TL;DR: By managing data with XNAT, laboratories are prepared to better maintain the long-term integrity of their data, to explore emergent relations across data types, and to share their data with the broader neuroimaging community.
Abstract: The Extensible Neuroimaging Archive Toolkit (XNAT) is a software platform designed to facilitate common management and productivity tasks for neuroimaging and associated data. In particular, XNAT enables quality control procedures and provides secure access to and storage of data. XNAT follows a three-tiered architecture that includes a data archive, user interface, and middleware engine. Data can be entered into the archive as XML or through data entry forms. Newly added data are stored in a virtual quarantine until an authorized user has validated it. XNAT subsequently maintains a history profile to track all changes made to the managed data. User access to the archive is provided by a secure web application. The web application provides a number of quality control and productivity features, including data entry forms, data-type-specific searches, searches that combine across data types, detailed reports, and listings of experimental data, upload/download tools, access to standard laboratory workflows, and administration and security tools. XNAT also includes an online image viewer that supports a number of common neuroimaging formats, including DICOM and Analyze. The viewer can be extended to support additional formats and to generate custom displays. By managing data with XNAT, laboratories are prepared to better maintain the long-term integrity of their data, to explore emergent relations across data types, and to share their data with the broader neuroimaging community.
TL;DR: This paper proposes a precise, sound, and fully automated analysis technique for SQL injection that successfully discovered previously unknown and sometimes subtle vulnerabilities in real-world programs, has a low false positive rate, and scales to large programs.
Abstract: Web applications are popular targets of security attacks. One common type of such attacks is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries. Both static and dynamic approaches have been proposed to detect or prevent SQL injections; while dynamic approaches provide protection for deployed software, static approaches can detect potential vulnerabilities before software deployment. Previous static approaches are mostly based on tainted information flow tracking and have at least some of the following limitations: (1) they do not model the precise semantics of input sanitization routines; (2) they require manually written specifications, either for each query or for bug patterns; or (3) they are not fully automated and may require user intervention at various points in the analysis. In this paper, we address these limitations by proposing a precise, sound, and fully automated analysis technique for SQL injection. Our technique avoids the need for specifications by considering as attacks those queries for which user input changes the intended syntactic structure of the generated query. It checks conformance to this policy by conservatively characterizing the values a string variable may assume with a context free grammar, tracking the nonterminals that represent user-modifiable data, and modeling string operations precisely as language transducers. We have implemented the proposed technique for PHP, the most widely-used web scripting language. Our tool successfully discovered previously unknown and sometimes subtle vulnerabilities in real-world programs, has a low false positive rate, and scales to large programs (with approx. 100K loc).
TL;DR: This paper proposes a new algorithm that can produce within 30 seconds high-quality solutions for hard placement problems with thousands of machines and thousands of applications, and has been implemented and adopted in a leading commercial middleware product for managing the performance of Web applications.
Abstract: Given a set of machines and a set of Web applications with dynamically changing demands, an online application placement controller decides how many instances to run for each application and where to put them, while observing all kinds of resource constraints. This NP hard problem has real usage in commercial middleware products. Existing approximation algorithms for this problem can scale to at most a few hundred machines, and may produce placement solutions that are far from optimal when system resources are tight. In this paper, we propose a new algorithm that can produce within 30 seconds high-quality solutions for hard placement problems with thousands of machines and thousands of applications. This scalability is crucial for dynamic resource provisioning in large-scale enterprise data centers. Our algorithm allows multiple applications to share a single machine, and strives to maximize the total satisfied application demand, to minimize the number of application starts and stops, and to balance the load across machines. Compared with existing state-of-the-art algorithms, for systems with 100 machines or less, our algorithm is up to 134 times faster, reduces application starts and stops by up to 97%, and produces placement solutions that satisfy up to 25% more application demands. Our algorithm has been implemented and adopted in a leading commercial middleware product for managing the performance of Web applications.
TL;DR: The mashup architecture is proposed, the current SOA model is extended with mashup, and a mashup component model is proposed to help developers create their own composite services.
