ABSTRACT
Web script crashes and malformed dynamically-generated Web pages are common errors, and they seriously impact usability of Web applications. Current tools for Web-page validation cannot handle the dynamically-generated pages that are ubiquitous on today's Internet. In this work, we apply a dynamic test generation technique, based on combined concrete and symbolic execution, to the domain of dynamic Web applications. The technique generates tests automatically, uses the tests to detect failures, and minimizes the conditions on the inputs exposing each failure, so that the resulting bug reports are small and useful in finding and fixing the underlying faults. Our tool Apollo implements the technique for PHP. Apollo generates test inputs for the Web application, monitors the application for crashes, and validates that the output conforms to the HTML specification. This paper presents Apollo's algorithms and implementation, and an experimental evaluation that revealed 214 faults in 4 PHP Web applications.