Precise interface identification to improve testing and analysis of web applications

Published: 19 July 2009

Abstract

As web applications become more widespread, sophisticated, and complex, automated quality assurance techniques for such applications have grown in importance. Accurate interface identification is fundamental for many of these techniques, as the components of a web application communicate extensively via implicitly-defined interfaces to generate customized and dynamic content. However, current techniques for identifying web application interfaces can be incomplete or imprecise, which hinders the effectiveness of quality assurance techniques. To address these limitations, we present a new approach for identifying web application interfaces that is based on a specialized form of symbolic execution. In our empirical evaluation, we show that the set of interfaces identified by our approach is more accurate than those identified by other approaches. We also show that this increased accuracy leads to improvements in several important quality assurance techniques for web applications: test-input generation, penetration testing, and invocation verification.

Published In

ISSTA '09: Proceedings of the eighteenth international symposium on Software testing and analysis
July 2009
306 pages
ISBN: 9781605583389
DOI: 10.1145/1572272
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. interface identification
  2. web application testing