Abstract: Mashup is a hallmark of Web 2.0 and attracts both industry and academia. It refers to an ad hoc composition technology of Web applications that allows users to draw upon content retrieved from external data sources to create entirely new services. Compared to traditional "developer-centric" composition technologies, e.g., BPEL and WSCI, mashup provides a flexible and easy-to-use way for service composition on Web. It makes the consumers free to compose services as they wish as well as simplifies the composition task. This paper makes two contributions. Firstly, we propose the mashup architecture, extend current SOA model with mashup and analyze how it facilitates service composition. Secondly, we propose a mashup component model to help developers leverage to create their own composite services. A case study is given to illustrate how to do service composition by mashup. This paper also discusses some interesting topics about mashup.
TL;DR: Fact Finding and Information Gathering tasks were the most complex; participants spent more time completing this task, viewed more pages, and used the Web browser functions most heavily during this task.
TL;DR: The Ruby on Rails framework is a novel Web 2.0 framework that attempts to combine PHP's simple immediacy with Java's architecture, purity, and quality.
Abstract: Ruby on Rails is an open source framework developed to increase programmer productivity and reduce entry barriers to programming Web applications. Ruby on Rails is a novel Web 2.0 framework that attempts to combine PHP's simple immediacy with Java's architecture, purity, and quality. RoR is based on the dynamically typed, object-oriented Ruby programming language.
TL;DR: In this article, the authors introduce a set of integrated developments in Web application software, networking, data citation standards, and statistical methods designed to increase scholarly recognition for data contributions; to put some of the universe of data and data-sharing practices on firmer ground; and to facilitate the public distribution of persistent, authorized, and verifiable data, with powerful and easy-to-use technology, even when the data are confidential or proprietary.
Abstract: The author introduces a set of integrated developments in Web application software, networking, data citation standards, and statistical methods designed to increase scholarly recognition for data contributions; to put some of the universe of data and data-sharing practices on firmer ground; and to facilitate the public distribution of persistent, authorized, and verifiable data, with powerful and easy-to-use technology, even when the data are confidential or proprietary. The goal is to solve some of the political and sociological problems of data sharing via technological means, with the result intended to benefit both the scientific community and the sometimes apparently contradictory goals of individual researchers.
TL;DR: In this paper, the authors compared in-person interviews with web-based surveys regarding response rate, information additivity effects and respondents' attitudes towards paying, and concluded in favor of the use of web based surveys.
TL;DR: This article reviews and summarizes recent technology developments, current usage of Web-based DSS, and trends in the deployment of such systems.
Abstract: World Wide Web technologies have transformed the design, development, implementation and deployment of decision support systems. This article reviews and summarizes recent technology developments, current usage of Web-based DSS, and trends in the deployment of such systems. Many firms use the Web as a medium to convey information about DSS products or to distribute DSS software. The use of Web-based computation to provide product demonstrations or to deploy DSS applications for remote access remains less common. The academic literature on Web-based DSS is largely focused on applications and implementations, and only a few articles examine architectural issues or provide design guidelines based on empirical evidence.
TL;DR: This paper outlines a semantic weblogs scenario that illustrates the potential for combining Web 2.0 and Semantic Web technologies, while highlighting the unresolved issues that impede its realization.
Abstract: A common perception is that there are two competing visions for the future evolution of the Web: the Semantic Web and Web 2.0. A closer look, though, reveals that the core technologies and concerns of these two approaches are complementary and that each field can and must draw from the other's strengths. We believe that future web applications will retain the Web 2.0 focus on community and usability, while drawing on Semantic Web infrastructure to facilitate mashup-like information sharing. However, there are several open issues that must be addressed before such applications can become commonplace. In this paper, we outline a semantic weblogs scenario that illustrates the potential for combining Web 2.0 and Semantic Web technologies, while highlighting the unresolved issues that impede its realization. Nevertheless, we believe that the scenario can be realized in the short-term. We point to recent progress made in resolving each of the issues as well as future research directions for each of the communities.
TL;DR: This book provides detailed review of state of the art technologies associated with these challenges, including the most recent developments in cartometric analysis techniques able to support high levels of automation among multi scale derivation techniques.
