications with systematically compiled real-world attack data as input. SqlCheckS produced no false positives or false negatives, incurred low runtime overhead, and applied straightforwardly to web applications written in different languages.
TL;DR: This paper investigates how detailed tracking of user interaction can be monitored using standard web technologies to enable implicit interaction and to ease usability evaluation of web applications outside the lab.
Abstract: In this paper, we investigate how detailed tracking of user interaction can be monitored using standard web technologies. Our motivation is to enable implicit interaction and to ease usability evaluation of web applications outside the lab. To obtain meaningful statements on how users interact with a web application, the collected information needs to be more detailed and fine-grained than that provided by classical log files. We focus on tasks such as classifying the user with regard to computer usage proficiency or making a detailed assessment of how long it took users to fill in fields of a form. Additionally, it is important in the context of our work that usage tracking should not alter the user's experience and that it should work with existing server and browser setups. We present an implementation for detailed tracking of user actions on web pages. An HTTP proxy modifies HTML pages by adding JavaScript code before delivering them to the client. This JavaScript tracking code collects data about mouse movements, keyboard input and more. We demonstrate the usefulness of our approach in a case study.
TL;DR: A static analysis algorithm for detecting security vulnerabilities in PHP, a popular server-side scripting language for building web applications, is presented, finding 105 previously unknown security vulnerabilities, most of which the authors believe are remotely exploitable.
Abstract: We present a static analysis algorithm for detecting security vulnerabilities in PHP, a popular server-side scripting language for building web applications. Our analysis employs a novel three-tier architecture to capture information at decreasing levels of granularity at the intrablock, intraprocedural, and interprocedural level. This architecture enables us to handle dynamic features of scripting languages that have not been adequately addressed by previous techniques.
We demonstrate the effectiveness of our approach on six popular open source PHP code bases, finding 105 previously unknown security vulnerabilities, most of which we believe are remotely exploitable.
TL;DR: Noxes is presented, which is, to the best of the authors' knowledge, the first client-side solution to mitigate cross-site scripting attacks; it effectively protects against information leakage from the user's environment while requiring minimal user interaction and customization effort.
Abstract: Web applications are becoming the dominant way to provide access to on-line services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is embedded into web pages to support dynamic client-side behavior. This script code is executed in the context of the user's web browser. To protect the user's environment from malicious JavaScript code, a sand-boxing mechanism is used that limits a program to access only resources associated with its origin site. Unfortunately, these security mechanisms fail if a user can be lured into downloading malicious JavaScript code from an intermediate, trusted site. In this case, the malicious script is granted full access to all resources (e.g., authentication tokens and cookies) that belong to the trusted site. Such attacks are called cross-site scripting (XSS) attacks. In general, XSS attacks are easy to execute, but difficult to detect and prevent. One reason is the high flexibility of HTML encoding schemes, offering the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Also, devising a client-side solution is not easy because of the difficulty of identifying JavaScript code as being malicious. This paper presents Noxes, which is, to the best of our knowledge, the first client-side solution to mitigate cross-site scripting attacks. Noxes acts as a web proxy and uses both manual and automatically generated rules to mitigate possible cross-site scripting attempts. Noxes effectively protects against information leakage from the user's environment while requiring minimal user interaction and customization effort.
TL;DR: This article describes the Web Application Description Language (WADL), designed to provide a machine processable protocol description format for use with such HTTP-based Web applications, especially those using XML.
Abstract: This article describes the Web Application Description Language (WADL). An increasing number of Web-based enterprises (Google, Yahoo, Amazon, Flickr - to name but a few) are developing HTTP-based applications that provide access to their internal data using XML. Typically these applications are described using a combination of textual protocol descriptions combined with XML schema-based data format descriptions; WADL is designed to provide a machine processable protocol description format for use with such HTTP-based Web applications, especially those using XML.
TL;DR: The "Open Web Application Security Project" (OWASP) was initiated in 2004 to support companies and organisations in developing and maintaining trustworthy applications.
