Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking -Shreyas Ravindra.

Published byMorgan Lamb Modified over 8 years ago

Similar presentations

Presentation on theme: "Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking -Shreyas Ravindra."— Presentation transcript:

1 Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking -Shreyas Ravindra

2 Abstract Web script crashes and malformed dynamically generated webpages are common errors Current tools for webpage validation cannot handle the dynamically generated pages A dynamic test generation technique for the domain of dynamic Web applications is presented in this session The technique Utilizes – Combined concrete and symbolic execution – Explicit-state model checking

3 Introduction This paper extends dynamic test generation to the domain of web applications that dynamically create web (HTML) pages during execution, which are typically presented to the user in a browser. Our goal is to find two kinds of failures in web applications: – execution failures – HTML failures

4 Failures in PHP Programs Apollo targets two types of failures – Execution Failures – HTML Failures

5 Above prog contains three faults, which cause the following failures when the program – line 11: Execution failure – Line 23: Execution failure – Line 29: Malformed HTML

6 Algorithm

7 Algorithm(Cont.) Subroutine getConfig() is used to get new configurations.

8 Example executeSymbolic produces the following path constraint: NotSet(page)^ page2 !=1337 ^ login !=1 --(I) The algorithm now enters the foreach loop on line 16 NotSet(page) ^ page2 != 1337 ^ login =1-(II) NotSet(pageÞ ^ page2 = 1337 -------------- (III) Set(page) ---------------------------------------- (IV)

9 Path Constraint Minimization Minimization algorithm attempts to find a shorter path constraint for a given bug report. For a Given Bug report b, the algorithm takes following steps 1.Intersects all the path constraints exposing b:failure (line 1). 2. The minimizer systematically removes one conjunct at a time (lines 3-6). 3. If one of these shorter path constraints does not expose b:failure, then the removed conjunct is required for exposing b:failure. 4.The set of all such required conjuncts determines the minimized path constraint.

10 Combined Concrete and Symbolic Execution with Explicit-State Model Checking : A typical PHP Web application is a client-server application in which data and control flows interactively between a server that runs PHP scripts and a client, which is usually a Web browser. Apollo implements a form of explicit-state software model checking. the algorithm presented in this section remembers and restores the state between executions of PHP scripts. This technique, known as state matching, is widely known in model checking and implemented in tools such as SPIN and JavaPath-Finder.

11 Interactive User Simulation Example

12 Algorithm II The algorithm tracks the state of the environment, and automatically discovers additional configurations based on an analysis of the output for available user options. The algorithm does the following two functions: 1.Tracks changes to the state of the environment (i.e., session state, cookies, and the database) 2.Performs an “on-the-fly” analysis of the output produced by the program to determine what user options it contains, with their associated PHP script

13 Algorithm II(Cont.)

14 There are four differences (underlined in the figure) with the simplified algorithm that was previously shown in Fig. 2. 1.A configuration contains an explicit state of the environment (before the only state that was used was the initial state S0) in addition to the path constraint and the input (line 3). 2.Before the program is executed, the algorithm (method executeConcrete) will restore the environment to the state given in the configuration (line 7) and will return the new state of the environment after the execution.

15 Algorithm II(Cont.) 3. getConfigs() – finds new configurations, – it analyzes the output to find possible transitions from the new environment state (lines 24-27). analyzeOutput()— extracts parameter names and possible values for each parameter, and represents the extracted information as a path constraint. 4. The algorithm uses a set of configurations that are already in the queue (line 14) and it performs state matching in order to only explore new configurations (line 11).

16 Implementation: Apollo consists of three major components 1.Executor 2.Bug Finder 3.Input Generator

17 Implementation: INPUT Inputs – Program under test – Initial values for the environment Environment Consists of – Database – Cookies – Stored Session information The initial environment consists of – A database populated with some values – Username/Password pairs supplied by user for database authentication

18 Implementation: EXECUTOR Executor—executes a PHP script with a given input in a given state. The executor contains two subcomponents: – The Shadow Interpreter is a PHP interpreter that propagates and records path constraints and positional information associated with output. – The State Manager

19 Implementation: BUG FINDER The Bug Finder has the following subcomponents: The Oracle finds HTML failures in the output of the program. The Bug Report Repository stores all bug reports found during all executions. The Input Minimizer finds, for a given bug report, the smallest path constraint on the input parameters that results in inputs inducing the same failure as in the report.

20 Implementation: INPUT GENERATOR The Input Generator implements the algorithm The UI Option Analyzer analyzes the HTML output of each execution to convert the interactive user options into new inputs to execute

21 Implementation: INPUT GENERATOR The Symbolic Driver generates new path constraints from the constraints found during the execution. The Constraint Solver computes an assignment of values to input parameters that satisfies a given path constraint. The Value Generator generates values for parameters that are not otherwise constrained, using a combination of random value generation and constant values mined from the program source code.

22 EVALUATION: Q1. How many faults can Apollo find, and of what varieties? Q2. How effective is the fault detection technique of Apollo compared to alternative approaches in terms of the number and severity of discovered faults and the line coverage achieved? Q3. How effective is our minimization technique in reducing the size of input parameter constraints and failure-inducing inputs?

