Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applying Mutation Testing to Web Applications Upsorn Praphamontripong and Jeff Offutt Software Engineering George Mason University Fairfax, VA USA www.cs.gmu.edu/~offutt/

Published byStephanie Hagan Modified over 3 years ago

Similar presentations

Presentation on theme: "Applying Mutation Testing to Web Applications Upsorn Praphamontripong and Jeff Offutt Software Engineering George Mason University Fairfax, VA USA www.cs.gmu.edu/~offutt/"— Presentation transcript:

1 Applying Mutation Testing to Web Applications Upsorn Praphamontripong and Jeff Offutt Software Engineering George Mason University Fairfax, VA USA www.cs.gmu.edu/~offutt/ uprapham@gmu.edu, offutt@gmu.edu

2 Web App Software Failures Huge losses due to web application failures –Financial services : $6.5 million per hour –Credit card sales applications : $2.4 million per hour Oct 2004: Paypal waived transaction fees for an entire day because of a service outage after an upgrade Dec 2006: amazon.coms BOGO offer turned into a double discount 2007 : Symantec said that most security vulnerabilities are due to faulty software July 2008: Amazon failure caused businesses to lose information and revenue Mutation 2010© Praphamontripong and Offutt2 World-wide monetary loss due to poor software is staggering Thanks in part to Dr. Sreedevi Sampath

3 This Research Where do faults reside in web applications ? –In the novel control connections among web components –In the novel state management facilities –In the interfaces between clients and servers Key research problems : 1.Model web application faults 2.Invent new mutation operators for these faults 3.Design a mutation analysis tool for web applications 4.Evaluate operators, applicability and practicality Mutation 2010© Praphamontripong and Offutt3 Improve our ability to test web applications by using mutation analysis

4 Modeling Web Applications Mutation 2010© Praphamontripong and Offutt4 Atomic section model –Offutt and Wu, July 2009 Atomic SectionHTML –Server-generated section: all or nothing property gradeServlet A.htmlB.html P1 P4 P6 P5 P2 P3 C.html get () get (param1, param2, param3) get (param1, param2, param3) get () component Atomic section form link transition simple link transition Component expressions –Basic (p) –Sequence (p p1 · p2) –Selection (p p1 | p2) –Iteration (p p1*) –Aggregation (p p1 { p2})

5 Mutation 2010© Praphamontripong and Offutt5 Control Connection Faults TransitionsPotential Faults Simple link transition … Incorrect URL specified in the href attribute of an tag Form link transition Incorrect URL specified in the action attribute of a tag Inappropriate transfer mode Omitted necessary information or inappropriate information submitted via hidden controls Parameter mismatches

6 Mutation 2010© Praphamontripong and Offutt6 Control Connections Faults (2) TransitionsPotential Faults Component expression transition Incorrect / non-existing URL specified in an include directive Operational transition back, forward, … Unintended transitions Intentionally bypass the validation Redirect transition redirect, jsp:forward Incorrect / inappropriate URL specified in Incorrect / inappropriate URL specified in res.SendRedirect

7 Web Mutation Operators HTML : 6 Mutation Operators 1.Simple link replacement (WLR) 2.Simple link deletion (WLD) 3.Form link replacement (WFR) 4.Transfer mode replacement (WTR) 5.Hidden form field replacement (WHR) 6.Hidden form field deletion (WHD) JSP : 5 Mutation Operators 1.Server-side-include replacement (WIR) 2.Server-side-include deletion (WID) 3.Redirect transition replacement (WRR) 4.Redirect transition deletion (WRD) 5.Get session replacement (WGR) Mutation 2010© Praphamontripong and Offutt7

8 Web Mut OperatorsHTML Mutation 2010© Praphamontripong and Offutt8 1. WLR – Simple Link Replacement … … … 2. WLD – Simple Link Deletion … …

9 Web Mut OperatorsHTML Mutation 2010© Praphamontripong and Offutt9 3. WFR – Form Link Replacement … … … 4. WTR – Transfer Mode Replacement …


