Abstract
The results of an extensive investigation of cookie deployment amongst 100,000 Internet sites are presented. Cookie deployment is found to be approaching universal levels, and hence there exists an associated need for relevant Web and software engineering processes, specifically testing strategies which actively consider cookies. The semi-automated investigation demonstrates that over two-thirds of the sites studied deploy cookies. The investigation specifically examines the use of first-party, third-party, sessional, and persistent cookies within Web-based applications, identifying the presence of a P3P policy and dynamic Web technologies as major predictors of cookie usage. The results are juxtaposed with the lack of testing strategies present in the literature. A number of real-world examples, including two case studies, are presented, further accentuating the need for comprehensive testing strategies for Web-based applications. The use of antirandom test case generation is explored with respect to the testing issues discussed. Finally, a number of seeding vectors are presented, providing a basis for testing cookies within Web-based applications.
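The abstract describes classifying each observed cookie along two axes, first-party versus third-party and sessional versus persistent. The following is an added example, not code from the paper or its authors, showing how a semi-automated survey can make that classification from raw `Set-Cookie` headers: a cookie is third-party when the responding host lies outside the page's site, and persistent when it carries a positive `Max-Age` or a future `Expires` (Max-Age takes precedence, and a deletion or an unparseable date counts as a session cookie). Assumptions made here: the "site" is approximated by the last two DNS labels rather than a public-suffix list, the headers are constructed sample data, and the clock is fixed so results are reproducible.

```python
"""Classify Set-Cookie headers into the four categories a cookie deployment
survey tallies: first- vs third-party and session vs persistent.
Added example; sample headers below are constructed, not survey data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CookieRecord:
    name: str
    third_party: bool   # set by a host outside the page's site
    persistent: bool    # outlives the browser session
    secure: bool        # Secure flag present
    http_only: bool     # HttpOnly flag present


def registrable_domain(host: str) -> str:
    """Approximate the 'site' as the last two DNS labels.
    Assumption: no public-suffix list, so co.uk-style suffixes would be
    grouped too coarsely; a production crawler should use the PSL."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _parse_attrs(header: str) -> tuple[str, dict[str, str | bool]]:
    """Split 'name=value; Attr=val; Flag' into the cookie name and a
    lower-cased attribute map (flags map to True)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def _is_persistent(attrs: dict[str, str | bool], now: datetime) -> bool:
    """Max-Age wins over Expires; a non-positive Max-Age or a past Expires is
    a deletion, and an unparseable value is ignored (session cookie)."""
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        return int(max_age) > 0
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when > now
    return False


def classify(header: str, response_url: str, page_url: str, now: datetime) -> CookieRecord:
    """Classify one Set-Cookie header seen in a response while loading page_url."""
    name, attrs = _parse_attrs(header)
    page_site = registrable_domain(urlsplit(page_url).hostname or "")
    setter_site = registrable_domain(urlsplit(response_url).hostname or "")
    return CookieRecord(
        name=name,
        third_party=setter_site != page_site,
        persistent=_is_persistent(attrs, now),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def survey(samples: list[tuple[str, str, str]], now: datetime) -> dict[str, int]:
    """Tally (page_url, response_url, header) triples into the four survey buckets."""
    counts = {"first_party_session": 0, "first_party_persistent": 0,
              "third_party_session": 0, "third_party_persistent": 0, "total": 0}
    for page_url, response_url, header in samples:
        rec = classify(header, response_url, page_url, now)
        party = "third_party" if rec.third_party else "first_party"
        life = "persistent" if rec.persistent else "session"
        counts[f"{party}_{life}"] += 1
        counts["total"] += 1
    return counts


# Fixed clock and constructed headers (hostnames under .test are placeholders).
NOW = datetime(2008, 1, 1, tzinfo=timezone.utc)
PAGE = "https://www.example.test/"
SAMPLE = [
    (PAGE, PAGE, "sid=abc123; Path=/; Secure; HttpOnly"),                      # 1st-party session
    (PAGE, PAGE, "prefs=dark; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Path=/"),  # 1st-party persistent
    (PAGE, "https://ads.tracker.test/pixel.gif",
     "uid=9f8e7d; Domain=.tracker.test; Max-Age=31536000"),                    # 3rd-party persistent
    (PAGE, "https://cdn.example.test/app.js", "ab=1; Domain=.example.test"),   # same site: 1st-party
    (PAGE, PAGE + "logout", "sid=deleted; Max-Age=0"),                         # deletion, not persistent
    (PAGE, PAGE, "junk=1; Expires=not-a-date"),                                # bad date: session
]

if __name__ == "__main__":
    for page_url, response_url, header in SAMPLE:
        print(classify(header, response_url, page_url, NOW))
    print(survey(SAMPLE, NOW))
```

Because `classify` also records the `Secure` and `HttpOnly` flags, the same pass can report how many persistent or third-party cookies are sent without them, which is the kind of check a cookie-aware test strategy would assert on.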
Cookies: A deployment study and the testing implications