Abstract: Users have come to expect instant access to up-to-date geographical information, with global coverage - presented at widely varying levels of detail, as digital and paper products; customisable data that can readily be combined with other geographic information. These requirements present an immense challenge to those supporting the delivery of such services (National Mapping Agencies (NMA), Government Departments, and private business). "Generalisation of Geographic Information: Cartographic Modelling and Applications" provides detailed review of state of the art technologies associated with these challenges, including the most recent developments in cartometric analysis techniques able to support high levels of automation among multi scale derivation techniques. The book illustrates the application of these ideas within existing and emerging technologies. In addition to providing a comprehensive theoretical underpinning, the book demonstrates how theoretical developments have translated into commercial systems deployed within NMAs. The book explores relevance of open systems in support of collaborative research and open source web based map services. It features state of the art review on multi scale representation techniques. It provides detailed consideration of database requirements and object modeling in support of emerging applications (3D, mobile) and innovative delivery (map generalisation services). It provides illustration through existing map production environment implementations. It contains consolidated bibliography (680 entries), 200 illustrations, author and subject index.
TL;DR: The results demonstrate the value of survey research conducted over the Internet in concert with traditional mail survey strategies, and compare the demographic and health characteristics of Web responders with those of paper responders.
Abstract: Almost 60% of American households were connected to the Internet in 2001, when the Millennium Cohort Study, the largest longitudinal study ever undertaken by the Department of Defense, was launched. To facilitate survey completion, increase data integrity, and encourage cohort retention while maintaining the highest standards of participant privacy, an online questionnaire was made available on the World Wide Web in addition to a traditional paper questionnaire sent via US mail. Over 50% of 77,047 participants chose to enroll in the study via the Web, affording substantial cost savings to the project. Using multivariable logistic regression, the authors compared the demographic and health characteristics of Web responders with those of paper responders. Web responders were slightly more likely to be male, to be younger, to have a high school diploma or college degree, and to work in information technology or another technical occupation. Web responders were more likely to be obese and to smoke more cigarettes and were less likely to be problem alcohol drinkers and to report occupational exposures. Question completion rates were 98.3%, on average, for both Web and paper responders. Web responders provided more complete contact information, including their e-mail addresses. These results demonstrate the value of survey research conducted over the Internet in concert with traditional mail survey strategies.
TL;DR: New language features are developed that make it possible to write realistic web applications and move trust out of the web application and into the framework and compiler, providing application deployers with stronger security assurance.
Abstract: SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. Information flow analysis is known to be useful against SQL injection and cross-site scripting, but SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients. Expressive policies allow users and application providers to protect information from one another.
SIF moves trust out of the web application, and into the framework and compiler. This provides application deployers with stronger security assurance.
Language-based information flow promises cheap, strong information security. But until now, it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead.
TL;DR: This article illustrates a conceptual framework that provides modeling facilities for context-aware, multichannel Web applications and shows how high-level modeling constructs can drive the application development process through automatic code generation.
Abstract: Context-aware, multi-channel Web applications are more and more gaining consensus among both content providers and consumers, but very few proposals exist for their conceptual modeling. This article illustrates a conceptual framework that provides modeling facilities for context-aware, multichannel Web applications; it also shows how high-level modeling constructs can drive the application development process through automatic code generation. Our work stresses the importance of user-independent, context-triggered adaptation actions, in which the context plays the role of a “first class” actor, operating independently of users on the same hypertext the users navigate. Modeling concepts are based on WebML (Web Modeling Language), an already established conceptual model for data-intensive Web applications, which is also accompanied by a development method and a CASE tool. However, given their general validity, the concepts of this article shape up a complete framework that can be adopted independently of the chosen model, method, and tool.
TL;DR: A method to evaluate and benchmark automatic web vulnerability scanners using software fault injection techniques, where the most common types of software faults are injected in the web application code which is then checked by the scanners.