10 Web Mut OperatorsHTML Mutation 2010© Praphamontripong and Offutt10 5. WHR – Hidden Form Field Replacement … … 6. WHD – Hidden Form Field Deletion …

11 Web Mut OperatorsJSP Mutation 2010© Praphamontripong and Offutt11 1. WIR – Server-Side- Include Replacement … … … 2. WID – Server-Side-Include Deletion …

12 Web Mut OperatorsJSP Mutation 2010© Praphamontripong and Offutt12 3. WRR – Redirect Transition Replacement … … … 4. WRD – Redirect Transition Deletion …

13 Web Mut OperatorsJSP Mutation 2010© Praphamontripong and Offutt13 5. WGR – Get Session Replacement … session = get.session (true); session = get.session (false); …

14 Mutation 2010© Praphamontripong and Offutt14 webMujava : Generation

15 Mutation 2010© Praphamontripong and Offutt15 webMuJava : Mutants

16 Mutation 2010© Praphamontripong and Offutt16 Case Study : STIS JSP fileJava lines HTML lines Java/HTML ratio Comment lines Blank lines Total about0970.00819124 browse62830.755241238 categories34490.693721141 category_edit14370.38221386 index0310.0013751 login19320.59222396 logout10210.4813953 navigation_bar3250.1213950 page_footer240.506315 page_header971.299833 record_add4450.09221586 record_delete350.608420 record_edit36550.653025146 record_insert12460.26231596 record_search7410.17141173 update_search933.006321 Total2245810.392982261329 Helps users store, access and category information

17 Mutation 2010© Praphamontripong and Offutt17 Mutants and Tests JSP fileTotalTestsLiveKilledScore about1670 1.00 browse551314410.75 categories39116330.85 category_edit1360 1.00 index84081.00 login1700 1.00 logout73250.71 navigation_bar1050 1.00 page_footer42041.00 page_header32120.67 record_add84081.00 record_delete42041.00 record_edit2166150.71 record_insert94091.00 record_search22021.00 update_search32031.00 Total21980291900.87

18 Analysis 60 mutants (38%) were WHR (Hidden Form Field Replacement) Equivalent mutants : Changes of values of non-keys of records to be updated to or deleted from the database This was appropriately checked on the server Mutants not killed Mutation 2010© Praphamontripong and Offutt18

19 Mutation 2010© Praphamontripong and Offutt19 Hand-Seeded Faults Detected JSP file# Faults# TestsFoundRatio about4741.00 browse2013160.80 categories2611210.81 category_edit176140.82 index4430.75 login197110.58 logout3320.67 navigation_bar2521.00 page_footer2221.00 page_header5251.00 record_add9491.00 record_delete0n/a record_edit216140.67 record_insert9491.00 record_search3231.00 update_search3231.00 Total147801180.80

20 Mutation 2010© Praphamontripong and Offutt20 Analysis of Missed Faults Changes of scope setting of jsp:useBean This is state management Changes between equals method and sign (==) if (request.getParameter (userid).equals() if (request.getParameter(userid) == ) Unit testing?

21 Summary Conclusions –Demonstrated feasibility : Mutation operators, a tool –Initial evaluation : Tests, found faults, no comparison Future Work –Additional Web mutation operators – state, scope –SQL mutation operators –Support servlets –Controlled experiments using large, more complex, and industrial web applications –Release webMuJava Mutation 2010© Praphamontripong and Offutt21

22 © Praphamontripong and Offutt22Contacts Upsorn Praphamontripong uprapham@gmu.edu Jeff Offutt offutt@gmu.eduhttp://cs.gmu.edu/~offutt/ Mutation 2010

Download ppt "Applying Mutation Testing to Web Applications Upsorn Praphamontripong and Jeff Offutt Software Engineering George Mason University Fairfax, VA USA www.cs.gmu.edu/~offutt/"

Similar presentations

Of 23 Leadership Rules SWE 301 / 401 Internship Preparation & Reflection Jeff Offutt

Of 23 Leadership Rules SWE 301 / 401 Internship Preparation & Reflection Jeff Offutt
Testing Web Applications (Adapted from Introduction to Software Testing Chapter 7.2 Engineering Criteria for Technologies) By Paul Ammann & Jeff Offutt.

