DOI: 10.1145/1390630.1390662

Finding bugs in dynamic web applications

Published: 20 July 2008

Abstract

Web script crashes and malformed dynamically-generated Web pages are common errors, and they seriously impact usability of Web applications. Current tools for Web-page validation cannot handle the dynamically-generated pages that are ubiquitous on today's Internet. In this work, we apply a dynamic test generation technique, based on combined concrete and symbolic execution, to the domain of dynamic Web applications. The technique generates tests automatically, uses the tests to detect failures, and minimizes the conditions on the inputs exposing each failure, so that the resulting bug reports are small and useful in finding and fixing the underlying faults. Our tool Apollo implements the technique for PHP. Apollo generates test inputs for the Web application, monitors the application for crashes, and validates that the output conforms to the HTML specification. This paper presents Apollo's algorithms and implementation, and an experimental evaluation that revealed 214 faults in 4 PHP Web applications.
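The abstract compresses the whole pipeline into one paragraph. The sketch below is an added illustration, not Apollo's code (Apollo targets real PHP, uses an HTML validator and a constraint solver, and handles far richer conditions): a hypothetical page reads request parameters the way PHP reads $_GET, the concrete run records the branch conditions it took (its path constraint), each condition is negated in turn to produce a new request in the DART style, every run is checked for a crash or malformed HTML, and the conditions that expose a failure are minimized so the report is small. `Trace`, `script`, `TagBalance`, the parameter names `page`/`user` and the two seeded faults are all constructed for this example.

```python
from html.parser import HTMLParser

class Trace:
    """Concrete run that also records its path constraint as (param, op, value, outcome)."""
    def __init__(self, params):
        self.params, self.constraints = params, []
    def isset(self, name):
        self.constraints.append((name, "isset", None, name in self.params))
        return self.constraints[-1][3]
    def eq(self, name, value):
        self.constraints.append((name, "==", value, self.params.get(name) == value))
        return self.constraints[-1][3]

def script(t):
    """Hypothetical PHP-like page (constructed here): reads parameters like $_GET; two seeded faults."""
    out = ["<html><body>"]
    if t.isset("page"):
        if t.eq("page", "login"):
            out.append("<form><input name='u'></form>")
        elif t.eq("page", "admin"):
            if not t.isset("user"):
                raise RuntimeError("undefined index: user")  # crash fault
            out.append("<ul><li>admin")  # HTML fault: </li></ul> missing
    out.append("</body></html>")
    return "".join(out)

def solve(constraints):
    """Parameters satisfying a path constraint, or None if it is contradictory.
    A present-but-unconstrained parameter gets a placeholder no failed equality forbids."""
    params, forbid, unset = {}, {}, set()
    for name, op, value, outcome in constraints:
        if op == "isset":
            params.setdefault(name, None) if outcome else unset.add(name)
        elif outcome:
            if params.get(name) not in (None, value):
                return None  # two different values demanded
            params[name] = value
        else:
            forbid.setdefault(name, set()).add(value)
    if params.keys() & unset or any(params.get(n) in bad for n, bad in forbid.items()):
        return None  # present and absent at once, or the demanded value is forbidden
    return {n: v if v is not None else next(c for c in "xyz" if c not in forbid.get(n, ()))
            for n, v in params.items()}

class TagBalance(HTMLParser):
    """Stand-in for the HTML validator Apollo used: opened non-void tags must close in order."""
    def __init__(self):
        super().__init__()
        self.stack, self.errors = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in {"br", "hr", "img", "input", "link", "meta"}:
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
        else:
            self.errors.append(f"unexpected </{tag}>")
    def check(self, html):
        self.feed(html)
        self.close()
        return self.errors + [f"unclosed <{t}>" for t in reversed(self.stack)]

def run(script, trace):  # one execution: failure description, or None
    try:
        html = script(trace)
    except Exception as exc:  # a PHP fatal error in the real tool
        return f"crash: {exc}"
    errors = TagBalance().check(html)
    return f"malformed html: {errors[0]}" if errors else None

def explore(script, max_runs=50):
    """DART-style generation: from the empty request, negate each recorded condition to reach new paths."""
    todo, done, results = {(): {}}, set(), []
    while todo and len(results) < max_runs:
        key, params = todo.popitem()
        done.add(key)
        trace = Trace(params)
        results.append((params, run(script, trace), trace.constraints))
        for i, (name, op, value, outcome) in enumerate(trace.constraints):
            new = solve(trace.constraints[:i] + [(name, op, value, not outcome)])
            if new is not None and (k := tuple(sorted(new.items()))) not in done:
                todo.setdefault(k, new)
    return results

def minimize(script, constraints, failure):
    """Drop each condition whose removal still exposes the same failure (one-minimal)."""
    kept, i = list(constraints), 0
    while i < len(kept):
        cand = kept[:i] + kept[i + 1:]
        params = solve(cand)
        if params is not None and run(script, Trace(params)) == failure:
            kept = cand
        else:
            i += 1
    return kept

def bug_reports(script):  # each failing input -> (failure, minimized conditions)
    return {tuple(sorted(p.items())): (f, minimize(script, c, f))
            for p, f, c in explore(script) if f}
```

`bug_reports(script)` explores five requests and reports two failures. The crash on `page=admin` minimizes to the single condition `page == "admin"`, because the solver's input for that condition alone already omits `user`; the malformed-HTML report keeps both `page == "admin"` and `isset(user)`, since dropping the second one turns the failure into the crash instead. That difference is the point of the minimization step: the report names only the conditions a developer has to satisfy to reproduce that specific fault.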



Published In
ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis
July 2008
324 pages
ISBN:9781605580500
DOI:10.1145/1390630

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. dynamic analysis
  2. php
  3. software testing
  4. web applications

Qualifiers

  • Research-article

Conference

ISSTA '08

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Article Metrics

  • Downloads (Last 12 months)27
  • Downloads (Last 6 weeks)1
Reflects downloads up to 18 Nov 2024

Cited By
  • (2024) URadar: Discovering Unrestricted File Upload Vulnerabilities via Adaptive Dynamic Testing. IEEE Transactions on Information Forensics and Security 19, 1251-1266. DOI 10.1109/TIFS.2023.3335885
  • (2024) Where URLs Become Weapons: Automated Discovery of SSRF Vulnerabilities in Web Applications. 2024 IEEE Symposium on Security and Privacy (SP), 239-257, 19 May 2024. DOI 10.1109/SP54263.2024.00198
  • (2024) Holistic Concolic Execution for Dynamic Web Applications via Symbolic Interpreter Analysis. 2024 IEEE Symposium on Security and Privacy (SP), 222-238, 19 May 2024. DOI 10.1109/SP54263.2024.00197
  • (2024) Twenty-two years since revealing cross-site scripting attacks. Computer Science Review 52:C, 1 May 2024. DOI 10.1016/j.cosrev.2024.100634
  • (2024) Tree-Based Synthesis of Web Test Sequences from Manual Actions. Theoretical Aspects of Software Engineering, 242-260, 14 July 2024. DOI 10.1007/978-3-031-64626-3_14
  • (2023) Access Control for Database Applications: Beyond Policy Enforcement. Proceedings of the 19th Workshop on Hot Topics in Operating Systems, 223-230, 22 June 2023. DOI 10.1145/3593856.3595905
  • (2022) FAUSTA: Scaling Dynamic Analysis with Traffic Generation at WhatsApp. 2022 IEEE Conference on Software Testing, Verification and Validation (ICST), 267-278, April 2022. DOI 10.1109/ICST53961.2022.00036
  • (2021) UFuzzer: Lightweight Detection of PHP-Based Unrestricted File Upload Vulnerabilities Via Static-Fuzzing Co-Analysis. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, 78-90, 6 October 2021. DOI 10.1145/3471621.3471859
  • (2021) Learning to Explore Paths for Symbolic Execution. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2526-2540, 12 November 2021. DOI 10.1145/3460120.3484813
  • (2021) On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution. Proceedings of the Web Conference 2021, 58-69, 19 April 2021. DOI 10.1145/3442381.3450002