23 GENERATION STRATERGIES We use the following test input-generation strategies in the remainder of this section: – Apollo’s Input Generation – Randomized both strategies were executed inside the same experimental harness. This includes the Database Manager, which supplies usernames and passwords for database access, and the UI option analyzer.

24 METHODOLOGY To answer the first research question (Q1) we applied Apollo to the six subject programs and we classified the discovered failures into five groups based on their different failure characteristics: – Execution error – Execution warning – HTML error – HTML warning

25 METHODOLOGY To answer Q2, the coverage achieved and the number of faults found with the Randomized generation strategy was compared with apollo’s output.. Q3 was tested by exercising the input minimizer algorithm.

26 Results The graphs and tables below visualize how coverage and the number of failures found increases over time, when both techniques are given up to 20 minutes

27 Results - 2

28 Results -3

29 Results - 4 Comparison with Static Analysis – Minamide Vs. Apollo Path Constraint Minimization – Original Unminimized path Vs Minimized path

30 Threats to Validity Construct Validity: – Why do we count malformed HTML as a defect in dynamically generated webpages? – Why do we use line coverage as a qulity metric? Internal Validity – Did Apollo discover real, unseeded, and unknown faults? External Validity – Will our results generalize beyond the subject programs?

31 Limitations: 1.Simulating user inputs based on locally executed Java-Script 2.Limited tracking in native methods 3.Limited tracking of input parameters through the database 4.Limited sources of input parameters

32 Related Work An earlier version of this paper was presented at ISSTA The Apollo tool presented at ISSTA did not handle the problem of automatically simulating user interactions in Web applications The current paper also extends by providing a more extensive evaluation, which includes two new large Web applications, and by presenting a detailed classification of the faults found by Apollo.

33 Conclusions A technique for finding faults in PHP web application through Combined Concrete and Symbolic Execution The Work is novel in several respects – The tool not only detects runtime errors but uses HTML validater as a oracle to inspect Malformed HTML pages – PHP Specific issues has been addressed, like Interactive user input – Automated analysis to minimize the failure inducing inputs

34 Conclusions Apollo’s test generation strategy achieves over 50 percent line coverage Apollo found a total of 673 faults in these applications: – 72 execution problems – 601 cases of malformed HTML – Apollo also minimizes the size of failure-inducing inputs: The minimized inputs are up to 5:3 smaller than the unminimized ones

35 References Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking – Shay Artzi, Adam Kie _zun, Julian Dolby, Frank Tip, Danny Dig,Amit Paradkar, Senior Member, IEEE, and Michael D. Ernst

36 Q&A

37 Thank you

Download ppt "Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking -Shreyas Ravindra."

Similar presentations

PHP I.

PHP I.
Microsoft Research March 20, 2000 A Programming Language for Developing Interactive Web Services Claus Brabrand BRICS, University of Aarhus, Denmark.

Microsoft Research March 20, 2000 A Programming Language for Developing Interactive Web Services Claus Brabrand BRICS, University of Aarhus, Denmark.
Prioritizing User-session-based Test Cases for Web Applications Testing Sreedevi Sampath, Renne C. Bryce, Gokulanand Viswanath, Vani Kandimalla, A.Gunes.

Prioritizing User-session-based Test Cases for Web Applications Testing Sreedevi Sampath, Renne C. Bryce, Gokulanand Viswanath, Vani Kandimalla, A.Gunes.
Languages for Dynamic Web Documents

Languages for Dynamic Web Documents
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
SE 450 Software Processes & Product Metrics Reliability: An Introduction.

SE 450 Software Processes & Product Metrics Reliability: An Introduction.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
An Object-Oriented Architecture Supporting Web Application Testing Presented By: Bhavdeep Singh.

An Object-Oriented Architecture Supporting Web Application Testing Presented By: Bhavdeep Singh.
RIT Software Engineering

RIT Software Engineering
SE 450 Software Processes & Product Metrics 1 Defect Removal.

SE 450 Software Processes & Product Metrics 1 Defect Removal.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
1 State-Based Testing of Ajax Web Applications A. Marchetto, P. Tonella and F. Ricca CMSC737 Spring 2008 Shashvat A Thakor.

1 State-Based Testing of Ajax Web Applications A. Marchetto, P. Tonella and F. Ricca CMSC737 Spring 2008 Shashvat A Thakor.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Automated Tests in NICOS Nightly Control System Alexander Undrus Brookhaven National Laboratory, Upton, NY 11973 Software testing is a difficult, time-consuming.

Automated Tests in NICOS Nightly Control System Alexander Undrus Brookhaven National Laboratory, Upton, NY Software testing is a difficult, time-consuming.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.

State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.
TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.

TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.
‘ ?>

‘ ?>
Finding Bugs in Dynamic Web Applications Shay Artzi, Adam Kiezun, Julian Dolby, Frank Tip, Danny Dig, Amit Paradkar, Michael D. Earnst Proceeding: ISSTA.

Finding Bugs in Dynamic Web Applications Shay Artzi, Adam Kiezun, Julian Dolby, Frank Tip, Danny Dig, Amit Paradkar, Michael D. Earnst Proceeding: ISSTA.

Similar presentations

Ads by Google