research-article

Finding bugs in dynamic web applications

Authors:
Shay Artzi

MIT, Cambridge, MA, USA

MIT, Cambridge, MA, USA
View Profile

,
Adam Kiezun

MIT, Cambridge, MA, USA

MIT, Cambridge, MA, USA
View Profile

,
Julian Dolby

IBM, Yorktown Heights, NY, USA

IBM, Yorktown Heights, NY, USA
View Profile

,
Frank Tip

IBM, Yorktown Heights, NY, USA

IBM, Yorktown Heights, NY, USA
View Profile

,
Danny Dig

MIT, Cambridge, MA, USA

MIT, Cambridge, MA, USA
View Profile

,
Amit Paradkar

IBM, Yorktown Heights, NY, USA

IBM, Yorktown Heights, NY, USA
View Profile

,
Michael D. Ernst

MIT, Cambridge, MA, USA

MIT, Cambridge, MA, USA
View Profile

ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysisJuly 2008Pages 261–272https://doi.org/10.1145/1390630.1390662

Published:20 July 2008Publication History

ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis

Pages 261–272

ABSTRACT

Web script crashes and malformed dynamically-generated Web pages are common errors, and they seriously impact usability of Web applications. Current tools for Web-page validation cannot handle the dynamically-generated pages that are ubiquitous on today's Internet. In this work, we apply a dynamic test generation technique, based on combined concrete and symbolic execution, to the domain of dynamic Web applications. The technique generates tests automatically, uses the tests to detect failures, and minimizes the conditions on the inputs exposing each failure, so that the resulting bug reports are small and useful in finding and fixing the underlying faults. Our tool Apollo implements the technique for PHP. Apollo generates test inputs for the Web application, monitors the application for crashes, and validates that the output conforms to the HTML specification. This paper presents Apollo's algorithms and implementation, and an experimental evaluation that revealed 214 faults in 4 PHP Web applications.

