Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information.

Published byIsabel Carson Modified over 8 years ago

Similar presentations

Presentation on theme: "Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information."— Presentation transcript:

1 Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou vpapadim@gmu.edu The Volgenau School of Information Technology & Engineering Dept. of Information & Software Engineering George Mason University Fairfax, VA USA

2 Aug. 2, 2005Vasileios Papadimitriou2 Introduction World Wide Web changed the methods of software development and deployment –We value reliability, usability, and security more than “time to market” –“Extremely loosely coupled” systems –Browser based clients –HTTP Web applications become vulnerable to input manipulation that may: –Reduce reliability –Compromise security

3 Aug. 2, 2005Vasileios Papadimitriou3 Introduction (cont.) Offutt and Wu's work on bypass testing of web application is extended –Theoretical background is revised to support use of automated approach HttpUnit is used to build a prototype software application that automatically: –Parses HMTL pages –Identifies forms and their fields –Creates bypass test cases –Submits test cases to the application’s server

4 Aug. 2, 2005Vasileios Papadimitriou4 Presentation Outline Client side validation types & rules to automatically generate test cases AutoBypass testing tool and demo Experiment design Results Conclusions

5 Aug. 2, 2005Vasileios Papadimitriou5 Types of Client Input Validation Client side input validation is performed by HTML form controls, their attributes, and client side scripts that access DOM Validation types are categorized in HTML and Scripting. –HTML supports syntactic validation –Client scripting can perform both syntactic and semantic validation HTML ConstraintsScripting Constraints Length (max input characters) Value (preset values) Transfer Mode (GET or POST) Field Element (preset fields) Target URL (links with values) Data Type (e.g. integer check) Data Format (e.g. ZIP code format) Data Value (e.g. age value range) Inter-Value (e.g. credit # + exp. date) Invalid Characters (e.g. <,../,&)

6 Aug. 2, 2005Vasileios Papadimitriou6 Example Interface: yahoo registration form Limited Length (HTML) Preset Values (HTML) Preset Transfer Mode in form definition (HTML) Preset No of Fields (HTML) URL with preset Values (HTML) Data Value, Type, & Format validation (script) Inter Value validation (script)

7 Aug. 2, 2005Vasileios Papadimitriou7 Test Value Selection Challenge: –How to automatically provide effective test values? “Semantic Domain Problem” (SDP) –Values within the application domain are needed –Enumeration of all possible test values is inefficient Possible Solutions –Random Values (ineffective) –Automatically generated values (too hard) –Study application and construct a set of values (feasible) –Tester input (feasible) AutoBypass uses a input domain created by parsing the interface and tester input

8 Aug. 2, 2005Vasileios Papadimitriou8 AutoBypass AutoBypass Steps (the big picture) Parse Interface Set Default Values Generate Test Cases & Run Tests Review Results All HTML violation rules are used to generate test cases This version of AutoBypass does NOT automatically violate scripting validation, but: –AutoBypass behaves as a browser with scripts disabled –Tester can provide test inputs that will bypass scripting validation.

9 Aug. 2, 2005Vasileios Papadimitriou9 AutoBypass Demo: 69.255.103.24:8080/AutoBypass/ Localhost:8080/AutoBypass

10 Aug. 2, 2005Vasileios Papadimitriou10 v AutoBypass Architecture

11 Aug. 2, 2005Vasileios Papadimitriou11 Experiment Design How well can the tool perform on real web applications? Null Hypothesis: –Bypass testing of web applications will NOT expose more faults than standard testing. Independent Variable: –Method of testing web applications. –Two values are compared: Bypass method Industry standard testing method

12 Aug. 2, 2005Vasileios Papadimitriou12 Experiment Design (cont.) Dependent Variable: Type of the server response given an invalid request submission: –(V) Valid Responses: invalid inputs are adequately processed by the server –(F) Faults & Failures: invalid inputs that cause abnormal server behavior (typically caught by web server when application fails to handle the error) –(E) Exposure: invalid input is not recognized by the server and abnormal software behavior is exposed to the users * both F & E are invalid responses

13 Aug. 2, 2005Vasileios Papadimitriou13 Experiment Design (cont.) Appropriateness vs. Expectancy –Responses for Invalid inputs are not defined Preliminary results show a variety of “valid” responses –Further classification is defined (V1)Server acknowledges the invalid request and provides an explicit message regarding the violation (V2)Server produces a generic error message (V3)Server apparently ignores the invalid request and produces an appropriate response (V4)Server apparently ignores the request completely It is unknown whether valid responses have actually resulted to corrupted data on the server.

