Cookies: A deployment study and the testing implications

Published: 03 July 2009

Abstract

The results of an extensive investigation of cookie deployment amongst 100,000 Internet sites are presented. Cookie deployment is found to be approaching universal levels, and hence there exists an associated need for relevant Web and software engineering processes, specifically testing strategies which actively consider cookies. The semi-automated investigation demonstrates that over two-thirds of the sites studied deploy cookies. The investigation specifically examines the use of first-party, third-party, sessional, and persistent cookies within Web-based applications, identifying the presence of a P3P policy and dynamic Web technologies as major predictors of cookie usage. The results are juxtaposed with the lack of testing strategies present in the literature. A number of real-world examples, including two case studies, are presented, further accentuating the need for comprehensive testing strategies for Web-based applications. The use of antirandom test case generation is explored with respect to the testing issues discussed. Finally, a number of seeding vectors are presented, providing a basis for testing cookies within Web-based applications.



Published in

ACM Transactions on the Web, Volume 3, Issue 3, June 2009, 179 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/1541822
Copyright © 2009 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 3 July 2009
• Revised: 1 February 2009
• Accepted: 1 February 2009
• Received: 1 June 2007

Qualifiers

• research-article
• Research
• Refereed