Abstract: The "Open Web Application Security Project" (OWASP) was initiated in 2004 with the goal of supporting companies and organisations in developing and maintaining trustworthy applications. OWASP is a vendor-independent organisation. To ensure its long-term continuity, the OWASP Foundation was established, which individuals and companies can join (annual membership fee: 100 to 9,000 US$). All revenue and financial contributions are invested directly in OWASP projects. OWASP's activities and results are documented in a wiki (i.e. an open-source content management system whose content can also be changed and extended by any visitor). As with many open-source projects, most OWASP materials are produced in an open collaborative process. At the annual two-day OWASP AppSec conferences (one in the USA, one in Europe), the latest developments in the field of application security are presented and discussed.
TL;DR: SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities is developed.
Abstract: As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidents involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.
TL;DR: A web-based 3D reconstruction service, developed to relieve those needs of the cultural heritage field, consisting of a pipeline that starts with the user uploading images of an object or scene(s) he wants to reconstruct in 3D.
Abstract: The use of 3D information in the field of cultural heritage is increasing year by year. From this field comes a large demand for cheaper and more flexible ways of 3D reconstruction. This paper describes a web-based 3D reconstruction service, developed to relieve those needs of the cultural heritage field. This service consists of a pipeline that starts with the user uploading images of an object or scene(s) he wants to reconstruct in 3D. The automatic reconstruction process, running on a server connected to a cluster of computers, computes the camera calibration, as well as dense depth (or range-) maps for the images. This result can be downloaded from an ftp server and visualized with a specific tool running on the user’s PC.
TL;DR: The present invention generally relates to computer systems, and more particularly to an apparatus, a visual method and a system for rapid construction and delivery of distributed applications, such as web applications and web services, as described in this paper.
Abstract: The present invention generally relates to computer systems, and more particularly to an apparatus, a visual method and a system for rapid construction and delivery of distributed applications, such as web applications and web services.
TL;DR: The results indicate that the enjoyment of helping others is the most frequently cited reason for customer knowledge sharing in web‐based discussion boards, and the lack of knowledge self‐efficacy is the most cited reason explaining why customers do not want to share knowledge with others.
Abstract: Purpose – The proliferation and advance of web‐based technologies create expanded opportunities for retailers to gain a better understanding of their customers. However, the success of these web‐based discussion boards depends solely on whether customers are willing to share their knowledge and experience with other customers in these discussion boards. Thus, this study aims at identifying the factors that drive knowledge sharing among customers in web‐based discussion boards. Design/methodology/approach – An exploratory study with 104 respondents was conducted to identify and categorize the key factors of customer knowledge sharing in web‐based discussion boards. Findings – The results indicate that the enjoyment of helping others is the most frequently cited reason for customer knowledge sharing in web‐based discussion boards. On the other hand, the lack of knowledge self‐efficacy is the most cited reason explaining why customers do not want to share knowledge with others. Research limitations/implicatio...
TL;DR: The main differences between Web-based applications and traditional ones, how these differences impact the testing of the former ones, and some relevant contributions in the field of Web application testing developed in recent years are presented.
Abstract: Software testing is a difficult task and testing Web-based applications may be even more difficult, due to the peculiarities of such applications. In the last years, several problems in the field of Web-based applications testing have been addressed by research work, and several methods and techniques have been defined and used to test Web-based applications effectively. This paper will present the main differences between Web-based applications and traditional ones, how these differences impact the testing of the former ones, and some relevant contributions in the field of Web application testing developed in recent years. The focus is mainly on testing the functionality of a Web-based application, even if some discussion about the testing of non-functional requirements is provided too. Some indications about future trends in Web application testing are also outlined in the paper.
TL;DR: In this paper, a web application is analyzed to determine filtering and acceptance characteristics of the web site and a vocabulary of allowed symbols is created to be used in the building of attack strings.
Abstract: A web application is more efficiently analyzed by intelligently generating attack sequences to be used in the assessment. Rather than simply sending a canned list of static strings at a web application, the operation of the web application is analyzed to determine the filtering and acceptance characteristics of the web site. As this information is ascertained, a vocabulary of allowed symbols is created. This vocabulary is used in the building of attack strings and as such, the number of attack strings fired at the web application is greatly reduced, as well as the number of false positives.
