A robustness testing approach for SOAP Web services

The use of Web services in enterprise applications is quickly increasing. In a Web services environment, providers supply a set of services for consumers. However, although Web services are being used in business-critical environments, there are no practical means to test or compare their robustness to invalid and malicious inputs. In fact, client applications are typically developed with the assumption that the services being used are robust, which is not always the case. Robustness failures in such environments are particularly dangerous, as they may give rise to vulnerabilities that can be maliciously exploited, with severe consequences for the systems under attack. This paper addresses the problem of robustness testing in Web services environments. The proposed approach is based on a set of robustness tests (including both malicious and non-malicious invalid call parameters) that is used to discover programming and design errors. This approach, useful for both service providers and consumers, is demonstrated by two sets of experiments, showing, respectively, the use of Web services robustness testing from the consumer and the provider points of view. The experiments comprise the robustness testing of 1,204 Web service operations publicly available on the Internet and of 29 home-implemented services, including two different implementations of the Web services specified by the standard TPC-App performance benchmark. Results show that many Web services are deployed with critical robustness problems and that robustness testing is an effective approach to improving service quality.
