Yesterday, my program worked. Today, it does not. Why?
ESEC/FSE-7 Proceedings of the 7th European software engineering conference held jointly with the 7th ACM SIGSOFT international symposium on Foundations of software engineering
Static validation of dynamically generated HTML
PASTE '01 Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Analysis and testing of Web applications
ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Intrusion Detection via Static Analysis
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Static approximation of dynamically generated Web pages
WWW '05 Proceedings of the 14th international conference on World Wide Web
Locating causes of program failures
Proceedings of the 27th international conference on Software engineering
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Leveraging User-Session Data to Support Web Application Testing
IEEE Transactions on Software Engineering
CUTE: a concolic unit testing engine for C
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Automated replay and failure detection for web applications
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
HDD: hierarchical delta debugging
Proceedings of the 28th international conference on Software engineering
Web application characterization through directed requests
Proceedings of the 2006 international workshop on Dynamic systems analysis
Compositional dynamic test generation
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Proceedings of the 2007 ACM symposium on Applied computing
ICSE '07 Proceedings of the 29th international conference on Software Engineering
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Dynamic test input generation for database applications
Proceedings of the 2007 international symposium on Software testing and analysis
Improving test case generation for web applications using automated interface discovery
Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Directed test generation using symbolic grammars
Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering
Evacon: a framework for integrating evolutionary and concolic testing for object-oriented programs
Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
DySy: dynamic symbolic execution for invariant inference
Proceedings of the 30th international conference on Software engineering
Grammar-based whitebox fuzzing
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Dynamic characterization of web application interfaces
FASE'07 Proceedings of the 10th international conference on Fundamental approaches to software engineering
Demand-driven compositional symbolic execution
TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Execution generated test cases: how to make systems code crash itself
SPIN'05 Proceedings of the 12th international conference on Model Checking Software
Automated identification of parameter mismatches in web applications
Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering
Web application modeling for testing and analysis
Proceedings of the 2008 Foundations of Software Engineering Doctoral Symposium
Automatic creation of SQL Injection and cross-site scripting attacks
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Invariant-based automatic testing of AJAX user interfaces
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Precise interface identification to improve testing and analysis of web applications
Proceedings of the eighteenth international symposium on Software testing and analysis
Practical fault localization for dynamic web applications
Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 1
Directed test generation for effective fault localization
Proceedings of the 19th international symposium on Software testing and analysis
Modeling consumer-perceived web application fault severities for testing
Proceedings of the 19th international symposium on Software testing and analysis
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Interprocedural analysis with lazy propagation
SAS'10 Proceedings of the 17th international conference on Static analysis
Directed test suite augmentation: techniques and tradeoffs
Proceedings of the eighteenth ACM SIGSOFT international symposium on Foundations of software engineering
Statically locating web application bugs caused by asynchronous calls
Proceedings of the 20th international conference on World wide web
A framework for automated testing of javascript web applications
Proceedings of the 33rd International Conference on Software Engineering
Symbolic execution for software testing in practice: preliminary assessment
Proceedings of the 33rd International Conference on Software Engineering
Detecting cross-browser issues in web applications
Proceedings of the 33rd International Conference on Software Engineering
Concolic testing and constraint satisfaction
SAT'11 Proceedings of the 14th international conference on Theory and application of satisfiability testing
Praspel: a specification language for contract-based testing in PHP
ICTSS'11 Proceedings of the 23rd IFIP WG 6.1 international conference on Testing software and systems
Domain and value checking of web application invocation arguments
ASE '11 Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering
Auto-locating and fix-propagating for HTML validation errors to PHP server-side code
ASE '11 Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering
Proceedings of the 2012 International Symposium on Software Testing and Analysis
Proceedings of the 34th International Conference on Software Engineering
Marco: safe, expressive macros for any language
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Automating presentation changes in dynamic web applications via collaborative hybrid analysis
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
Path sensitive static analysis of web applications for remote code execution vulnerability detection
Proceedings of the 2013 International Conference on Software Engineering
Making automated testing of cloud applications an integral component of PaaS
Proceedings of the 4th Asia-Pacific Workshop on Systems
MetaSymploit: day-one defense against script-based attacks with security-enhanced symbolic analysis
SEC'13 Proceedings of the 22nd USENIX conference on Security
Prototyping symbolic execution engines for interpreted languages
Proceedings of the 19th international conference on Architectural support for programming languages and operating systems
| Hi-index | 0.00 |
Web script crashes and malformed dynamically-generated Web pages are common errors, and they seriously impact usability of Web applications. Current tools for Web-page validation cannot handle the dynamically-generated pages that are ubiquitous on today's Internet. In this work, we apply a dynamic test generation technique, based on combined concrete and symbolic execution, to the domain of dynamic Web applications. The technique generates tests automatically, uses the tests to detect failures, and minimizes the conditions on the inputs exposing each failure, so that the resulting bug reports are small and useful in finding and fixing the underlying faults. Our tool Apollo implements the technique for PHP. Apollo generates test inputs for the Web application, monitors the application for crashes, and validates that the output conforms to the HTML specification. This paper presents Apollo's algorithms and implementation, and an experimental evaluation that revealed 214 faults in 4 PHP Web applications.