TL;DR: In this article, a system and method for protection of Web based applications is described, which provides an enterprise wide approach to preventing attacks of Web-based applications by comparing the traffic to a profile of acceptable user traffic when interacting with the application.
Abstract: A system and method for protection of Web based applications are described. The techniques described provide an enterprise wide approach to preventing attacks of Web based applications. Individual computer networks within the enterprise monitor network traffic to identify anomalous traffic. The anomalous traffic can be identified by comparing the traffic to a profile of acceptable user traffic when interacting with the application. The anomalous traffic, or security events, identified at the individual computer networks are communicated to a central security manager. The central security manager correlates the security events at the individual computer networks to determine if there is an enterprise wide security threat. The central security manager can then communicate instructions to the individual computer networks so as to provide an enterprise wide solution to the threat.
TL;DR: The approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the Web application itself, which can be used to secure a number of popular open-source Web applications.
Abstract: The Web has become an indispensable part of our lives. Unfortunately, as our dependency on the Web increases, so does the interest of attackers in exploiting Web applications and Web-based information systems. Previous work in the field of Web application security has mainly focused on the mitigation of cross site scripting (XSS) and SQL injection attacks. In contrast, cross site request forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a Web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that Web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by Web application developers. As a result, there exist many Web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the Web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source Web applications, without negatively affecting their behavior.
TL;DR: In this paper, the authors explore the competencies required for a project manager to be effective in the workplace using a Web-based Delphi method to lead experienced project managers through an anonymous consensus-building process consisting of two rounds of surveys.
Abstract: In this study, we explore the competencies required for a project manager to be effective in the workplace. We used a Web-based Delphi method to lead experienced project managers through an anonymous consensus-building process consisting of two rounds of surveys. The Round I analysis of 147 respondents, all with 20 or more years of project management experience, yielded 117 project management success factors, 78 of which were identified as trainable competencies. The Round II analysis confirmed 42 of the 78 competencies (53.8%) as very important to extremely important to project manager success. Important contributions of this study include: (a) reporting on project manager competencies that can inform the literature and guide the development of educational programs for instructional designers and other professionals, and (b) demonstrating the Web-based Delphi technique to be an efficient methodology for conducting a front-end analysis, a core process of instructional design (ID) work.
TL;DR: This paper addresses the problem of vulnerable web applications by means of static source code analysis by presenting a novel, precise alias analysis targeted at the unique reference semantics commonly found in scripting languages.
Abstract: The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable web applications by means of static source code analysis. To this end, we present a novel, precise alias analysis targeted at the unique reference semantics commonly found in scripting languages. Moreover, we enhance the quality and quantity of the generated vulnerability reports by employing a novel, iterative two-phase algorithm for fast and precise resolution of file inclusions. We integrated the presented concepts into Pixy, a high-precision static analysis tool aimed at detecting cross-site scripting vulnerabilities in PHP scripts. To demonstrate the effectiveness of our techniques, we analyzed three web applications and discovered 106 vulnerabilities. Both the high analysis speed as well as the low number of generated false positives show that our techniques can be used for conducting effective security audits.
TL;DR: The security evaluation shows that Tahoma can prevent or contain 87% of the vulnerabilities that have been identified in the widely used Mozilla browser, and measurements of latency, throughput, and responsiveness demonstrate that users need not sacrifice performance for the benefits of stronger isolation and safety.
Abstract: This paper describes the architecture and implementation of the Tahoma Web browsing system. Key to Tahoma is the browser operating system (BOS), a new trusted software layer on which Web browsers execute. The benefits of this architecture are threefold. First, the BOS runs the client-side component of each Web application (e.g., on-line banking, Web mail) in its own virtual machine. This provides strong isolation between Web services and the user's local resources. Second, Tahoma lets Web publishers limit the scope of their Web applications by specifying which URLs and other resources their browsers are allowed to access. This limits the harm that can be caused by a compromised browser. Third, Tahoma treats Web applications as first-class objects that users explicitly install and manage, giving them explicit knowledge about and control over downloaded content and code. We have implemented a prototype of Tahoma using Linux and the Xen virtual machine monitor. Our security evaluation shows that Tahoma can prevent or contain 87% of the vulnerabilities that have been identified in the widely used Mozilla browser. In addition, our measurements of latency, throughput, and responsiveness demonstrate that users need not sacrifice performance for the benefits of stronger isolation and safety.