References

S. Anand, P. Godefroid, and N. Tillmann. Demand-driven compositional symbolic execution. In TACAS, 2008. Google ScholarDigital Library
M. Benedikt, J. Freire, and P. Godefroid. VeriWeb: Automatically testing dynamic Web sites. In WWW, 2002.Google Scholar
C. Braband, A. Moller, and M. Schwartzbach. Static validation dynamically generated HTML. In PASTE, 2001. Google ScholarDigital Library
C. Cadar and D. R. Engler. Execution generated test cases: How to make systems code crash itself. In SPIN, 2005. Google ScholarDigital Library
C. Cadar and D. R. Engler. Execution generated test cases: How to make systems code crash itself. In SPIN, 2005. Google ScholarDigital Library
H. Cleve and A. Zeller. Locating causes of program failures. In ICSE, 2005. Google ScholarDigital Library
C. Csallner, N. Tillmann, and Y. Smaragdakis. DySy: Dynamic symbolic execution for invariant inference. In ICSE, 2008. Google ScholarDigital Library
D. Dean and D. Wagner. Intrusion detection via static analysis. In Symposium on Research in Security and Privacy, May 2001. Google ScholarDigital Library
S. Elbaum, K.-R. Chilakamarri, M. Fisher, and G. Rothermel. Web application characterization through directed requests. In WODA, 2006. Google ScholarDigital Library
S. Elbaum, S. Karre, G. Rothermel, and M. Fisher. Leveraging user-session data to support Web application testing. IEEE Trans. Softw. Eng., 31(3), 2005. Google ScholarDigital Library
M. Emmi, R. Majumdar, and K. Sen. Dynamic test input generation for database applications. In ISSTA, 2007. Google ScholarDigital Library
M. Fisher, S. G. Elbaum, and G. Rothermel. Dynamic characterization of Web application interfaces. In FASE, 2007. Google ScholarDigital Library
P. Godefroid. Compositional dynamic test generation. In POPL, 2007. Google ScholarDigital Library
P. Godefroid, A. Kiezun, and M. Y. Levin. Grammar-based whitebox fuzzing. In PLDI, 2008. Google ScholarDigital Library
P. Godefroid, N. Klarlund, and K. Sen. DART: Directed automated random testing. In PLDI, 2005. Google ScholarDigital Library
P. Godefroid, M. Y. Levin, and D. Molnar. Automated whitebox fuzz testing. In NDSS, 2008.Google Scholar
W. G. J. Halfond and A. Orso. Improving test case generation for Web applications using automated interface discovery. In ESEC-FSE, 2007. Google ScholarDigital Library
K. Inkumsah and T. Xie. Evacon: a framework for integrating evolutionary and concolic testing for object-oriented programs. In ASE, 2007. Google ScholarDigital Library
M. Johns and C. Beyerlein. SMask: preventing injection attacks in Web applications by approximating automatic data/code separation. In SAC, 2007. Google ScholarDigital Library
N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting Web application vulnerabilities (short paper). In Security and Privacy, 2006. Google ScholarDigital Library
R. Majumdar and K. Sen. Hybrid concolic testing. In ICSE, 2007. Google ScholarDigital Library
R. Majumdar and R.-G. Xu. Directed test generation using symbolic grammars. In ASE, 2007. Google ScholarDigital Library
Y. Minamide. Static approximation of dynamically generated Web pages. In WWW, 2005. Google ScholarDigital Library
G. Misherghi and Z. Su. HDD: hierarchical delta debugging. In ICSE, 2006. Google ScholarDigital Library
R. O'Callahan. Personal communication, 2008.Google Scholar
T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In RAID, 2005. Google ScholarDigital Library
F. Ricca and P. Tonella. Analysis and testing of Web applications. In ICSE, 2001. Google ScholarDigital Library
K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. In FSE, 2005. Google ScholarDigital Library
S. Sprenkle, E. Gibson, S. Sampath, and L. Pollock. Automated replay and failure detection for Web applications. In ASE, 2005. Google ScholarDigital Library
Z. Su and G. Wassermann. The essence of command injection attacks in Web applications. In POPL, 2006. Google ScholarDigital Library
G. Wassermann and Z. Su. Sound and precise analysis of Web applications for injection vulnerabilities. In PLDI, 2007. Google ScholarDigital Library
G. Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In ICSE, 2008. Google ScholarDigital Library
Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS, 2006. Google ScholarDigital Library
A. Zeller. Yesterday, my program worked. Today, it does not. Why? In FSE, 1999. Google ScholarDigital Library

Index Terms

Finding bugs in dynamic web applications

Recommendations

Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking

Web script crashes and malformed dynamically generated webpages are common errors, and they seriously impact the usability of Web applications. Current tools for webpage validation cannot handle the dynamically generated pages that are ubiquitous on ...
Read More
A case study-based comparison of web testing techniques applied to AJAX web applications

Asynchronous Javascript And XML (AJAX) is a recent technology used to develop rich and dynamic Web applications. Different from traditional Web applications, AJAX applications consist of a single page whose elements are updated dynamically in response ...
Read More
Modeling and Verifying for Frameset-Based Web Applications
TASE '11: Proceedings of the 2011 Fifth International Conference on Theoretical Aspects of Software Engineering

As Web applications evolve, their structure may be-come more and more complex. Web frameset is used to organize multiple frames and nested framesets to make the layout of some Web pages more identical and bring the development of Web applications easier,...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis
July 2008
324 pages
ISBN:9781605580500
DOI:10.1145/1390630
General Chair:
Barbara G. Ryder
Virginia Tech, USA
,
Program Chair:
Andreas Zeller
Saarland University, Germany
Copyright © 2008 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 20 July 2008
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
dynamic analysis
php
software testing
web applications
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate58of213submissions,27%
Upcoming Conference
ISSTA '24

Sponsor:

sigsoft

33rd ACM SIGSOFT International Symposium on Software Testing and Analysis

September 16 - 20, 2024

Vienna , Austria
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 106
  Total Citations
  View Citations
- 1,913
  Total Downloads
- Downloads (Last 12 months)35
- Downloads (Last 6 weeks)6
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Finding bugs in dynamic web applications

ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis

ABSTRACT

References

Cited By

Index Terms

Recommendations

Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking

A case study-based comparison of web testing techniques applied to AJAX web applications

Modeling and Verifying for Frameset-Based Web Applications