DOI: 10.1145/1390630.1390661

Dynamic test input generation for web applications

Published: 20 July 2008

Abstract

Web applications routinely handle sensitive data, and many people rely on them to support various daily activities, so errors can have severe and broad-reaching consequences. Unlike most desktop applications, many web applications are written in scripting languages, such as PHP. The dynamic features commonly supported by these languages significantly inhibit static analysis, and existing static analysis of these languages can fail to produce meaningful results on real-world web applications.
Automated test input generation using the concolic testing framework has proven useful for finding bugs and improving test coverage on C and Java programs, which generally emphasize numeric values and pointer-based data structures. However, scripting languages, such as PHP, promote a style of programming for developing web applications that emphasizes string values, objects, and arrays.
In this paper, we propose an automated input test generation algorithm that uses runtime values to analyze dynamic code, models the semantics of string operations, and handles operations whose argument and return values may not share a common type. As in the standard concolic testing framework, our algorithm gathers constraints during symbolic execution. Our algorithm resolves constraints over multiple types by considering each variable instance individually, so that it only needs to invert each operation. By recording constraints selectively, our implementation successfully finds bugs in real-world web applications which state-of-the-art static analysis tools fail to analyze.

Published In

ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis
July 2008
324 pages
ISBN:9781605580500
DOI:10.1145/1390630

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. automatic test generation
  2. concolic testing
  3. directed random testing
  4. web applications

Qualifiers

  • Research-article

Conference

ISSTA '08

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Cited By

  • (2024) URadar: Discovering Unrestricted File Upload Vulnerabilities via Adaptive Dynamic Testing. IEEE Transactions on Information Forensics and Security, 19 (1251-1266). DOI: 10.1109/TIFS.2023.3335885. Online publication date: 2024
  • (2024) Migrating Unit Tests Across Java Applications. 2024 IEEE International Conference on Source Code Analysis and Manipulation (SCAM) (131-142). DOI: 10.1109/SCAM63643.2024.00022. Online publication date: 7-Oct-2024
  • (2023) XSnare: application-specific client-side cross-site scripting protection. Empirical Software Engineering, 28:5. DOI: 10.1007/s10664-023-10323-w. Online publication date: 17-Aug-2023
  • (2022) FAUSTA: Scaling Dynamic Analysis with Traffic Generation at WhatsApp. 2022 IEEE Conference on Software Testing, Verification and Validation (ICST) (267-278). DOI: 10.1109/ICST53961.2022.00036. Online publication date: Apr-2022
  • (2021) Model-Based Testing of Web Application: An SLR. VFAST Transactions on Software Engineering, 9:4 (126-136). DOI: 10.21015/vtse.v9i4.948. Online publication date: 31-Dec-2021
  • (2021) UFuzzer: Lightweight Detection of PHP-Based Unrestricted File Upload Vulnerabilities Via Static-Fuzzing Co-Analysis. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses (78-90). DOI: 10.1145/3471621.3471859. Online publication date: 6-Oct-2021
  • (2021) XSnare: Application-specific client-side cross-site scripting protection. 2021 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) (154-165). DOI: 10.1109/SANER50967.2021.00023. Online publication date: Mar-2021
  • (2021) CorbFuzz. Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (215-226). DOI: 10.1109/ASE51524.2021.9678636. Online publication date: 15-Nov-2021
  • (2021) A deductive reasoning approach for database applications using verification conditions. Journal of Systems and Software, 175 (110903). DOI: 10.1016/j.jss.2020.110903. Online publication date: May-2021
  • (2019) Concolic testing for models of state-based systems. Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (4-15). DOI: 10.1145/3338906.3338908. Online publication date: 12-Aug-2019