TL;DR: This paper describes the proof markup language (PML), an interlingua representation for justifications of results produced by Semantic Web services, and introduces the Inference Web infrastructure that uses PML as the foundation for providing explanations of Web services to end users.
TL;DR: Table of contents of an edited Web Engineering book whose chapters cover requirements engineering, modelling, architectures, design, technologies, testing, operation and maintenance, project management, the development process, usability, performance and security of Web applications, closing with "The Semantic Web - The Network of Meanings in the Network of Documents" (Wernher Behrendt, Nitin Arora).
Abstract: Preface. Foreword. 1. An Introduction to Web Engineering (Gerti Kappel, Birgit Proll, Siegfried Reich, Werner Retschitzegger). 2. Requirements Engineering for Web Applications (Paul Grunbacher). 3. Modeling Web Applications (Wieland Schwinger, Nora Koch). 4. Web Application Architectures (Christian Eichinger). 5. Technology-aware Web Application Design (Gerhard Austaller, Andreas Hartl, Markus Lauff, Fernando Lyardet, Max Muhlhauser). 6. Technologies for Web Applications (Martin Nussbaumer, Martin Gaedke). 7. Testing Web Applications (Christoph Steindl, Rudolf Ramler, Josef Altmann). 8. Operation and Maintenance of Web Applications (Arno Ebner, Birgit Proll, Hannes Werthner). 9. Web Project Management (Herwig Mayr). 10. The Web Application Development Process (Gregor Engels, Marc Lohmann, Annika Wagner). 11. Usability of Web Applications (Martin Hitz, Gerhard Leitner, Rudolf Melcher). 12. Performance of Web Applications (Gabriele Kotsis). 13. Security for Web Applications (Martin Wimmer, Alfons Kemper, Stefan Seltzsam). 14. The Semantic Web-The Network of Meanings in the Network of Documents (Wernher Behrendt, Nitin Arora). Glossary. Author Biographies. Bibliography. Credits. Index.
TL;DR: Examination of four factors affecting retention in Web-based community college courses provided evidence that time management and procrastination are the primary reasons that community college students fail or drop a Web-based course.
Abstract: The current study examined four factors affecting retention in Web-based community college courses. Analyses were conducted on student demographics, student learning styles, course communication and external factors. The results suggest that Web-based courses are more attractive to busy students who are also more likely to fail or drop the course. The combined results from the four factors provided evidence that time management and procrastination are the primary reasons that community college students fail or drop a Web-based course. The study also found evidence that inability to get feedback from instructors may contribute to student dropout and failure in Web-based community college courses.
TL;DR: The standard environment for testing with Selenium is described, as well as modifications the authors performed to incorporate their script pages into a wiki, and whether additional automated functional testing below the GUI layer was still necessary and/or appropriate.
Abstract: Ever in search of a silver bullet for automated functional testing for Web applications, many folks have turned to Selenium. Selenium is an open-source project for in-browser testing, originally developed by ThoughtWorks and now boasting an active community of developers and users. One of Selenium's stated goals is to become the de facto open-source replacement for proprietary tools such as WinRunner. Of particular interest to the agile community is that it offers the possibility of test-first design of Web applications, red-green signals for customer acceptance tests, and an automated regression test bed for the Web tier. This experience report describes the standard environment for testing with Selenium, as well as modifications we performed to incorporate our script pages into a wiki. It includes lessons we learned about continuous integration, script writing, and using the Selenium Recorder (renamed IDE). We also discuss how long it took to write and maintain the scripts in the iterative development environment, how close we came to covering all of the functional requirements with tests, how often the tests should be (and were) run, and whether additional automated functional testing below the GUI layer was still necessary and/or appropriate. While no silver bullet, Selenium has become a valuable addition to our agile testing toolkit, and is used on the majority of our Web application projects. It promises to become even more valuable as it gains widespread adoption and continues to be actively developed.
