181 |
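應用剖面導向技術研製網路應用程式之可設定式細緻化存取控管 / Developing configurable fine-grained access control for Web applications using aspect-oriented techniques
林經緯, Lin,Ching Wei Unknown Date (has links)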
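Access control is a core issue in securing Web applications. The code that enforces access control usually has to be embedded in every module of the application system, which makes it cross-cutting; as a result, similar code is often repeated throughout the system, and code serving different requirements becomes tangled together. Academia and industry have therefore proposed many configurable access control mechanisms to address this problem. These mechanisms, however, focus on general function-level access control; for finer-grained, data-level access control they offer no configurable approach, so it must still be handled programmatically, and the cross-cutting problem remains.
The recently emerged Aspect-Oriented Programming (AOP), based on the principle of Separation of Concerns, proposes that cross-cutting requirements such as security be modularized as aspects, separate from the existing object or function modules, so that the security code can be developed in one place and then integrated into each module of the system according to rules. This research therefore uses AOP techniques to design and build a configurable, fine-grained access control service and tool. / Security is attracting more and more concerns in the development of Web applications. However, it is not easy to derive a robust security implementation for Web applications. The principal difficulty in designing security such as access control into an application system is that it is a concern that permeates through all the different modules of a system. As a result, security concerns in an application are often implemented with scattered and tangled code, which is not only error-prone but also makes it difficult to verify its correctness and perform the needed maintenance.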
Aspect-Oriented Programming (AOP) is a relatively new design method that allows a programmer to isolate some of the code that crosscuts his program modules into a separate module, and thus realizes the concept of Separation of Concerns. AOP offers significant advantages to programming over traditional OO techniques in implementing crosscutting concerns such as access control. In this thesis, we define an XML schema for specifying fine-grained access control rules for Web applications in a configuration file and devise an aspect-oriented implementation scheme. Specifically, we develop an aspect synthesis tool that generates concrete access control aspects automatically from access control rules. These aspects, after being woven into the base application, will enforce proper access control in a highly modular manner. As a result, we get a configurable implementation of access control that is not only adaptive but also effective.
|
182 |
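Ανάπτυξη υπολογιστικής μεθοδολογίας εξόρυξης, ανάλυσης και παρουσίασης δεδομένων πρωτεωμικής καρκινικών δειγμάτων / Development of a computational methodology for mining, analysis and presentation of proteomics data from cancer samples
Αλεξανδρίδου, Αναστασία 17 September 2012 (has links)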
Peptides, whether as protein fragments or as natural entities, are characterized by their sequence and their functional characteristics. The aim of this doctoral thesis is to develop a data mining methodology for unique tags and peptide/protein characteristics of the human proteome, and to analyze and apply these biological data to cancer-related proteins.
A file repository was created containing molecular weights with an accuracy of 0.01 Da linked to the corresponding peptide sequences of human proteins from the Swiss-Prot database. These proteins were exhaustively digested, making the peptide sequences independent of other methods based on enzymatic digestion. From this repository, the unique molecular weights of up to 10 kDa and the unique peptide sequences (up to 10 kDa) were extracted.
To exploit the mined data for protein identification, a publicly available web application was developed that maps high-resolution molecular weights to peptides and proteins.
A further web application was developed to provide information on the uniqueness of molecular weights and peptide sequences in the human proteome. The application can search for unique protein fragments resulting from the enzymatic digestion of proteins, and can report all the unique molecular weights and unique peptide sequences contained in a protein.
Peptides often need to be handled in bulk from lists. For this purpose, a web server was developed that manages peptide lists, analyzing the characteristics of the peptides and clustering the peptides according to these characteristics, with the clustering visualized by a Java applet. PepServe is a useful tool for understanding the distribution of peptide characteristics across a set of peptides.
Finally, sets of proteins associated with various types of cancer were analyzed for peptide characteristics. This analysis aims to find possible preferences in characteristics and to find unique tags of cancer-related proteins. The unique tags can be used in biomarker discovery and in the development of new drugs for more effective diagnosis and treatment. / Peptides, either as protein fragments or as naturally occurring entities are characterized by their sequence and function features. The purpose of the present Ph.D. thesis is to develop a datamining method for unique tags and peptide/protein characteristics in the human proteome and to analyze and apply the derived biological data in cancer-related proteins.
A file repository has been created, containing indexed information that relates molecular masses with an accuracy of 0.01 Da to the corresponding peptides existing in human proteins. These proteins have been deposited in a completely digested protein database (Swiss-Prot) providing independence from any specific enzyme/digestion method. From this repository, the unique molecular masses, ranging from 1 to 10 kDa, and the unique peptide sequences from all the possible sequence fragments (up to 10 kDa) have been mined.
A publicly available web application has been developed which facilitates a high resolution mapping of measured molecular masses to peptides and proteins, irrespective of the enzyme/digestion method used. Multi-filtering may be applied in terms of measured mass tolerance, molecular mass and isoelectric point range as well as pattern matching to refine the results.
In addition, another publicly available web application has been developed that offers information concerning the uniqueness of molecular masses and peptide sequences in the human proteome. The application is able to search for unique protein fragments derived computationally from enzymatic digestion driven by certain enzymes. Furthermore, the application can list all the unique masses and peptides of a given protein. Through this application, researchers are able to find unique tags, either on a molecular mass level or on a sequence level.
A web server has been developed that manages peptide lists in terms of feature analysis as well as interactive clustering and visualization of the given peptides. PepServe is a useful tool towards understanding peptide feature distribution among a group of peptides.
Finally, cancer-related proteins have been analyzed producing peptide features and peptide feature’s sequence uniqueness resulting in some feature preferences and peptide unique tags. These unique tags can be used in biomarker discovery, and novel drug development for an efficient diagnosis and treatment.
|
183 |
The influence of Web 2.0 technologies on the use of public libraries in Mangaung Metropolitan Municipality, South Africa
Matobako, Molaodi Margaret 06 1900 (has links)
Recent innovations and advances in information and communication technologies (ICTs) have resulted in radical changes in the way information resources are provided, and have also brought about several options to handle a wide range of information services effortlessly. Web 2.0 or social media is one of these innovations which expands the options in information services provision. Against this backdrop, this study intended to investigate the use of Web 2.0 technologies in the public libraries in the Mangaung Metropolitan Municipality in South Africa. The study was guided by mixed methods, combining quantitative and qualitative approaches, because the approach enables the researcher to cover a wide variety of issues. The study adopted a sample survey research design to guide selection of subjects. Two data collection tools were used: a self-administered questionnaire for collecting data from 248 library users, and unstructured interview schedules for collecting qualitative data from 16 library officials. The response rate for the survey of library users was 69%, a good rate for an unsolicited survey. The findings revealed that Mangaung Metropolitan Municipality libraries have ICT equipment with access to Web 2.0 technologies and that these technologies are also highly utilised. However, lack of training, low bandwidth, and short time allowed to access WIFI make it difficult for the library users and staff to fully benefit from the web-based services offered by these libraries. Other factors include poor staff attitudes, technical problems, and challenges in marketing of online public access and catalogue, restrictions of social networking sites, non-linkage of the library OPAC to social media, geographical distances, and load shedding.
The study concluded by recommending allocation of sufficient funds to cater for ICT trainings, free WIFI, uninterrupted power supply, increased bandwidth, amongst others which will enhance the quick and effective service that will meet the information needs of their users. / Information Science / M.A. (Information Science)
|
184 |
A pattern-driven and model-based vulnerability testing for Web applications / Une approche à base de modèles et de patterns pour le test de vulnérabilités d'applications Web
Vernotte, Alexandre 29 October 2015 (has links)
This thesis proposes an original model-based and test-pattern-driven approach to Web vulnerability testing, named PMVT. Its goal is to improve the detection of four major vulnerability types: Cross-Site Scripting, SQL Injection, Cross-Site Request Forgery, and Privilege Escalation. PMVT relies on a behavioral model of the Web application, capturing its functional aspects, and on a set of vulnerability test patterns that each address a vulnerability type generically, whatever the type of Web application under test. By adapting existing MBT technologies, we developed a complete toolchain that automates the detection of the four vulnerability types. This prototype was tested and evaluated on two real applications currently used by several tens of thousands of users. The experimental results demonstrate the relevance and efficiency of PMVT, in particular by significantly improving vulnerability detection compared with existing automated Web application scanners. / This thesis proposes an original approach, dubbed PMVT for Pattern-driven and Model-based Vulnerability Testing, which aims to improve the capability for detecting four high-profile vulnerability types, Cross-Site Scripting, SQL Injections, CSRF and Privilege Escalations, and reduce false positive and false negative verdicts. PMVT relies on the use of a behavioral model of the application, capturing its functional aspects, and a set of vulnerability test patterns that address vulnerabilities in a generic way. By adapting existing MBT technologies, an integrated toolchain that supports PMVT automates the detection of the four vulnerability types in Web applications. This prototype has been experimented and evaluated on two real-life Web applications that are currently used by tens of thousands of users.
Experiments have highlighted the effectiveness and efficiency of PMVT and shown a strong improvement of vulnerability detection capabilities w.r.t. available automated Web application scanners for these kinds of vulnerabilities.
|
185 |
Metodika analýzy a návrhu webu (MANW) / The web analysis and design methodology MANW
Karlec, Jakub January 2009 (has links)
The main subject of this thesis is to prepare the web analysis and design methodology, MANW. The first part of the thesis is dedicated to the definition of the methodological framework on the basis of which the methodology will be built. The framework is derived from the methodological framework MEFIS, which has been customized to comply with the specific needs of web application and website development. The second part of the thesis is dedicated to the research of existing methodologies for web project implementation. Based on the research, the elements of the methodologies suitable for analysis and design are selected and then incorporated into the MANW methodology. The last part of the thesis is the description of the methodology itself and description of its characteristics and elements. The goal of the diploma thesis is to prepare a simple methodology for websites and web applications analysis and design which can be used in agile web development. The methodology is described by its phases, processes, roles, inputs and outputs and other elements which are defined in the elaborated methodological framework. The output of methodology processes are the data for implementation, deployment and operation of web solutions. It was necessary to define the term methodology and define a methodological framework first in order to work out the methodology itself successfully. Another starting point for methodology design was the research of existing methodologies which also serves as an introduction to the problems of web projects implementation and provides an overview of existing tools. Output of the thesis is the MANW methodology which is a synthesis of the working experience and of a methodological framework theory. This methodology is easily modifiable and thanks to the clear process definition it can provide the companies with an effective solution of web products analysis and design.
|
186 |
Exploring the use of social media tools in the University of South Africa Library
Molokisi, Sinah 01 1900 (has links)
Text in English with abstracts in English, Zulu and Sotho / Social media have taken a lead in academic libraries; however, there are still questions on how libraries are using social media tools to enhance their service delivery. The aim of this exploratory study was to investigate the use of social media tools by library staff working in the University of South Africa’s (Unisa) main library on the Muckleneuk Campus. Since it was realised that not all staff members use social media tools in the execution of their daily tasks, the first objective was to establish which staff members do use social media tools and for which purpose the tools are being used. A further objective was to learn about the potential advantages of social media tools to improve service delivery. The study also endeavoured to acquire an understanding of the challenges that social media tools present to its users. Based on the literature review, it could be established that libraries, and specifically academic libraries, utilise social media for marketing, dissemination of information, reference services, and communication with users and to answer student queries. The reported findings of this study concur with the findings reported in the literature review. The empirical data, which were collected through a qualitative survey questionnaire and interviews with library staff who use social media tools, revealed that only staff who communicate with library patrons, namely information processors and marketing staff, use social media tools. The findings also showed that the Unisa Library has specific guidelines and policies that guide the use of social media tools to interact with users, market the library and communicate events and service delivery changes. 
/ Social media have taken the lead in university libraries, but there are still many questions about how libraries use social media tools to improve service delivery. The aim of this exploratory study was to examine how staff in the main library of the University of South Africa (Unisa) on the Muckleneuk Campus use social media tools. Since it had become apparent that not all staff members use social media tools in carrying out their daily tasks, the first objective was to establish which members of the community use social media tools and what they use them for. A further objective was to learn about the benefits that social media tools could bring in improving service delivery. The study also sought to understand the challenges faced by people who use social media tools. Based on the review of the existing literature, it was found that libraries, especially university libraries, use social media for marketing, disseminating information, reference services, communicating with their users and answering student queries. The reported findings of this study are consistent with the findings reported in the literature review. The empirical data, collected by means of a qualitative survey questionnaire and interviews with library staff who use social media tools, revealed that only staff who communicate with library users, known as information processors and marketing staff, use social media tools.
The findings also showed that the Unisa Library has guidelines and policies that are followed in using social media tools to communicate with its users, market the library, and announce events and changes in service delivery. / Social media have come into wide use in academic libraries, yet there are still questions about how libraries use social media tools to improve their service delivery. The aim of this exploratory study was to investigate the use of social media tools by staff working in the main library of the University of South Africa (Unisa) on the Muckleneuk Campus. Since it was realised that not all staff use social media tools in performing their daily tasks, the first objective was to find out which staff members use social media tools and for what purpose the tools are used. Another objective was to learn about the benefits that social media tools may have for improving service delivery. The study also sought to gain an understanding of the challenges that social media tools pose to their users. According to the literature review, it was established that libraries, especially academic libraries, use social media for marketing, disseminating information, providing reference services, communicating with patrons and answering students' queries. The reported findings of this study agree with the findings of the literature review.
The empirical data, collected through a qualitative survey questionnaire and interviews with library staff who use social media tools, revealed that only staff who communicate with library patrons, namely information processors and marketing staff, use social media tools. The findings also showed that the Unisa Library has specific policies and guidelines that guide the use of social media tools to communicate with users, market the library, and announce events and changes in service delivery. / Information Science / M.A. (Information Science)
|
187 |
Zpracování neurčitých údajů v databázích / Processing of Uncertain Information in Databases
Morávek, Petr January 2009 (has links)
The following diploma thesis focuses on the processing of uncertain information in databases. Uncertain information represents the vague requests customers make when choosing a laptop in a classic shop purchase. The aim of the work is to develop a modern e-shop application selling laptops, based on an expert fuzzy system that helps customers choose a laptop without knowledge of technical specifications and current trends.
|
188 |
Sécurité et vie privée dans les applications web / Web applications security and privacy
Somé, Dolière Francis 29 October 2018 (has links)
In this thesis, we address security and privacy issues related to the use of web applications and the installation of browser extensions. Among the attacks that web applications suffer, XSS (Cross-Site Scripting) attacks are very well known. Extensions are third-party software that users can install to extend the functionality of browsers and improve their user experience. Content Security Policy (CSP) is a security policy that was proposed to counter XSS attacks. The Same Origin Policy (SOP) is a fundamental browser security policy governing interactions between web applications. For example, it does not allow one application to access the data of another application. However, the Cross-Origin Resource Sharing (CORS) mechanism can be implemented by applications that wish to exchange data with each other. First, we studied the integration of CSP with the Same Origin Policy (SOP) and demonstrated that SOP can render CSP ineffective, especially when a web application does not protect all of its pages with CSP, and a page with CSP embeds, or is embedded in, another page with no CSP or with a different and ineffective CSP. We also clarified the semantics of CSP, in particular the differences between its 3 versions and their implementations in browsers. We thus introduced the concept of dependency-free CSP, which gives an application the same protection against attacks whatever browser it runs in. Finally, we proposed and demonstrated how to extend CSP in its current state in order to overcome a number of its limitations that have been revealed in other studies. Third-party content in web applications allows the owners of that content to track users as they browse the web.
To prevent this, we introduced a new web architecture that, once deployed, eliminates user tracking. Lastly, we turned to browser extensions. We first demonstrated that the extensions a user installs and/or the web applications the user is logged into can distinguish that user from other users. We also studied the interactions between extensions and web applications. We thereby found several extensions whose privileges can be exploited by websites to access sensitive user data. For example, some extensions allow web applications to access the content of other applications, even though this is normally forbidden by the Same Origin Policy. Finally, we also found that a large number of extensions are able to disable the Same Origin Policy in the browser by manipulating CORS headers. This allows an attacker to access the user's data in any other application, such as their e-mail, their social network profile, and much more. To counter these problems, we recommend that browsers adopt a finer-grained permission system and more thorough extension analysis, in order to alert users to the real dangers associated with extensions. / In this thesis, we studied security and privacy threats in web applications and browser extensions. There are many attacks targeting the web of which XSS (Cross-Site Scripting) is one of the most notorious. Third party tracking is the ability of an attacker to benefit from its presence in many web applications in order to track the user as she browses the web, and build her browsing profile. Extensions are third party software that users install to extend their browser functionality and improve their browsing experience.
Malicious or poorly programmed extensions can be exploited by attackers in web applications, in order to benefit from extensions' privileged capabilities and access sensitive user information. Content Security Policy (CSP) is a security mechanism for mitigating the impact of content injection attacks in general and in particular XSS. The Same Origin Policy (SOP) is a security mechanism implemented by browsers to isolate web applications of different origins from one another. In a first work on CSP, we analyzed the interplay of CSP with SOP and demonstrated that the latter allows the former to be bypassed. Then we scrutinized the three CSP versions and found that a CSP is differently interpreted depending on the browser, the version of CSP it implements, and how compliant the implementation is with respect to the specification. To help developers deploy effective policies that encompass all these differences in CSP versions and browser implementations, we proposed the deployment of dependency-free policies that effectively protect against attacks in all browsers. Finally, previous studies have identified many limitations of CSP. We reviewed the different solutions proposed in the wild, and showed that they do not fully mitigate the identified shortcomings of CSP. Therefore, we proposed to extend the CSP specification, and showed the feasibility of our proposals with an example of implementation. Regarding third party tracking, we introduced and implemented a tracking preserving architecture, that can be deployed by web developers willing to include third party content in their applications while preventing tracking. Intuitively, third party requests are automatically routed to a trusted middle party server which removes tracking information from the requests. Finally considering browser extensions, we first showed that the extensions that users install and the websites they are logged into, can serve to uniquely identify and track them.
We then studied the communications between browser extensions and web applications and demonstrated that malicious or poorly programmed extensions can be exploited by web applications to benefit from extensions' privileged capabilities. Also, we demonstrated that extensions can disable the Same Origin Policy by tampering with CORS headers. All this enables web applications to read sensitive user information. To mitigate these threats, we proposed countermeasures and a more fine-grained permissions system and review process for browser extensions. We believe that this can help browser vendors identify malicious extensions and warn users about the threats posed by extensions they install.
|
189 |
An Exploration of Emotional Intelligence and Technology Skills Among Students at a Midwestern University
Incerti, Federica 13 June 2013 (has links)
No description available.
|
190 |
Understanding Informational Privacy Through User Interfaces in Web Applications / Informationsintegritet och hur den uppfattas genom gränssnittet i webbapplikationer
Spence, Annalisa, Svensson, Mimmi January 2023 (has links)
This paper critically examines users' perceptions of privacy and security in web applications, emphasizing interface design. Drawing on both quantitative and qualitative data grounded in CPM and PMT theories, our research addresses Internet users' concerns regarding online privacy and security. Employing triangulation analysis on survey responses and web-based observations, our findings reveal a strong association between users' trust in web applications and their visual elements. By providing visual examples of current design practices in our survey, we discover some important aspects of effective interface designs. Utilizing IUIPC theory, we identify how web application interfaces influence users' privacy management, impacting their trust and usage decisions. Notably, some users are subtly prompted to grant permissions or share personal information through deliberate exclusion of options in the design of certain web applications. The approach of this study encourages a critical perspective on privacy and integrity issues in online settings.
|