14 Aug. 2, 2005Vasileios Papadimitriou14 Subject Selection Criteria: –Complexity of the application –Ability to perform bypass testing Assumptions for web applications tested: –Products designed by professionals –Tested by their designers (yet testing methods are not well known or well defined) –Used by significant number of users

15 Aug. 2, 2005Vasileios Papadimitriou15 Subjects atutor.ca Atalker demo.joomla.or Poll, Users phpMyAdmin Main page, Set Theme, SQL Query, DB Stats brainbench.com Submit Request Info, New user myspace.com Events & Music Search bankofamerica.com ATM locator, Site search comcast.com Service availability ecost.com Detail submit, Shopping cart control google.com Froogle, Language tools pageflakes.com Registration wellsfargolife.com Quote search nytimes.com Us-markets mutex.gmu.edu Login form yahoo.com Notepad, Composer, Search reminder, Weather Search barnesandnoble.com Cart manager, Book search/results amazon.com Item dispatch, Handle buy

16 Aug. 2, 2005Vasileios Papadimitriou16 Results (1 of 2)

17 Aug. 2, 2005Vasileios Papadimitriou17 Results (2 of 2)

18 Aug. 2, 2005Vasileios Papadimitriou18 v Result Graphs

19 Aug. 2, 2005Vasileios Papadimitriou19 Results Summary 24% of tests caused invalid responses Hypothesis is rejected * with the exception of Google and Amazon Problems Found: –Crashes and incorrect output (and possibly corrupt data on the servers) –Potential security vulnerabilities Invalid input passed to the application without validation Invalid input reached database queries

20 Aug. 2, 2005Vasileios Papadimitriou20 Results Summary (cont.) Testing Cost –Average of 1.8 hours per module tested ~ 1¾ hours of human labor & 5 minutes computer processing Violation Rules effectiveness

21 Aug. 2, 2005Vasileios Papadimitriou21 Confounding Variables AutoBypass Implementation –Tested for validity of results –Some Violation rules are not implemented (Scripting rules) Sample Selection –Complex interfaces could not be parsed –Selected only public, non-critical applications –Some interfaces had to be modified to allow testing

22 Aug. 2, 2005Vasileios Papadimitriou22 Confounding Variables (cont.) Tester Value Selection –Selection of additional values that violated the constraints –Little or no familiarity with the application domain Result Evaluation –Challenging process ~ 90% of the testing cost –No access to server –faults may not be detected –Manual verification –Cross Rater evaluation would be helpful

23 Aug. 2, 2005Vasileios Papadimitriou23 Conclusions Bypass testing can reveal errors in web applications beyond what standard testing can find –Programs are still designed to depend on client’s side interface constraints –Subjects with significant number of users were less affected Assumed to be the most expensive software Web development can benefit from bypass testing –Inexpensive to test applications in terms of resources and human labor. –Efficient method creating limited test cases –AutoBypass performs testing on external system level Access to the application source or server is NOT required. Platform independent Can be combined with standard testing.

24 Aug. 2, 2005Vasileios Papadimitriou24 Ways to improve AutoBypass Improve interface parser –Eliminate scripting limitations Implement scripting violation rules Widen the scope of testing from a form/page to a site –Test sequence of events –Application level Input Domain Explore possibilities for automated response evaluation

25 Aug. 2, 2005Vasileios Papadimitriou25 Questions? Vasileios Papadimitriou vpapadim@gmu.edu

Download ppt "Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information."

Similar presentations

PHP I.

PHP I.
Performance Testing - Kanwalpreet Singh.

Performance Testing - Kanwalpreet Singh.
Unit Testing in the OO Context(Chapter 19-Roger P)

Unit Testing in the OO Context(Chapter 19-Roger P)
Chapter 10 Software Testing

Chapter 10 Software Testing
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Test Case Management and Results Tracking System October 2008 D E L I V E R I N G Q U A L I T Y (Short Version) www.megalith-solutions.com.

Test Case Management and Results Tracking System October 2008 D E L I V E R I N G Q U A L I T Y (Short Version)
Tutorial 6 Creating a Web Form

Tutorial 6 Creating a Web Form
Introduction to Software Testing Chapter 9.2 Challenges in Testing Software – Software Testability Paul Ammann & Jeff Offutt www.introsoftwaretesting.com.

Introduction to Software Testing Chapter 9.2 Challenges in Testing Software – Software Testability Paul Ammann & Jeff Offutt
Alternate Software Development Methodologies

Alternate Software Development Methodologies
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.

Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.
DT211/3 Internet Application Development JSP: Processing User input.

DT211/3 Internet Application Development JSP: Processing User input.
SE 450 Software Processes & Product Metrics Reliability: An Introduction.

SE 450 Software Processes & Product Metrics Reliability: An Introduction.
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
1 State-Based Testing of Ajax Web Applications A. Marchetto, P. Tonella and F. Ricca CMSC737 Spring 2008 Shashvat A Thakor.

1 State-Based Testing of Ajax Web Applications A. Marchetto, P. Tonella and F. Ricca CMSC737 Spring 2008 Shashvat A Thakor.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Swami NatarajanJuly 14, 2015 RIT Software Engineering Reliability: Introduction.

Swami NatarajanJuly 14, 2015 RIT Software Engineering Reliability: Introduction.
Introduction to Software Testing

Introduction to Software Testing
UNIT-V The MVC architecture and Struts Framework.

UNIT-V The MVC architecture and Struts Framework.
Students: Nadia Goshmir, Yulia Koretsky Supervisor: Shai Rozenrauch Industrial Project 234313 Advanced Tool for Automatic Testing Final Presentation.

Students: Nadia Goshmir, Yulia Koretsky Supervisor: Shai Rozenrauch Industrial Project Advanced Tool for Automatic Testing Final Presentation.

Similar presentations

Ads by Google