Abstract: Web applications are typically developed with hard time constraints and are often deployed with security vulnerabilities. Automatic web vulnerability scanners can help to locate these vulnerabilities and are popular tools among developers of web applications. Their purpose is to stress the application from the attacker's point of view by issuing a huge amount of interaction within it. Two of the most widely spread and dangerous vulnerabilities in web applications are SQL injection and cross site scripting (XSS), because of the damage they may cause to the victim business. Trusting the results of web vulnerability scanning tools is of utmost importance. Without a clear idea on the coverage and false positive rate of these tools, it is difficult to judge the relevance of the results they provide. Furthermore, it is difficult, if not impossible, to compare key figures of merit of web vulnerability scanners. In this paper we propose a method to evaluate and benchmark automatic web vulnerability scanners using software fault injection techniques. The most common types of software faults are injected in the web application code which is then checked by the scanners. The results are compared by analyzing coverage of vulnerability detection and false positives. Three leading commercial scanning tools are evaluated and the results show that in general the coverage is low and the percentage of false positives is very high.
TL;DR: Future developments in Web applications will be driven by advances in browser technology, Web Internet infrastructure, protocol standards, software engineering methods, and application trends.
Abstract: A Web application is an application that is invoked with a Web browser over the Internet. Ever since 1994 when the Internet became available to the public and especially in 1995 when the World Wide Web put a usable face on the Internet, the Internet has become a platform of choice for a large number of ever-more sophisticated and innovative Web applications. In just one decade, the Web has evolved from being a repository of pages used primarily for accessing static, mostly scientific, information to a powerful platform for application development and deployment. New Web technologies, languages, and methodologies make it possible to create dynamic applications that represent a new model of cooperation and collaboration among large numbers of users. Web application development has been quick to adopt software engineering techniques of component orientation and standard components. For example, search, syndication, and tagging have become standard components of a new generation of collaborative applications and processes. Future developments in Web applications will be driven by advances in browser technology, Web Internet infrastructure, protocol standards, software engineering methods, and application trends.
TL;DR: The construction and design of a static analysis framework (called SAFELI) for identifying SIA vulnerabilities at compile time is proposed, which has the future potential to discover more delicate SQL injection attacks than black-box Web security inspection tools.
Abstract: Recently SQL injection attack (SIA) has become a major threat to Web applications. Via carefully crafted user input, attackers can expose or manipulate the back-end database of a Web application. This paper proposes the construction and outlines the design of a static analysis framework (called SAFELI) for identifying SIA vulnerabilities at compile time. SAFELI statically inspects MSIL bytecode of an ASP.NET Web application, using symbolic execution. At each hotspot that submits SQL query, a hybrid constraint solver is used to find out the corresponding user input that could lead to breach of information security. Once completed, SAFELI has the future potential to discover more delicate SQL injection attacks than black-box Web security inspection tools.
TL;DR: The concepts, methodology, and technology that makes XSS a valid concern are discussed, and the various types of XSS attacks, how they are implemented, used, and abused are explored.
Abstract: Cross Site Scripting Attacks starts by defining the terms and laying out the ground work. It assumes that the reader is familiar with basic web programming (HTML) and JavaScript. First it discusses the concepts, methodology, and technology that makes XSS a valid concern. It then moves into the various types of XSS attacks, how they are implemented, used, and abused. After XSS is thoroughly explored, the next part provides examples of XSS malware and demonstrates real cases where XSS is a dangerous risk that exposes internet users to remote access, sensitive data theft, and monetary losses. Finally, the book closes by examining the ways developers can avoid XSS vulnerabilities in their web applications, and how users can avoid becoming a victim. The audience is web developers, security practitioners, and managers.
*XSS Vulnerabilities exist in 8 out of 10 Web sites
*The authors of this book are the undisputed industry leading authorities
*Contains independent, bleeding edge research, code listings and exploits that can not be found anywhere else
TL;DR: In this paper, a GPS-enabled device is configured to receive a GPS identifier and status representing a location and a current state for a web-based social network member, a processing module that associates the received GPS-identifier and the received status, and a communications module that sends the associated GPS identifiers and status to a server comprising a web based social network database.
Abstract: Systems and methods for automatically locating web-based social network members are provided. According to one embodiment, contact content including an associated GPS identifier and status for web-based social network members located at or near the same location automatically appears on a GPS-enabled device. A further exemplary system includes a GPS-enabled device configured to receive a GPS identifier and a status representing a location and a current state for a web-based social network member, a processing module that associates the received GPS-identifier and the received status, and a communications module that sends the associated GPS-identifier and status to a server comprising a web-based social network database. Contact content in a web-based social network database record in the web-based social network database is updated to include the associated GPS identifier and status for the web-based social network member.
