Web Application Model Recovery for User Input Validation Testing

Nuo Li, Ji Wu, Mao-zhong Jin, Chao Liu
Software Engineering Institute, School of Computer Science and Engineering, Beihang University, China
seraphic, wuji, jmz, [email protected]
Abstract
Unvalidated input is one of the most critical Web application security flaws. However, testing the user input validation function is an intellectually demanding and labor-intensive task. We are developing a model-driven framework that helps testers accomplish this job in a visual view with guidance. This paper reports our ongoing work. A meta-model of Web applications for user input validation testing is defined. Based on the meta-model, a lightweight method that analyzes HTML files is given to create the model. Our evaluation shows that the proposed method can comprehensively model Web applications and accurately identify the purpose of input points, which is very important for the test case generation planned as future work.
Keywords: Model-driven testing, Web application, user input validation
1. Introduction
In the Internet era, Web applications are becoming the core business in many areas. Meanwhile, attacks on Web applications are increasing rapidly. Current technologies such as anti-virus software and network firewalls offer comparatively secure protection at the host and network levels, but not at the application level [1]. According to the assessment of the Open Web Application Security Project [2], the number one critical Web application security flaw is unvalidated input. Therefore, to develop a secure Web application, data from Web requests must be validated before being used. Recently, more attention has been paid to this problem [1][3][4][5]. However, Web application developers often omit validating user input data, and the validation functions are usually not clearly identified and defined in the requirements. Weber [6], a senior security consultant, took cross-site scripting as an example to show how to test Web applications for such vulnerabilities in practice. The first step is to obtain automated tools to intercept the HTTP requests. Second, map out the site and its functionality by talking with developers and project managers. Third, identify and list every point of user-supplied input. Then the testers should think through and list test cases manually. Finally, start testing and pay attention to the output in order to adjust the test cases. Carried out by hand, these steps are laborious.

By adopting the model-driven testing methodology, we can help testers test a Web application's user input validation (WA-UIV) functions visually and thoroughly. The model-driven testing approach attempts to offer a suite of visual facilities to define, execute and analyze testing [7]. With a suitable method, the Web application can be presented visually and all test-related information can be discovered automatically. Furthermore, validation rules can be associated with the context information in the Web application model and presented to testers in a visual view with guidance. These patterns will be a great help in generating WA-UIV test cases.

This paper reports our ongoing work on how to create the System Under Test (SUT) model for WA-UIV testing, especially how to identify the description text of the input points. Section 2 introduces the SUT model of WA-UIV testing and the method of model generation. Section 3 describes the prototype of the modeling framework. Experimental results are presented in Section 4. Section 5 discusses related work. Section 6 concludes the paper and sketches future work on WA-UIV test case generation.

This research is based on work supported by the National High Technology Research and Development Program of China (Grant No. 2006AA01Z176) and the National Natural Science Foundation of China (Grant No. 60603039).
2. The SUT model of WA-UIV Testing
The test model is the core concept of model-driven testing, and models can be constructed from different views in different phases of testing [8]. The SUT model is the basis of test case generation and test execution.

2.1 Definition of the SUT model
Web applications provide services to users and obtain user input through navigation and other HTML components, so the navigation model is chosen as the SUT model. On the client side, although the components that can accept user input vary in appearance, they can be classified into three types: URL, cookie and form, where a form may be visible or hidden. Furthermore, a form can contain select, textarea, input and button tags. Di Lucca et al. [9] and Ricca and Tonella [10] proposed how to describe the navigation model of Web applications with UML models. We extended their definition to define the SUT model of WA-UIV testing (shown in Figure 1, which was drawn with Rational Rose). The UML 2.0 Testing Profile [12] explains that the SUT is exercised via its public interface operations and signals by the test components during test execution. For WA-UIV testing, the 'public interface' is the 'input point' that accepts the data a user offers.

Figure 1. Meta-model of the SUT model of WA-UIV testing

Figure 1 presents the meta-model of the SUT model of WA-UIV testing. It depicts the navigation relation among client pages, the relationship between input points, the basic information of input points and some description information about them. HTML elements are modeled as classes that inherit from the UML 2 Class metaclass, and the relations between the elements inherit from the UML 2 Association metaclass. The attribute named 'descText' of input, textarea and select is the description text of a textbox or selection list. How to identify the 'descText' of these kinds of input points is explained in detail in the next section. Once the description text is identified, the purpose of the input is derived from a topic model in which each topic is associated with two sets: one contains possible words describing the topic, i.e. the purpose of an input point; the other contains values that are valid input data for an input point with this topic.

2.2 Description-Text Identification
The SUT model is generated by analyzing HTML files. Most of the model elements defined in the meta-model can be extracted from the HTML files easily. However, identifying the 'descText' is a difficult problem, because input tags, text tags and format tags are often intermixed in HTML code.

Figure 2. DOM tree of an HTML page

Figure 2 shows an example of the DOM tree of an HTML page. In order to identify the 'descText' of the tag, the sub-tree belonging to the
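As an added example (not code from the paper or its prototype), the following Python script recovers the form part of this SUT model from a single HTML page: it lists each form's input points with their kind, leaves hidden fields without a description, attaches a 'descText' to every visible point, and maps that text to a purpose with a small topic table of the two-set form described in section 2.1. Because the paper's own descText identification algorithm is not reproduced on this page, the heuristic used here (an explicit label for the element if present, otherwise the nearest visible text preceding the input, with script, style and option text ignored) and the TOPICS table are this example's assumptions, as is the constructed sample page.

```python
"""Added example, not the paper's code: recover the form input points of a WA-UIV SUT model
from one HTML page with only the Python standard library. Tag/attribute names follow the
paper's meta-model; the descText heuristic and the TOPICS table are this example's own."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Optional

INPUT_TAGS = {"input", "select", "textarea", "button"}
SKIP_TEXT_IN = {"script", "style", "select", "button"}  # text inside these is not a description

@dataclass
class InputPoint:
    name: Optional[str]
    kind: str                      # <input type=...>, or the tag name for select/textarea/button
    desc_text: str = ""            # the paper's 'descText'
    purpose: Optional[str] = None  # topic inferred from desc_text, None if unknown

@dataclass
class FormModel:
    action: str
    method: str
    inputs: list = field(default_factory=list)

# Constructed topic table in the paper's two-set form: words describing the topic, and
# values that are valid input data for an input point with that topic.
TOPICS = {
    "username": ({"user", "username", "login", "account"}, ["alice", "bob_01"]),
    "password": ({"password", "passwd", "pwd"}, ["S3cret!Pass"]),
    "email": ({"email", "e-mail", "mail"}, ["[email protected]"]),
}

def infer_purpose(desc_text):
    """Assumed heuristic: pick the first topic sharing a word with the description text."""
    words = set(re.findall(r"[a-z][a-z-]*", desc_text.lower()))
    for topic, (keywords, _valid_values) in TOPICS.items():
        if words & keywords:
            return topic
    return None

class FormModelParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None
        self._skip = 0          # nesting depth inside SKIP_TEXT_IN tags
        self._label_for = None  # 'for' attribute of the <label> being read
        self._labels = {}       # element id -> accumulated <label> text
        self._pending = []      # (id, InputPoint) pairs awaiting label resolution
        self._last_text = ""    # nearest preceding visible text (the fallback descText)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in SKIP_TEXT_IN:
            self._skip += 1
        if tag == "form":
            self._form = FormModel(a.get("action", ""), (a.get("method") or "get").lower())
            self.forms.append(self._form)
        elif tag == "label":
            self._label_for = a.get("for")
        elif tag in INPUT_TAGS and self._form is not None:
            kind = (a.get("type") or "text").lower() if tag == "input" else tag
            point = InputPoint(a.get("name"), kind)
            if kind != "hidden":  # hidden fields carry no user-facing description
                point.desc_text, self._last_text = self._last_text.strip(" :"), ""
                if a.get("id"):
                    self._pending.append((a["id"], point))
            self._form.inputs.append(point)
    def handle_endtag(self, tag):
        if tag in SKIP_TEXT_IN and self._skip:
            self._skip -= 1
        elif tag == "label":
            self._label_for = None
        elif tag == "form":
            self._form = None
    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or self._skip:
            return
        if self._label_for:
            self._labels[self._label_for] = (self._labels.get(self._label_for, "") + " " + text).strip()
        self._last_text = (self._last_text + " " + text).strip()
    def parse(self, html):
        self.feed(html)
        self.close()
        for el_id, point in self._pending:  # an explicit <label for=id> beats the heuristic
            point.desc_text = self._labels.get(el_id, point.desc_text)
        for point in (p for f in self.forms for p in f.inputs):
            point.purpose = infer_purpose(point.desc_text)
        return self.forms

# Constructed sample page (not from the paper): input, text and format tags intermixed.
SAMPLE_HTML = """<html><body><script>var t = "not a description";</script>
<form action="/login" method="POST">
  <input type="hidden" name="csrf" value="abc123">
  <table><tr><td><b>User name</b></td><td><input type="text" name="user"></td></tr>
  <tr><td>Password:</td><td><input type="password" name="pwd"></td></tr>
  <tr><td><label for="em">E-mail address</label></td><td><small>(optional)</small><input id="em" name="email"></td></tr>
  <tr><td>Country</td><td><select name="country"><option>CN</option></select></td></tr></table>
  <input type="submit" value="Login">
</form></body></html>"""
```

The entry point is `FormModelParser().parse(html)`, which returns one `FormModel` per form. On `SAMPLE_HTML` it yields a single form (`/login`, `post`) with six input points: the hidden `csrf` field and the unnamed submit button get an empty descText and no purpose; 'User name', 'Password' and 'E-mail address' resolve to the username, password and email topics (the label wins over the '(optional)' text that sits next to the e-mail box); 'Country' is extracted as descText but matches no topic, which is the case where a tester would supply the purpose by hand.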