CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

Web software
Web software is becoming increasingly dominant
Web applications are used extensively in many areas:
–Commerce: online banking, online shopping, …
–Entertainment: online music, videos, …
–Interaction: social networks
We will rely on web applications more in the future:
–Health records
–Controlling and monitoring of national infrastructures

Web software
Web software is also rapidly replacing desktop applications
–software-as-a-service
–cloud computing
In the future most of the software applications we use will probably be web applications

Why are web applications so popular?
Ease of access
–You can access a web application from any computer with an internet connection
–A lot of them are free
Centralized data storage
–You do not need to keep carrying a memory stick with you and keep copying files
Easy to upgrade and maintain
–Do not need to keep re-installing the new versions
–Developers can update the software on the server side

Are there any problems?
Web applications are not trustworthy!
Web applications are notorious for security vulnerabilities
Many web applications have navigation errors where they mishandle unexpected user requests
As web applications are becoming increasingly dominant and as their use in safety critical areas is increasing, their trustworthiness is becoming a critical issue

Web applications are not secure
There are many well-known security vulnerabilities that exist in many web applications. Here are some examples:
–Malicious file execution: where a malicious user causes the server to execute malicious code
–SQL injection: where a malicious user executes SQL commands on the back-end database by providing specially formatted input
–Cross site scripting (XSS): where the attacker gets a malicious script executed in a user's browser
These vulnerabilities are typically due to errors in user input validation or lack of user input validation
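To make the input-validation point concrete, here is an added example (not from the lecture) that puts the unsafe and the safe handling of user input side by side for two of the vulnerabilities above: a query built by string concatenation next to a parameterized query, and user input echoed raw into HTML next to the same input output-encoded. The in-memory database, its rows and the function names are all constructed for this illustration.

```python
import html
import sqlite3

# Constructed in-memory back-end standing in for a web application's database
# (sample rows made up for this example, not data from the lecture).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_concatenated(db, name):
    """Unvalidated input pasted into the query text: the input can change the SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, name):
    """Placeholder binding keeps the input as data, so the query structure is fixed."""
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

def greeting_raw(name):
    """User input echoed into HTML unchanged: the browser interprets any markup in it."""
    return "<p>Hello, " + name + "</p>"

def greeting_escaped(name):
    """Output encoding turns markup characters into entities the browser shows as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"      # constructed input whose quotes rewrite the WHERE clause
    print(lookup_concatenated(db, crafted))   # every user: the input became part of the SQL
    print(lookup_parameterized(db, crafted))  # []: no user literally has that name
    print(greeting_escaped("<b>alice</b>"))   # markup rendered as text, not interpreted
```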

Web application vulnerabilities are common

Web applications are error prone
Most web applications have navigation errors where an unexpected user request can cause a web application to
–display cryptic error messages
–display sensitive information that might be exploited by malicious users
–execute an unintended action

Navigation errors: Bamboo Invoice

Navigation errors: Digitalus

Navigation errors: Orbitz
Customer enters the date and destination information to look for flights and receives a list of flight choices
Customer uses the "open link in new window" option to open a new window and study the details of an evening flight
Switching back to the original window, the customer inspects a morning flight
After comparing the flight details, the customer decides to take the evening flight and switches to the window with the evening flight and presses the purchase button
However, the reservation system instead selects the morning flight! If not careful, the customer will purchase the wrong flight

Why are web applications error prone?
Here are three main reasons that I think make web application development error prone:
–Interactivity
–Changeability
–Diversity

Interactivity
Web applications are interactive applications
–Many errors are due to improper handling of interactions
User interaction is not under the control of the developer
–The back button of the browser
–The user can open a new window
–The user can cut and paste the url
There are interactions between different software components
–browser, server, back-end database
One web application can be an integration of many applications
–Mash-ups, web services
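The Orbitz scenario above and the "user can open a new window" point on this slide are the same navigation error: the server keeps one "selected flight" per session while the user has two windows open. As an added example (not from the lecture), the following is a small state-machine model of that scenario with an exhaustive breadth-first exploration of all interleavings of "view flight in window" and "press purchase in window", in the spirit of the model checking the course introduces. The two flights, the two windows, the session-scoped server and the fixed server that books the flight id carried in the purchase request are all constructed assumptions of this example.

```python
# Added illustration (not from the lecture): a tiny state-space exploration of the
# two-window booking scenario. The server either remembers the "selected flight" in the
# session (buggy) or books the flight id named in the purchase request itself (fixed).
# Flight names, window ids and the model itself are constructed for this example.
FLIGHTS = ("morning", "evening")
WINDOWS = (0, 1)
# A state is (session_selected, flight shown per window, purchase record or None).
INIT = (None, (None, None), None)
ACTIONS = [("view", w, f) for w in WINDOWS for f in FLIGHTS] + \
          [("purchase", w, None) for w in WINDOWS]

def step(state, action, request_carries_flight):
    """Apply one user action to the model and return the successor state."""
    session, shows, purchased = state
    kind, win, flight = action
    if kind == "view":
        # Opening a flight's detail page in one window (e.g. "open link in new window")
        # overwrites the single session-scoped selection on the server.
        shows = shows[:win] + (flight,) + shows[win + 1:]
        session = flight
    elif kind == "purchase" and purchased is None and shows[win] is not None:
        shown = shows[win]                     # what the customer sees when clicking
        booked = shown if request_carries_flight else session
        purchased = (win, shown, booked)       # record of the one purchase made
    return (session, shows, purchased)

def violates(state):
    """Property: the booked flight is the one the purchasing window displayed."""
    purchased = state[2]
    return purchased is not None and purchased[1] != purchased[2]

def find_counterexample(request_carries_flight, depth=4):
    """Breadth-first exploration of all interleavings up to `depth` actions.
    Returns the first action sequence that violates the property, or None."""
    frontier = [(INIT, ())]
    seen = {INIT}
    for _ in range(depth):
        nxt = []
        for state, trace in frontier:
            for action in ACTIONS:
                succ = step(state, action, request_carries_flight)
                if succ in seen:
                    continue
                seen.add(succ)
                if violates(succ):
                    return trace + (action,)
                nxt.append((succ, trace + (action,)))
        frontier = nxt
    return None

if __name__ == "__main__":
    print("session-scoped selection:", find_counterexample(False))
    print("flight id in request:   ", find_counterexample(True))
```

For the session-scoped server the exploration returns a three-step trace (view one flight in window 0, view the other in window 1, purchase from window 0) that books the wrong flight; for the server that reads the flight id from the purchase request no interleaving violates the property.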

Changeability
Web applications are updated frequently since the code resides on the server side
This is convenient for uploading a new version when there is a change
However, this is also a challenge, since frequent updates mean that each new version has to be checked against potential errors

Diversity
Web applications are developed using a diverse set of languages and technologies.
–On the server side: Java, Perl, PHP, Python, Ruby, …
–On the client side: HTML, XML, JavaScript, …
–On the back-end database: SQL, XQuery, …
There are many web application development frameworks (based on the model-view-controller architecture)
–Ruby: Ruby on Rails
–PHP: CakePHP, Zend
–Python: Django, Pylons
–Java: Spring, Struts

So what is this course about?
Formal Models: state machine models, logics, process algebras, …
Web Software: ruby, php, MVC frameworks, …
Analysis Tools: model checkers, theorem provers, …

Course topics
We will discuss papers on formal modeling of
–Navigation constraints
–Interactions
–Data model
–Access control
–Input validation
We will use some formal models
–Hierarchical state machines (statecharts)
–Relational modeling (Alloy)
–Process algebras
We will use some analysis tools
–Alloy analyzer
–Spin model checker

Course work
I will give several homework assignments
There will be a class project (two students per project)
–Extract a formal model from an existing web application and analyze it using an analysis tool
–Two possibilities:
Extract a navigation model and analyze it using the Spin model checker
Extract a data model and analyze it using the Alloy analyzer
In the next lecture I will give some simple examples of how this can be done