
Automated Identification of Parameter Mismatches in Web Applications William G.J. Halfond and Alessandro Orso Georgia Institute of Technology.


1 Automated Identification of Parameter Mismatches in Web Applications William G.J. Halfond and Alessandro Orso Georgia Institute of Technology

2 Example Web Application
Figure: an end user's initial visit fetches searchpage.jsp from the web server; submitting its form invokes dosearch.jsp with a request such as http://host/dosearch.jsp?search=bagels&business=bakery, and the web application returns the search results.

3 Generating Invocations: searchpage.jsp

void service(Request req) {
  print( " Business Search " );
  print( " " );
  print( " " );
  if (conf.searchPref.equals( "zip" )) {
    print( " Zip: " );
    print( " " );
  } else if (conf.searchPref.equals( "type" )) {
    printTypes( "business" );
  } else {
    print( " City: " );
    print( " " );
    print( " State: " );
    print( " " );
  }
  print( "<input type=hidden name=searchPref value=" + conf.searchPref + ">" );
  print( " " );
  print( " " );
}

4 Receiving Invocations: dosearch.jsp

void service(Request req) {
  // illustrative slide code: the query is assembled from raw request parameters
  String dbQuery = "select businesses from db where ";
  String search = req.getParameter( "search" );
  dbQuery += "name like '" + search + "' ";
  String searchType = req.getParameter( "searchPref" );
  if (searchType.equals( "zip" )) {
    String zip = req.getParameter( "zip" );
    dbQuery += "zip=" + zip;
  } else if (searchType.equals( "type" )) {
    String type = req.getParameter( "busines" );   // misspelled: the page sends "business" (see slide 5)
    dbQuery += "type=" + type;
  } else {
    String state = req.getParameter( "state" );
    dbQuery += "state=" + state;
  }
  ResultSet results = execute(dbQuery);
  print(results);
}

Accepted interfaces, one per path through the method:
  1. search, searchpref, zip
  2. search, searchpref, busines
  3. search, searchpref, state

5 Errors in Example Servlets

Web application interfaces accepted by dosearch.jsp:
  search, searchpref, zip
  search, searchpref, busines
  search, searchpref, state
Invocations generated by searchpage.jsp:
  search, searchpref, zip
  search, searchpref, business
  search, searchpref, city, state
Error #1: Misspelling (the page sends business, the servlet reads busines)
Error #2: Ignored Parameter (the page sends city, which no path of the servlet reads)

6 Current Approaches
  Compilers
  HTML validators
  Developer specification
  Manual inspection
  Traditional testing

7 Our Approach
Goal: automatic identification of errors in interface invocations.
  1. Identify accepted interfaces
  2. Identify interface invocations
  3. Verify invocations against accepted interfaces

8 Step 1: Identify Accepted Interfaces
WAM (interface discovery) [FSE 2007] takes the web application (HTML and servlets) as input and outputs its accepted interfaces. For dosearch.jsp these are:
  #1 search, searchpref, zip
  #2 search, searchpref, busines
  #3 search, searchpref, state

9 Step 2: Identify Interface Invocations
  1. Direct: via API calls
  2. Indirect: via the user client

String urlString = "dosearch.jsp?search=bagels";
URLConnection url = new URLConnection();
InputStream response = url.open(urlString);

10 Direct Invocations
  1. Scan the code to find direct invocation API calls
  2. Identify the parameter containing the invocation
  3. Perform string analysis on that parameter
  4. Parse the URL strings

String urlString = "dosearch.jsp?search=bagels";
URLConnection url = new URLConnection();
InputStream response = url.open(urlString);

11 Indirect Invocations: Overview
The analysis takes the web application (HTML and servlets) as input and outputs the indirect interface invocations. For each method m:
  1. Identify the HTML content of each output statement
  2. Group content along a path into HTML fragments
  3. Perform intermediate parsing of the HTML fragments
  4. Add the HTML fragment to m's summary
Summaries are then combined up to the servlet's root method.

12 Indirect Invocations: Example

void printTypes(String name) {
  print( " " );
  String[] optValues = { "Jewelry", "Bakery", "Restaurant" };
  for (String opt : optValues) {
    print( " " + opt + " " );
  }
  print( " " );
}

HTML fragment for method printTypes: Jewelry Bakery Restaurant

13 Indirect Invocations: Example
Applying the analysis to the service method of searchpage.jsp (slide 3) yields one HTML fragment per path through the method:
  Business Search / Search terms: / City: / State:
  Business Search / Search terms: / Type: Bakery Jewelry Restaurant
  Business Search / Search terms: / Zip:
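Step 2 as a small Python extractor (an added example, not code from the paper's WAIVE tool): urllib parses a direct-invocation URL string, and html.parser pulls the form fields out of the HTML fragment a path prints. The fragments are constructed here to mirror the three paths of searchpage.jsp; their tag structure is an assumption, since the slides only show label text.

```python
"""Step 2 of the approach: extract interface invocations (target plus the
parameter names sent) from a direct-invocation URL string and from the HTML
forms a path prints.  Added example, not code from the paper's WAIVE tool."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def direct_invocation(url_string):
    """Direct invocation: parse the URL string that an API call sends."""
    parts = urlsplit(url_string)
    target = parts.path.rsplit("/", 1)[-1]
    return target, sorted(parse_qs(parts.query, keep_blank_values=True))


class FormInvocations(HTMLParser):
    """Indirect invocation: each <form> is one invocation of its action
    target, carrying the names of the input/select/textarea fields in it."""
    def __init__(self):
        super().__init__()
        self.invocations = []
        self._form = None  # (target, names) while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = (a.get("action", ""), set())
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form[1].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            target, names = self._form
            self.invocations.append((target, sorted(names)))
            self._form = None


def indirect_invocations(html_fragment):
    parser = FormInvocations()
    parser.feed(html_fragment)
    parser.close()
    return parser.invocations


# Constructed fragments: what searchpage.jsp prints on its zip / type / city-state
# paths (tag structure assumed; the slides only show the visible label text).
FRAGMENTS = [
    '<form action="dosearch.jsp"><input name="search"><input type="hidden" name="searchPref" value="zip"><input name="zip"></form>',
    '<form action="dosearch.jsp"><input name="search"><input type="hidden" name="searchPref" value="type"><select name="business"><option>Bakery</option></select></form>',
    '<form action="dosearch.jsp"><input name="search"><input type="hidden" name="searchPref" value="city"><input name="city"><input name="state"></form>',
]

if __name__ == "__main__":
    print(direct_invocation("dosearch.jsp?search=bagels&business=bakery"))
    print([indirect_invocations(f) for f in FRAGMENTS])
```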

14 Step 3: Verification
For each invocation: verify that its target has a matching interface.
Interface invocations targeting dosearch.jsp:
  search, searchpref, zip           (a matching interface exists)
  search, searchpref, city, state   (no matching interface: city is never read)
  search, searchpref, business      (no matching interface: the servlet reads busines)
Accepted interfaces of dosearch.jsp: search, searchpref, state; search, searchpref, busines; search, searchpref, zip.
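The verification step as an added Python example (not the paper's WAIVE implementation): each invocation is compared with the accepted interfaces of its target, and a mismatch is classified as the misspelling or the ignored parameter from slide 5. The 0.8 name-similarity threshold and the extra "missing parameter" class are assumptions of this example, not something the talk states.

```python
"""Step 3 (verification) with the error classes from slide 5.  Added example,
not the paper's WAIVE code; the parameter sets below come from the slides."""
from difflib import SequenceMatcher

# Accepted interfaces of dosearch.jsp (slide 4): one set per path, holding
# the names that path reads with getParameter().
ACCEPTED = {"dosearch.jsp": [
    {"search", "searchpref", "zip"},
    {"search", "searchpref", "busines"},   # misspelled inside the servlet
    {"search", "searchpref", "state"},
]}
# Invocations generated by searchpage.jsp (slide 5): (target, names sent).
INVOCATIONS = [
    ("dosearch.jsp", {"search", "searchpref", "zip"}),
    ("dosearch.jsp", {"search", "searchpref", "business"}),
    ("dosearch.jsp", {"search", "searchpref", "city", "state"}),
]
NEAR = 0.8  # assumed threshold above which two names count as one misspelled

def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def closest_interface(sent, interfaces):
    """Score each interface by how well every sent name matches one of its names
    (exact = 1.0), so a misspelled name still pulls toward its correctly spelled twin."""
    return max(interfaces, key=lambda acc: sum(max(similarity(s, a) for a in acc) for s in sent))

def verify(target, sent, accepted=ACCEPTED):
    """[] when some accepted interface equals the sent set; otherwise one
    (kind, detail) finding per parameter that does not line up."""
    interfaces = accepted.get(target)
    if interfaces is None:
        return [("unknown target", target)]
    if any(sent == acc for acc in interfaces):
        return []
    acc = closest_interface(sent, interfaces)
    extra, missing = sent - acc, acc - sent
    findings = []
    for name in sorted(extra):
        twins = [m for m in sorted(missing) if similarity(name, m) >= NEAR]
        findings.append(("misspelling", f"{name} vs. {twins[0]}") if twins
                        else ("ignored parameter", name))  # sent but never read
    for name in sorted(missing):
        if not any(similarity(name, e) >= NEAR for e in extra):
            findings.append(("missing parameter", name))  # read but never sent
    return findings

def verify_all(invocations=INVOCATIONS, accepted=ACCEPTED):
    return [(target, verify(target, sent, accepted)) for target, sent in invocations]
```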

15 Empirical Evaluation
Research questions:
  1. How efficient is our analysis when run on real web applications?
  2. What percentage of the reported parameter mismatches represent actual errors in the web applications?

16 Tool Implementation
WAIVE: Web Application Interface Verification Engine
  Written in Java
  1. Accepted interfaces: WAM
  2. Interface invocations: leverages Soot, JSA, and HTML Parser
  Targets Java Enterprise Edition (JEE)
  Analyzes bytecode and outputs mismatches

17 Subject Applications

  Subject     Description           LOC      Classes  Servlets
  Bookstore   Online bookstore      18,919   28       25
  Daffodil    Customer management   19,305   119      70
  Filelister  Online file browser   8,630    41       10
  JWMA        Webmail               29,402   97       20

Applications available via SourceForge and GotoCode; a mix of commercial and open-source development.

18 RQ1: Efficiency

  Analysis time (s)
  Subject     Interface   Invoke   Verify   Total
  Bookstore   447         205      1        653
  Daffodil    16,747      205      1        16,953
  Filelister  1,712       66       1        1,779
  JWMA        9,645       630      1        10,276

  Overall time ranges from 10 minutes to 5 hours
  50-80% of the time is spent building the call graph
  Manual inspection of four servlets took 12 hours

19 RQ2: Precision
  Ran WAIVE on the four subject applications
  Manually inspected each reported parameter mismatch
  Classified each mismatch:
    1. As an actual error or a false positive
    2. According to its root cause

20 Errors Identified

  Subject     Ignored Parameter   Optional Parameter   Syntax Error
  Bookstore   6                   2                    4
  Daffodil    0                   0                    1
  Filelister  1                   2                    0
  JWMA        33                  17                   67

  The effect of the errors varied widely, but all caused significant problems
  The underlying human error ranged from mistyping to complex logic errors

21 False Positives

  Subject     WAM   JavaScript   Redirects & Imports
  Bookstore   0     0            0
  Daffodil    2     3            6
  Filelister  0     0            0
  JWMA        0     7            0

  The dominant root causes are addressable by engineering
  WAM precision can be significantly improved

22 Summary and Future Work
  Technique to identify parameter mismatches
  Implemented in a prototype tool, WAIVE
  Evaluation: identified 151 mismatches, with only 18 false positives
  Future work: expand verification to include type checking

23 Thank You. William G.J. Halfond, Georgia Tech, whalfond@cc.gatech.edu

24 Inter-Component Communication
Invocations from searchpage.jsp to dosearch.jsp:
  1. search, searchpref, zip
  2. search, searchpref, business
  3. search, searchpref, city, state


26 Web Application Architecture
Figure: end users send requests (e.g. http://host?login=alice&pin=1234) to the web server; the web application (HTML pages and servlets) answers with HTML pages and communicates with a DB and other back-end systems.

27 Inter-Component Communication
searchpage.jsp invokes dosearch.jsp. An invocation names a target and passes arguments as name-value pairs, e.g. http://host/dosearch.jsp?search=bagels&business=bakery

