Automating Bypass Testing for Web Applications. Vasileios Papadimitriou, The Volgenau School of Information Technology & Engineering, George Mason University. Aug. 2, 2005.

Presentation transcript:

Slide 1: Automating Bypass Testing for Web Applications
Vasileios Papadimitriou
The Volgenau School of Information Technology & Engineering, Dept. of Information & Software Engineering, George Mason University, Fairfax, VA, USA
Aug. 2, 2005

Slide 2: Introduction
The World Wide Web has changed the methods of software development and deployment:
– We value reliability, usability, and security more than “time to market”
– “Extremely loosely coupled” systems
– Browser-based clients
– HTTP
Web applications become vulnerable to input manipulation that may:
– Reduce reliability
– Compromise security

Slide 3: Introduction (cont.)
Offutt and Wu's work on bypass testing of web applications is extended:
– The theoretical background is revised to support an automated approach
HttpUnit is used to build a prototype application that automatically:
– Parses HTML pages
– Identifies forms and their fields
– Creates bypass test cases
– Submits the test cases to the application’s server

Slide 4: Presentation Outline
Client-side validation types and rules to automatically generate test cases
AutoBypass testing tool and demo
Experiment design
Results
Conclusions

Slide 5: Types of Client Input Validation
Client-side input validation is performed by HTML form controls, their attributes, and client-side scripts that access the DOM.
Validation types fall into two categories, HTML and scripting:
– HTML supports syntactic validation
– Client scripting can perform both syntactic and semantic validation
HTML Constraints:
– Length (max input characters)
– Value (preset values)
– Transfer Mode (GET or POST)
– Field Element (preset fields)
– Target URL (links with values)
Scripting Constraints:
– Data Type (e.g. integer check)
– Data Format (e.g. ZIP code format)
– Data Value (e.g. age value range)
– Inter-Value (e.g. credit # + exp. date)
– Invalid Characters (e.g. <, ../, &)

Slide 6: Example Interface: Yahoo registration form
– Limited Length (HTML)
– Preset Values (HTML)
– Preset Transfer Mode in form definition (HTML)
– Preset number of fields (HTML)
– URL with preset values (HTML)
– Data Value, Type, & Format validation (script)
– Inter-Value validation (script)

Slide 7: Test Value Selection
Challenge:
– How to automatically provide effective test values?
“Semantic Domain Problem” (SDP):
– Values within the application domain are needed
– Enumeration of all possible test values is inefficient
Possible solutions:
– Random values (ineffective)
– Automatically generated values (too hard)
– Study the application and construct a set of values (feasible)
– Tester input (feasible)
AutoBypass uses an input domain created by parsing the interface and from tester input.

Slide 8: AutoBypass
AutoBypass steps (the big picture): Parse Interface → Set Default Values → Generate Test Cases & Run Tests → Review Results
All HTML violation rules are used to generate test cases.
This version of AutoBypass does NOT automatically violate scripting validation, but:
– AutoBypass behaves as a browser with scripts disabled
– The tester can provide test inputs that will bypass scripting validation
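As an added illustration (not the AutoBypass tool's own code) of the HTML constraints listed on slide 5 and of steps 1 to 3 on slide 8, the Python below parses a constructed form and derives one test case per HTML violation rule (Length, Value, Field Element, Transfer Mode); the sample form, its field names and the substituted values are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample form (not from the talk) carrying the HTML constraints the slides list: maxlength, preset <select> values, a preset hidden field, method=POST.
SAMPLE_FORM = """<form action="/register" method="post">
<input type="text" name="zip" maxlength="5">
<select name="country"><option value="US">US</option><option value="CA">CA</option></select>
<input type="hidden" name="plan" value="free"><input type="submit" value="Go"></form>"""

class FormParser(HTMLParser):
    """Step 1 of the tool: collect the form's method and each field's HTML-level constraint."""
    def __init__(self):
        super().__init__()
        self.method, self.fields, self._select = "get", {}, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.method = a.get("method", "get").lower()
        elif tag == "input" and a.get("type") != "submit":
            self.fields[a["name"]] = {"type": a.get("type", "text"),
                                     "maxlength": a.get("maxlength"), "value": a.get("value", "")}
        elif tag == "select":
            self._select = a["name"]
            self.fields[self._select] = {"type": "select", "options": []}
        elif tag == "option" and self._select:
            self.fields[self._select]["options"].append(a.get("value", ""))
    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None

def baseline(fields):
    """Step 2: a default value per field that respects every constraint."""
    return {n: (f["options"][0] if f["type"] == "select" else f["value"] or "a")
            for n, f in fields.items()}

def bypass_cases(html):
    """Step 3: one test case per HTML violation rule, as (rule, field, method, data)."""
    p = FormParser()
    p.feed(html)
    base, cases = baseline(p.fields), []
    for name, f in p.fields.items():
        if f.get("maxlength"):            # Length rule: one character past maxlength
            cases.append(("length", name, p.method, {**base, name: "x" * (int(f["maxlength"]) + 1)}))
        if f["type"] == "select":         # Value rule: a value outside the preset options
            cases.append(("value", name, p.method, {**base, name: "ZZ"}))
        if f["type"] == "hidden":         # Field Element rule: alter a preset hidden field
            cases.append(("hidden", name, p.method, {**base, name: "premium"}))
        cases.append(("missing", name, p.method, {k: v for k, v in base.items() if k != name}))
    other = "get" if p.method == "post" else "post"   # Transfer Mode rule: flip GET/POST
    cases.append(("method", None, other, dict(base)))
    return cases
```

Each returned case is then submitted to the application under test and its response classified as on slides 12 and 13; the server-side handler, not the browser, is what the case exercises.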

Slide 9: AutoBypass Demo: http://localhost:8080/AutoBypass/

Slide 10: AutoBypass Architecture (diagram)

Slide 11: Experiment Design
How well can the tool perform on real web applications?
Null hypothesis:
– Bypass testing of web applications will NOT expose more faults than standard testing.
Independent variable:
– Method of testing web applications; two values are compared: the bypass method and the industry-standard testing method

Slide 12: Experiment Design (cont.)
Dependent variable: type of server response given an invalid request submission:
– (V) Valid responses: invalid inputs are adequately processed by the server
– (F) Faults & failures: invalid inputs cause abnormal server behavior (typically caught by the web server when the application fails to handle the error)
– (E) Exposure: invalid input is not recognized by the server and abnormal software behavior is exposed to the users
* Both F and E are invalid responses

Slide 13: Experiment Design (cont.)
Appropriateness vs. expectancy:
– Responses for invalid inputs are not defined
Preliminary results show a variety of “valid” responses, so a further classification is defined:
– (V1) Server acknowledges the invalid request and provides an explicit message regarding the violation
– (V2) Server produces a generic error message
– (V3) Server apparently ignores the invalid request and produces an appropriate response
– (V4) Server apparently ignores the request completely
It is unknown whether valid responses have actually resulted in corrupted data on the server.

Slide 14: Subject Selection
Criteria:
– Complexity of the application
– Ability to perform bypass testing
Assumptions for the web applications tested:
– Products designed by professionals
– Tested by their designers (yet the testing methods are not well known or well defined)
– Used by a significant number of users

Slide 15: Subjects (site: modules tested)
atutor.ca: Atalker
demo.joomla.or: Poll, Users
phpMyAdmin: Main page, Set Theme, SQL Query, DB Stats
brainbench.com: Submit Request Info, New user
myspace.com: Events & Music Search
bankofamerica.com: ATM locator, Site search
comcast.com: Service availability
ecost.com: Detail submit, Shopping cart control
google.com: Froogle, Language tools
pageflakes.com: Registration
wellsfargolife.com: Quote search
nytimes.com: Us-markets
mutex.gmu.edu: Login form
yahoo.com: Notepad, Composer, Search reminder, Weather Search
barnesandnoble.com: Cart manager, Book search/results
amazon.com: Item dispatch, Handle buy

Slide 16: Results (1 of 2)

Slide 17: Results (2 of 2)

Slide 18: Result Graphs

Slide 19: Results Summary
24% of tests caused invalid responses
The null hypothesis is rejected (* with the exception of Google and Amazon)
Problems found:
– Crashes and incorrect output (and possibly corrupt data on the servers)
– Potential security vulnerabilities: invalid input passed to the application without validation; invalid input reached database queries

Slide 20: Results Summary (cont.)
Testing cost:
– Average of 1.8 hours per module tested: ~1¾ hours of human labor and 5 minutes of computer processing
Violation rules effectiveness

Slide 21: Confounding Variables
AutoBypass implementation:
– Tested for validity of results
– Some violation rules are not implemented (scripting rules)
Sample selection:
– Complex interfaces could not be parsed
– Only public, non-critical applications were selected
– Some interfaces had to be modified to allow testing

Slide 22: Confounding Variables (cont.)
Tester value selection:
– Selection of additional values that violated the constraints
– Little or no familiarity with the application domain
Result evaluation:
– Challenging process, ~90% of the testing cost
– No access to the server, so faults may not be detected
– Manual verification; cross-rater evaluation would be helpful

Slide 23: Conclusions
Bypass testing can reveal errors in web applications beyond what standard testing can find:
– Programs are still designed to depend on client-side interface constraints
– Subjects with a significant number of users were less affected (assumed to be the most expensive software)
Web development can benefit from bypass testing:
– Inexpensive to test applications in terms of resources and human labor
– Efficient method that creates a limited number of test cases
– AutoBypass performs testing at the external system level: access to the application source or server is NOT required; platform independent; can be combined with standard testing

Slide 24: Ways to Improve AutoBypass
Improve the interface parser:
– Eliminate scripting limitations
– Implement scripting violation rules
Widen the scope of testing from a form/page to a site:
– Test sequences of events
– Application-level input domain
Explore possibilities for automated response evaluation

Slide 25: Questions? Vasileios Papadimitriou