Testing Web Applications (Adapted from Introduction to Software Testing Chapter 7.2 Engineering Criteria for Technologies) By Paul Ammann & Jeff Offutt.
Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information.

Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information.
Testing Dynamic Aspects of Web Applications Jeff Offutt Professor, Software Engineering George Mason University Fairfax, VA USA

Testing Dynamic Aspects of Web Applications Jeff Offutt Professor, Software Engineering George Mason University Fairfax, VA USA
Complaint Desk Team 8. Introduction A web based system that records grievances. A web based system that records grievances. Users can report their grievances.

Complaint Desk Team 8. Introduction A web based system that records grievances. A web based system that records grievances. Users can report their grievances.
Java Programming: Advanced Topics 1 Building Web Applications Chapter 13.

Java Programming: Advanced Topics 1 Building Web Applications Chapter 13.
Apache Struts Technology

Apache Struts Technology
CSCI 6962: Server-side Design and Programming Introduction to Java Server Faces.

CSCI 6962: Server-side Design and Programming Introduction to Java Server Faces.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
PhD Seminar Hints on Writing (A) Rules for Quality Writing With thanks to Robert Geist Jeff Offutt

PhD Seminar Hints on Writing (A) Rules for Quality Writing With thanks to Robert Geist Jeff Offutt
OOSSE Week 8 JSP models Format of lecture: Assignment context JSP models JSPs calling other JSPs i.e. breaking up work Parameter passing JSPs with Add.

OOSSE Week 8 JSP models Format of lecture: Assignment context JSP models JSPs calling other JSPs i.e. breaking up work Parameter passing JSPs with Add.
Of 33 Improving Logic-Based Testing Jeff Offutt Professor, Software Engineering George Mason University Fairfax, VA USA

Of 33 Improving Logic-Based Testing Jeff Offutt Professor, Software Engineering George Mason University Fairfax, VA USA
Fast Track to ColdFusion 9. Getting Started with ColdFusion Understanding Dynamic Web Pages ColdFusion Benchmark Introducing the ColdFusion Language Introducing.

Fast Track to ColdFusion 9. Getting Started with ColdFusion Understanding Dynamic Web Pages ColdFusion Benchmark Introducing the ColdFusion Language Introducing.
SDJ INFOSOFT PVT. LTD. 2 BROWSERBROWSER JSP JavaBean DB 1 4 3 Req Res Application Layer Enterprise server/Data Sources.

SDJ INFOSOFT PVT. LTD. 2 BROWSERBROWSER JSP JavaBean DB Req Res Application Layer Enterprise server/Data Sources.
A Presentation Presentation On JSP On JSP & Online Shopping Cart Online Shopping Cart.

A Presentation Presentation On JSP On JSP & Online Shopping Cart Online Shopping Cart.
Fall 2007cs4201 Advanced Java Programming Umar Kalim Dept. of Communication Systems Engineering

Fall 2007cs4201 Advanced Java Programming Umar Kalim Dept. of Communication Systems Engineering
K. Jamroendararasame*, T. Matsuzaki, T. Suzuki, and T. Tokuda Department of Computer Science, Tokyo Institute of Technology, JAPAN Two Generators of Secure.

K. Jamroendararasame*, T. Matsuzaki, T. Suzuki, and T. Tokuda Department of Computer Science, Tokyo Institute of Technology, JAPAN Two Generators of Secure.
Tutorial 1 Getting Started with Adobe Dreamweaver CS5.

Tutorial 1 Getting Started with Adobe Dreamweaver CS5.
Java Server Pages Lecture 17 27 July 2013. Java Server Pages Java Server Pages (JSPs) provide a way to separate the generation of dynamic content (java)

Java Server Pages Lecture July Java Server Pages Java Server Pages (JSPs) provide a way to separate the generation of dynamic content (java)
Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/

Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/

Similar presentations

Ads by Google