A case study on bypass testing of web applications

Society’s increasing reliance on services provided by web applications places a high demand on their reliability. The flow of control through web applications heavily depends on user inputs and interactions, so user inputs should be thoroughly validated before being passed to the back-end software. Although several techniques are used to validate inputs on the client, users can easily bypass this validation and submit arbitrary data to the server. This can cause unexpected behavior, and even allow unauthorized access. A test technique called bypass testing intentionally sends invalid data to the server by bypassing client-side validation. This paper reports results from a comprehensive case study on 16 deployed, widely used, commercial web applications. As part of this project, the theory behind bypass testing was extended and an automated tool, AutoBypass, was built. The case study found failures in 14 of the 16 web applications tested, some significant. This study gives evidence that bypass testing is effective, has positive return on investment, and scales to real applications.
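As an added illustration (not code from the paper or from AutoBypass), the following Python sketch models the idea in the abstract: a constructed form spec stands in for the constraints a browser enforces client-side (required fields, maxlength, pattern, select options), a hypothetical server-side handler re-checks every one of them, and a bypass suite replays a valid request with exactly one client-side rule violated at a time, which is what a user editing the HTTP request can do. The form, field names and handler are assumptions.

```python
import re

# Constructed form spec: the rules a browser would enforce for this form via
# HTML attributes. The server must not assume the client enforced them.
FORM_SPEC = {
    "username": {"required": True, "maxlength": 8, "pattern": r"[a-z0-9]+"},
    "role":     {"required": True, "options": ["user", "editor"]},
    "age":      {"required": False, "pattern": r"[0-9]{1,3}"},
}

def server_validate(params, spec=FORM_SPEC):
    """Hypothetical server-side handler: re-checks each client-side rule and
    rejects parameters the form never defined. Returns a list of errors."""
    errors = []
    for name, rule in spec.items():
        value = params.get(name)
        if value is None or value == "":
            if rule.get("required"):
                errors.append(f"{name}: missing")
            continue
        if "maxlength" in rule and len(value) > rule["maxlength"]:
            errors.append(f"{name}: too long")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: bad format")
        if "options" in rule and value not in rule["options"]:
            errors.append(f"{name}: not an allowed option")
    errors += [f"{n}: unexpected parameter" for n in params if n not in spec]
    return errors

def bypass_tests(valid, spec=FORM_SPEC):
    """Derive one bypass test per client-side constraint: the valid request
    with that single rule violated, plus an extra parameter the form lacks."""
    tests = {}
    for name, rule in spec.items():
        if rule.get("required"):
            tests[f"{name}-missing"] = {k: v for k, v in valid.items() if k != name}
        if "maxlength" in rule:
            tests[f"{name}-overlong"] = {**valid, name: "a" * (rule["maxlength"] + 1)}
        if "pattern" in rule:
            tests[f"{name}-badformat"] = {**valid, name: "<script>"}
        if "options" in rule:
            tests[f"{name}-badoption"] = {**valid, name: "admin"}
    tests["extra-param"] = {**valid, "is_admin": "1"}
    return tests

def run_bypass_suite(valid, handler=server_validate):
    """Return the names of bypass tests the handler accepted; each one is a
    failure to report, since the server trusted a bypassed client-side rule."""
    return sorted(n for n, p in bypass_tests(valid).items() if not handler(p))
```

Running the suite against a handler that performs no validation reports every test as a failure, which is the situation the case study found in 14 of 16 applications.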
