ABSTRACT
Web applications routinely handle sensitive data, and many people rely on them for everyday activities, so errors can have severe and broad-reaching consequences. Unlike most desktop applications, many web applications are written in scripting languages such as PHP. The dynamic features these languages commonly support significantly inhibit static analysis, and existing static analyses of these languages can fail to produce meaningful results on real-world web applications.
Automated test input generation using the concolic testing framework has proven useful for finding bugs and improving test coverage in C and Java programs, which generally emphasize numeric values and pointer-based data structures. Scripting languages such as PHP, however, promote a style of web application programming that emphasizes string values, objects, and arrays.
In this paper, we propose an automated test input generation algorithm that uses runtime values to analyze dynamic code, models the semantics of string operations, and handles operations whose argument and return values may not share a common type. As in the standard concolic testing framework, our algorithm gathers constraints during symbolic execution. It resolves constraints over multiple types by considering each variable instance individually, so that it only needs to invert each operation. By recording constraints selectively, our implementation successfully finds bugs in real-world web applications that state-of-the-art static analysis tools fail to analyze.
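The following miniature concolic tester is an added illustration of the idea the abstract sketches; it is not the paper's implementation and is written in Python rather than against the PHP interpreter. The program under test (a role check built from PHP-like string operations), the operation names, the branch encoding and the seed input are all constructed here for illustration. It runs concretely, records one symbolic constraint per branch, negates a branch, and computes a new input by inverting each recorded string operation on its own, using the current concrete value to fill in the characters the constraint leaves unconstrained. The `strlen` step shows a constraint whose argument is a string but whose result is an integer.

```python
"""Miniature concolic tester for string-heavy code (added example, not the
paper's tool).  Run concretely, record symbolic path constraints at branches,
negate one, and derive a new input by inverting one operation at a time.
The program under test and its seed input are constructed for this example."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class CV:
    """Concolic value: a concrete value paired with a symbolic expression tree."""
    conc: Any
    sym: Tuple  # ('input',) | ('upper', e) | ('substr', e, i, n) | ('concat', e, s) | ('strlen', e)


# Instrumented string operations with PHP-like names.  Each records its own
# node so that it can later be inverted independently of the others.
def strtoupper(v: CV) -> CV:
    return CV(v.conc.upper(), ('upper', v.sym))

def substr(v: CV, start: int, length: int) -> CV:
    return CV(v.conc[start:start + length], ('substr', v.sym, start, length))

def concat(v: CV, suffix: str) -> CV:
    return CV(v.conc + suffix, ('concat', v.sym, suffix))

def strlen(v: CV) -> CV:  # string argument, integer result
    return CV(len(v.conc), ('strlen', v.sym))


class Trace:
    """Records (op, sym, const, outcome) for every branch a run evaluates."""
    def __init__(self) -> None:
        self.path: List[Tuple] = []

    def branch(self, v: CV, op: str, const) -> bool:
        taken = v.conc == const if op == 'eq' else v.conc > const
        self.path.append((op, v.sym, const, taken))
        return taken


def program(inp: str, tr: Trace) -> str:
    """Constructed program under test; the 'BUG' return is the path we want to reach."""
    s = CV(inp, ('input',))
    role = substr(strtoupper(s), 0, 3)
    if not tr.branch(role, 'eq', 'ADM'):
        return 'user'
    if not tr.branch(strlen(s), 'gt', 4):
        return 'short-admin'
    if tr.branch(concat(substr(s, 3, 100), ':'), 'eq', 'in:'):
        return 'BUG'
    return 'admin-no-token'


def evaluate(sym: Tuple, inp: str):
    """Concrete value of a symbolic expression under input `inp`."""
    k = sym[0]
    if k == 'input':  return inp
    if k == 'upper':  return evaluate(sym[1], inp).upper()
    if k == 'substr': return evaluate(sym[1], inp)[sym[2]:sym[2] + sym[3]]
    if k == 'concat': return evaluate(sym[1], inp) + sym[2]
    if k == 'strlen': return len(evaluate(sym[1], inp))
    raise ValueError(k)


def invert(sym: Tuple, target, inp: str) -> str:
    """Return an input for which `sym` evaluates to `target`, inverting one
    operation at a time.  Where the inverse is not unique (substr, strlen) the
    current concrete value supplies the unconstrained characters."""
    k = sym[0]
    if k == 'input':
        return target
    if k == 'upper':
        return invert(sym[1], target.lower(), inp)
    if k == 'substr':
        _, e, start, length = sym
        cur = evaluate(e, inp)
        return invert(e, cur[:start] + target + cur[start + length:], inp)
    if k == 'concat':
        _, e, suffix = sym
        if not target.endswith(suffix):
            raise ValueError('unsatisfiable: concat target lacks the fixed suffix')
        return invert(e, target[:len(target) - len(suffix)], inp)
    if k == 'strlen':
        cur = evaluate(sym[1], inp)
        return invert(sym[1], (cur + 'x' * target)[:target], inp)  # pad or truncate
    raise ValueError(k)


def flip_target(op: str, const, want: bool):
    """Pick a concrete value that makes `op` against `const` evaluate to `want`."""
    if op == 'gt':
        return const + 1 if want else const
    if want:
        return const
    if isinstance(const, str):  # same length as const, first character changed
        return (chr(ord(const[0]) + 1) + const[1:]) if const else 'x'
    return const + 1


def concolic_search(seed: str, max_runs: int = 50) -> Dict[str, str]:
    """Standard concolic loop: run, negate each not-yet-explored branch of the
    recorded path, solve by inversion, and queue the resulting input."""
    results: Dict[str, str] = {}
    queue, explored = [seed], set()
    while queue and len(results) < max_runs:
        inp = queue.pop(0)
        if inp in results:
            continue
        tr = Trace()
        results[inp] = program(inp, tr)
        for depth, (op, sym, const, taken) in enumerate(tr.path):
            key = (tuple(tr.path[:depth]), op, sym, const, not taken)
            if key in explored:
                continue
            explored.add(key)
            try:
                queue.append(invert(sym, flip_target(op, const, not taken), inp))
            except ValueError:
                pass  # this inversion cannot realise the negated branch
    return results


if __name__ == '__main__':
    for inp, out in concolic_search('guest').items():
        print(repr(inp), '->', out)
```

Starting from the seed `guest`, the search reaches the `BUG` path with the input `admin` after inverting `concat`, `substr` and `strtoupper` in turn, and also covers the `short-admin` path by inverting `strlen` to shorten the string. One caveat a practitioner should keep in mind: because each inversion uses the current concrete value as context and treats only the negated constraint, the new input can diverge from the earlier branches of the path it was derived from; the driver tolerates this because it re-records the path on every run and never assumes the predicted prefix held.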
- Dynamic test input generation for web applications