TL;DR: This paper synthesizes task-technology, goal setting, and self-efficacy theories in developing a conceptual model and the subsequent empirical study for exploring the perceptual factors impacting the perceived performance of web-based SDSS.
Abstract: Increasing reliance on the web for decision-making combined with higher demand on technologies that can efficiently deal with large volumes of data make visualization an important decision-making tool. Spatial decision support systems (SDSS) using the latest advances in geographic information systems (GIS) could be the appropriate approach in making DSS available to mass web-users for making decisions that have spatial components. Hence, it is important to explore the factors that impact perceived successful use of web-based SDSS. In this paper, we synthesize task-technology, goal setting, and self-efficacy theories in developing a conceptual model and the subsequent empirical study for exploring the perceptual factors impacting the perceived performance of web-based SDSS.
TL;DR: Subspace is a cross-domain communication mechanism that allows efficient communication across domains without sacrificing security; the authors believe it can serve as a new secure communication primitive for web mashups.
Abstract: Combining data and code from third-party sources has enabled a new wave of web mashups that add creativity and functionality to web applications. However, browsers are poorly designed to pass data between domains, often forcing web developers to abandon security in the name of functionality. To address this deficiency, we developed Subspace, a cross-domain communication mechanism that allows efficient communication across domains without sacrificing security. Our prototype requires only a small JavaScript library, and works across all major browsers. We believe Subspace can serve as a new secure communication primitive for web mashups.
TL;DR: Results show a higher success rate when an LMS system is combined with an advanced collaborative tool during the teaching of programming languages in a Web-based environment.
Abstract: The development of collaborative studies in learning has led to a renewed interest in the field of Web-based education. In this experimental study a highly interactive and collaborative virtual teaching environment has been created by supporting Moodle LMS with collaborative learning tool GREWPtool. The aim of this experimental study has been to find out the success rate of students when using an advanced and a standard collaborative tool in teaching programming languages over the Internet. The system has been tested with a total of 58 students whose aim was to learn the programming language Java. Success rate of students has been measured using two different assessments. Our results show a higher success rate when an LMS system is combined with an advanced collaborative tool during the teaching of programming languages in a Web-based environment.
TL;DR: A Location Aware Topic Model (LATM) is proposed, a probabilistic graphical model, to explicitly model the relationships between locations and words.
Abstract: Most online activities are associated with geographical locations. For example, people write personal blogs about interesting places they have ever been to; read news about important local events; and search the web to find delicious restaurants. Mining geographical knowledge from these online activities can greatly benefit lots of web applications. In this paper, we propose a Location Aware Topic Model (LATM), a probabilistic graphical model, to explicitly model the relationships between locations and words. Experiments on several data sets, including news and blogs, showed satisfactory results.
TL;DR: A method for confirming a request for an association with an organization by a user of a web-based social network is disclosed in this paper, where a determination is made whether the request is accepted based at least partially on a specified number of prior requests for association with the organization or being identified as a member of the organization by another user already a member.
Abstract: A method for confirming a request for an association with an organization by a user of a web-based social network is disclosed. In one embodiment, the request includes an e-mail address not controlled by the organization. The request may also be part of an application for membership with the web-based social network. A determination is made whether the request is accepted based at least partially on a specified number of prior requests for association with the organization or being identified as a member of the organization by another user already a member of the organization. The organization may be a high school, a college, a university, a business, a non-profit company, or any other group of people who may desire to associate with each other.
TL;DR: This paper describes a domain-specific language that unifies the most common service models and facilitates service composition and integration into end-user-oriented Web applications and demonstrates an implementation that leverages the Ruby on Rails framework.
Abstract: Distributed programming has shifted from private networks to the public Internet and from using private and controlled services to increasingly using publicly available heterogeneous Web services (e.g., REST, SOAP, RSS, and Atom). This move enables the creation of innovative end-user-oriented composed services with user interfaces. These services mashups are typically point solutions to specific (specialized) problems; however, what is missing is a programming model that facilitates and accelerates creation and deployment of mashups of diverse services. In this paper we describe a domain-specific language that unifies the most common service models and facilitates service composition and integration into end-user-oriented Web applications. We demonstrate our approach with an implementation that leverages the Ruby on Rails framework.
