Precise interface identification to improve testing and analysis of web applications

Authors:
William G.J. Halfond;Saswat Anand;Alessandro Orso
Affiliations:
Georgia Institute of Technology, Atlanta, GA, USA;Georgia Institute of Technology, Atlanta, GA, USA;Georgia Institute of Technology, Atlanta, GA, USA
Venue:
Proceedings of the eighteenth international symposium on Software testing and analysis
Year:
2009

Citing 21
Cited 17

Symbolic execution and program testing

Communications of the ACM
Analysis and testing of Web applications

ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Measuring and Modeling Usage and Reliability for Statistical Web Testing

IEEE Transactions on Software Engineering - Special section on the seventh international software metrics symposium
Model Checking Programs

Automated Software Engineering
Web application security assessment by fault injection and behavior monitoring

WWW '03 Proceedings of the 12th international conference on World Wide Web
Improving web application testing with user session data

Proceedings of the 25th International Conference on Software Engineering
Dynamic Model Extraction and Statistical Analysis of Web Applications

WSE '02 Proceedings of the Fourth International Workshop on Web Site Evolution (WSE'02)
Testing web database applications

ACM SIGSOFT Software Engineering Notes
Leveraging User-Session Data to Support Web Application Testing

IEEE Transactions on Software Engineering
An exploration of statistical models for automated test case generation

WODA '05 Proceedings of the third international workshop on Dynamic analysis
Web application characterization through directed requests

Proceedings of the 2006 international workshop on Dynamic systems analysis
Command-Form Coverage for Testing Database Applications

ASE '06 Proceedings of the 21st IEEE/ACM International Conference on Automated Software Engineering
Dynamic test input generation for database applications

Proceedings of the 2007 international symposium on Software testing and analysis
Improving test case generation for web applications using automated interface discovery

Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Dynamic test input generation for web applications

ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Finding bugs in dynamic web applications

ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Automated identification of parameter mismatches in web applications

Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering
Penetration Testing with Improved Input Vector Identification

ICST '09 Proceedings of the 2009 International Conference on Software Testing Verification and Validation
Type-dependence analysis and program transformation for symbolic execution

TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
JPF-SE: a symbolic execution extension to Java PathFinder

TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
Generalized symbolic execution for model checking and testing

TACAS'03 Proceedings of the 9th international conference on Tools and algorithms for the construction and analysis of systems

Enforcing request integrity in web applications

DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
Statically locating web application bugs caused by asynchronous calls

Proceedings of the 20th international conference on World wide web
Automated driver generation for analysis of web applications

FASE'11/ETAPS'11 Proceedings of the 14th international conference on Fundamental approaches to software engineering: part of the joint European conferences on theory and practice of software
WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction

Proceedings of the 18th ACM conference on Computer and communications security
Automated web application testing using search based software engineering

ASE '11 Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering
State aware test case regeneration for improving web application test suite coverage and fault detection

Proceedings of the 2012 International Symposium on Software Testing and Analysis
ViewPoints: differential string analysis for discovering client- and server-side input validation inconsistencies

Proceedings of the 2012 International Symposium on Software Testing and Analysis
Static detection of resource contention problems in server-side scripts

Proceedings of the 34th International Conference on Software Engineering
Automated detection of client-state manipulation vulnerabilities

Proceedings of the 34th International Conference on Software Engineering
An automated analysis methodology to detect inconsistencies in web services with WSDL interfaces

Software Testing, Verification & Reliability
Automatically repairing broken workflows for evolving GUI applications

Proceedings of the 2013 International Symposium on Software Testing and Analysis
Efficient and flexible GUI test execution via test merging

Proceedings of the 2013 International Symposium on Software Testing and Analysis
Guided test generation for web applications

Proceedings of the 2013 International Conference on Software Engineering
Path sensitive static analysis of web applications for remote code execution vulnerability detection

Proceedings of the 2013 International Conference on Software Engineering
Server interface descriptions for automated testing of JavaScript web applications

Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
An evaluation model for dependability of Internet-scale software on basis of Bayesian Networks and trustworthiness

Journal of Systems and Software
Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Journal of Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

As web applications become more widespread, sophisticated, and complex, automated quality assurance techniques for such applications have grown in importance. Accurate interface identification is fundamental for many of these techniques, as the components of a web application communicate extensively via implicitly-defined interfaces to generate customized and dynamic content. However, current techniques for identifying web application interfaces can be incomplete or imprecise, which hinders the effectiveness of quality assurance techniques. To address these limitations, we present a new approach for identifying web application interfaces that is based on a specialized form of symbolic execution. In our empirical evaluation, we show that the set of interfaces identified by our approach is more accurate than those identified by other approaches. We also show that this increased accuracy leads to improvements in several important quality assurance techniques for web applications: test-input generation, penetration testing, and invocation verification.