TL;DR: In this paper, the authors present an exploratory analysis of over 200 brand and corporate sites for customer integration, highlighting the tools that firms mainly use and identifying some relevant industrial and firm specificities.
Abstract: Customers have proven to be a precious source of new solutions in various product categories and, by becoming directly involved in the innovation process, they can help companies better anticipate market changes. The web can greatly simplify these activities by making it easier to manage systematic interactions with a select group of customers at a low cost. However, empirical evidence regarding the actual diffusion of web-based tools supporting collaborative innovation remains weak. After reviewing the past findings on web-based tools for customer integration, this article presents an exploratory analysis of over 200 brand and corporate sites. It highlights the tools that firms mainly use and identifies some relevant industrial and firm specificities.
TL;DR: In this article, the authors explore how reverse engineering techniques can help analyze classic web applications for migration purposes; their approach, using a schema-based clustering technique, extracts a navigational model of web applications and identifies candidate user interface components to be migrated to a single-page AJAX interface.
Abstract: Recently, a new web development technique for creating interactive web applications, dubbed AJAX, has emerged. In this new model, the single-page web interface is composed of individual components which can be updated/replaced independently. With the rise of AJAX web applications classical multi-page web applications are becoming legacy systems. If until a year ago, the concern revolved around migrating legacy systems to web-based settings, today we have a new challenge of migrating web applications to single-page AJAX applications. Gaining an understanding of the navigational model and user interface structure of the source application is the first step in the migration process. In this paper, we explore how reverse engineering techniques can help analyze classic web applications for this purpose. Our approach, using a schema-based clustering technique, extracts a navigational model of web applications, and identifies candidate user interface components to be migrated to a single-page AJAX interface. Additionally, results of a case study, conducted to evaluate our tool, are presented.
TL;DR: The different technology types for analyzing Web applications and Web services for security vulnerabilities, along with each type's advantages and disadvantages are described.
Abstract: Security testing a Web application or Web site requires careful thought and planning due to both tool and industry immaturity. Finding the right tools involves several steps, including analyzing the development environment and process, business needs, and the Web application's complexity. Here, we describe the different technology types for analyzing Web applications and Web services for security vulnerabilities, along with each type's advantages and disadvantages. At Foundstone, we work with some of the world's biggest banks and telecommunications companies to identify and resolve security issues. Together with our clients, we face challenging testing scenarios in the context of demanding applications and complex business environments. We've seen firsthand what works and what doesn't; what's marketing hype and what gets results. Our analysis here is based on our collective experiences and the lessons we've learned along the way.
TL;DR: RequestRodeo, a client side solution to counter the threat of Session Riding attacks on web applications, is introduced; it implements protection against the exploitation of implicit authentication mechanisms.
Abstract: The term Session Riding denotes a class of attacks on web applications that exploit implicit authentication processes. There are four distinct methods of implicit authentication found in today’s web applications: Cookies, http authentication, IP address based access control and client side SSL authentication. As many web applications fail to protect their users against Session Riding attacks we introduce RequestRodeo, a client side solution to counter this threat. With the exception of client side SSL, RequestRodeo implements protection against the exploitation of implicit authentication mechanisms. This protection is achieved by removing authentication information from suspicious requests.
TL;DR: This paper presents a Web-based intelligent tutoring system, called BITS, that takes full advantage of Bayesian networks, a formal framework for uncertainty management in Artificial Intelligence based on probability theory.
Abstract: In this paper, we present a Web-based intelligent tutoring system, called BITS. The decision making process conducted in our intelligent system is guided by a Bayesian network approach to support students in learning computer programming. Our system takes full advantage of Bayesian networks, which are a formal framework for uncertainty management in Artificial Intelligence based on probability theory. We discuss how to employ Bayesian networks as an inference engine to guide the students' learning processes. In addition, we describe the architecture of BITS and the role of each module in the system. Whereas many tutoring systems are static HTML Web pages of a class textbook or lecture notes, our intelligent system can help a student navigate through the online course materials, recommend learning goals, and generate appropriate reading sequences.