TL;DR: A novel vulnerability analysis approach is developed that characterizes both the extended state and the intended workflow of a web application and is able to identify sophisticated multi-step attacks against the application's workflow that were not addressed by previous approaches.
Abstract: In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. Current approaches to securing web applications focus either on detecting and blocking web-based attacks using application-level firewalls, or on using vulnerability analysis techniques to identify security problems before deployment.The vulnerability analysis of web applications is made difficult by a number of factors, such as the use of scripting languages, the structuring of the application logic into separate pages and code modules, and the interaction with back-end databases. So far, approaches to web application vulnerability analysis have focused on single application modules to identify insecure uses of information provided as input to the application. Unfortunately, these approaches are limited in scope, and, therefore, they cannot detect multi-step attacks that exploit the interaction among multiple modules of an application.We have developed a novel vulnerability analysis approach that characterizes both the extended state and the intended workflow of a web application. By doing this, our analysis approach is able to take into account inter-module relationships as well as the interaction of an application's modules with back-end databases. As a result, our vulnerability analysis technique is able to identify sophisticated multi-step attacks against the application's workflow that were not addressed by previous approaches. We implemented our technique in a prototype tool, called MiMoSA, and tested it on several applications, identifying both known and new vulnerabilities.
TL;DR: In this paper, the authors describe systems and methods for communication between customer service representatives and users, for example, users of a website. The mode of communication offered to the user may vary, and may also depend on user characteristics, organizational preferences, and other factors.
Abstract: Systems and methods for communication between customer service representatives and users, for example, users of a website, are disclosed. In connection with rendering an informational resource, such as a World Wide Web page, on a browser, a user is provided with an indication that communication between a representative and the user is possible only if presence information for the representative indicates that the representative is available. If no representative is available, the user is provided with a null image, although the user may instead be shown the presence information for the representative expected to be available soonest. The ability to communicate with a representative may depend on the user's characteristics and history. The mode of communication offered to the user may vary, and may also depend on user characteristics, organizational preferences, and other factors. Users and representatives can also collaboratively co-browse web pages.
TL;DR: In this article, a markup language based instant messaging application is described, where the card information and character may be shared with other users or within a group. The cards may also be configurable by users.
Abstract: Systems and methods providing users with a rich web experience are disclosed. In one embodiment, a client and at least one server are in communication using a dual communication link. In another embodiment, a markup language based instant messaging application is disclosed. The instant messaging application may include group instant messaging. The instant messaging application may also provide group member persistence and message persistence at the server. In another embodiment, a card based web application is disclosed, where the card information and character may be shared with other users or within a group. The cards may also be configurable by users.
TL;DR: In this article, an internal gateway establishes persistent connections to an external gateway through permitted ports and protocols of a firewall, and software on the external gateway and the internal gateway collaborate in order to make available internal, firewall-protected resources to external clients securely and without having to modify network or firewall configurations.
Abstract: An internal gateway establishes persistent connections to an external gateway through permitted ports and protocols of a firewall. Software on the external gateway and the internal gateway collaborate in order to make available internal, firewall-protected resources to external clients securely and without having to modify network or firewall configurations. Any computing resource such as a web service, web application, or any other network addressable resource residing behind a firewall can be securely exposed in a generic fashion to clients on the external network. No special software is required by clients.
TL;DR: The fundamental limits of browser-based applications are explored, push solutions for AJAX technology are analyzed, and the results of an empirical study comparing push and pull are shown.
Abstract: AJAX applications are designed to have high user interactivity and low user-perceived latency. Real-time dynamic Web data such as news headlines, stock tickers, and auction updates need to be propagated to the users as soon as possible. However, AJAX still suffers from the limitations of the Web's request/response architecture which prevents servers from pushing real-time dynamic web data. Such applications usually use a pull style to obtain the latest updates, where the client actively requests the changes based on a predefined interval. It is possible to overcome this limitation by adopting a push style of interaction where the server broadcasts data when a change occurs on the server side. Both these options have their own trade-offs. This paper explores the fundamental limits of browser-based applications and analyzes push solutions for AJAX technology. It also shows the results of an empirical study comparing push and pull.