Recently, testing techniques based on dynamic exploration, which try to automatically exercise every possible user interface element, have been extensively used to facilitate fully testing web applications. Most of su...Recently, testing techniques based on dynamic exploration, which try to automatically exercise every possible user interface element, have been extensively used to facilitate fully testing web applications. Most of such testing tools are however not effective in reaching dynamic pages induced by form interactions due to their emphasis on handling client-side scripting. In this paper, we present a combinatorial strategy to achieve a full form test and build an automated test model. We propose an algorithm called pairwise testing with constraints (PTC) to iraplement the strategy. Our PTC algorithm uses pairwise coverage and handles the issues of semantic constraints and illegal values. We have implemented a prototype tool ComjaxTest and conducted an empirical study on five web applications. Experimental results indicate that our PTC algorithm generates less form test cases while achieving a higher coverage of dynamic pages than the general pairwise testing algorithm. Additionally, our ComjaxTest generates a relatively complete test model and then detects more faults in a reasonable amount of time, as compared with other existing tools based on dynamic exploration.展开更多
In order to improve the efficiency of regression testing in web application,the control flow graph and the greedy algorithm are adopted.This paper considers a web page as a basic unit and introduces a test case select...In order to improve the efficiency of regression testing in web application,the control flow graph and the greedy algorithm are adopted.This paper considers a web page as a basic unit and introduces a test case selection method for web application regression testing based on the control flow graph.This method is safe enough to the test case selection.On the base of features of request sequence in web application,the minimization technique and the priority of test cases are taken into consideration in the process of execution of test cases in regression testing for web application.The improved greedy algorithm is also raised resulting in optimization of execution of test cases.The experiments indicate that the number of test cases which need to be retested is reduced,and the efficiency of execution of test cases is also improved.展开更多
JavaScript has become one of the most widely used languages for Web development.Its dynamic and event-driven features make it challenging to ensure the correctness of Web applications written in JavaScript.A variety o...JavaScript has become one of the most widely used languages for Web development.Its dynamic and event-driven features make it challenging to ensure the correctness of Web applications written in JavaScript.A variety of dynamic analysis techniques have been proposed which are,however,limited in either coverage or scalability.In this paper,we propose a simple,yet effective,model-based automated testing approach to achieve a high code-coverage within the time budget via testing with longer event sequences.We implement our approach as an open-source tool LJS,and perform extensive experiments on 21 publicly available benchmarks.On average,LJS is able to achieve 86.5%line coverage in 10 minutes.Compared with JSDEP,a state-of-the-art breadth-first search based automated testing tool enriched with partial order reduction,the coverage of LJS is 11%-19%higher than that of JSDEP on real-world large Web applications.Our empirical findings support that proper longer test sequences can achieve a higher code coverage in JavaScript Web application testing.展开更多
Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity. And it is especially important to test forms completely and thoroughly. Therefore, this paper discusses how to ca...Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity. And it is especially important to test forms completely and thoroughly. Therefore, this paper discusses how to carry out the form testing by different methods in the related testing phases. Namely, at first, automatically abstracting forms in the Web pages by parsing the HTML documents; then, ohtai ning the testing data with a certain strategies, such as by requirement specifications, by mining users' hefore input informarion or by recording meehanism; and next executing the testing actions automatically due to the well formed test cases; finally, a case study is given to illustrate the convenient and effective of these methods.展开更多
A formal model representing the navigation behavior of a Web application as the Kripke structure is proposed and an approach that applies model checking to test case generation is presented. The Object Relation Diagra...A formal model representing the navigation behavior of a Web application as the Kripke structure is proposed and an approach that applies model checking to test case generation is presented. The Object Relation Diagram as the object model is employed to describe the object structure of a Web application design and can be translated into the behavior model. A key problem of model checking-based test generation for a Web application is how to construct a set of trap properties that intend to cause the violations of model checking against the behavior model and output of counterexamples used to construct the test sequences. We give an algorithm that derives trap properties from the object model with respect to node and edge coverage criteria.展开更多
Parallel to the considerable growth in applications of web-based systems, there are increasing demands for methods and tools to assure their quality. Testing these systems, due to their inherent complexities and speci...Parallel to the considerable growth in applications of web-based systems, there are increasing demands for methods and tools to assure their quality. Testing these systems, due to their inherent complexities and special characteristics, is complex, time-consuming and challenging. In this paper a novel multi-agent framework for automated testing of web-based systems is presented. The main design goals have been to develop an effective and flexible framework that supports different types of tests and utilize different sources of information about the system under test to automate the test process. A prototype of the proposed framework has been implemented and is used to perform some experiments. The results are promising and prove the overall design of the framework.展开更多
Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source cod...Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source code security differs and therefore each tool finds a different number of each weakness type for which it is designed.To utilize the possible synergies different static analysis tools may process,this work uses a new method to combine several source codes aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives.Specifically,five static analysis tools will be combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses(OWASP TTSW).The method selects specific metrics to rank the tools for different criticality levels of web applications considering different weights in the ratios.The findings show that simply including more tools in a combination is not synonymous with better results;it depends on the specific tools included in the combination due to their different designs and techniques.展开更多
In order to analyze and test the component-based web application and decide when to stop the testing process, the concept of coverage criteria and test requirement reduction approach are proposed. First, four adequacy...In order to analyze and test the component-based web application and decide when to stop the testing process, the concept of coverage criteria and test requirement reduction approach are proposed. First, four adequacy criteria are defined and subsumption relationships among them are proved. Then, a translation algorithm is presented to transfer the test model into a web application decision-to-decision graph(WADDGraph)which is used to reduce testing requirements. Finally, different sets of test requirements can be generated from WADDGraph by analyzing subsumption and equivalence relationships among edges based on different coverage criteria, and testers can select different test requirements according to different testing environments. The case study indicates that coverage criteria follow linear subsumption relationships in real web applications. Test requirements can be reduced more than 55% on average based on different coverage criteria and the size of test requirements increases with the increase in the complexity of the coverage criteria.展开更多
This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications.The analysis process is based on the use of techniques and tools that allow to perform security assessment...This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications.The analysis process is based on the use of techniques and tools that allow to perform security assessments of white box and black box,to carry out the security validation of a web application in an agile and precise way.The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks.Each one of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage,so that the results generated in one phase are used as feed for the following phases in order to get an optimized global security analysis result.The methodology can be used as part of other more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle(SSDLC).A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics.Dynamic analysis with manual checking is used to audit the results,24.6 per cent of security vulnerabilities reported by the static analysis has been checked and it allows to study which vulnerabilities can be directly exploited externally.This phase is very important because it permits that each reported vulnerability can be checked by a dynamic second tool to confirm whether a vulnerability is true or false positive and it allows to study which vulnerabilities can be directly exploited externally.Dynamic analysis finds six(6)additional critical vulnerabilities.Access control analysis finds other five(5)important vulnerabilities such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks,two vulnerabilities that permit brute force attacks.展开更多
Building an abstract model of the web application is the chief task of software test based on model, which is an efficient way for testing the web application. One problem with current web application test technologie...Building an abstract model of the web application is the chief task of software test based on model, which is an efficient way for testing the web application. One problem with current web application test technologies is the lack of tools for modeling the whole web software, especially the lack of support for describing web application from the view of action and function. This paper is concerned with providing the support for development and test of the web application. The presented novel model, named component-based and tree-oriented web application development model (CBTOWADM), abstracts the web application as a tree based on its system function and business process. CBTOWADM not only simplifies the design and development of the web application, but also acts as the model middleware for software test. The basic model definition, the system framework and the application in software test of CBTOWADM is described.展开更多
Web application fingerprint recognition is an effective security technology designed to identify and classify web applications,thereby enhancing the detection of potential threats and attacks.Traditional fingerprint r...Web application fingerprint recognition is an effective security technology designed to identify and classify web applications,thereby enhancing the detection of potential threats and attacks.Traditional fingerprint recognition methods,which rely on preannotated feature matching,face inherent limitations due to the ever-evolving nature and diverse landscape of web applications.In response to these challenges,this work proposes an innovative web application fingerprint recognition method founded on clustering techniques.The method involves extensive data collection from the Tranco List,employing adjusted feature selection built upon Wappalyzer and noise reduction through truncated SVD dimensionality reduction.The core of the methodology lies in the application of the unsupervised OPTICS clustering algorithm,eliminating the need for preannotated labels.By transforming web applications into feature vectors and leveraging clustering algorithms,our approach accurately categorizes diverse web applications,providing comprehensive and precise fingerprint recognition.The experimental results,which are obtained on a dataset featuring various web application types,affirm the efficacy of the method,demonstrating its ability to achieve high accuracy and broad coverage.This novel approach not only distinguishes between different web application types effectively but also demonstrates superiority in terms of classification accuracy and coverage,offering a robust solution to the challenges of web application fingerprint recognition.展开更多
In recent years large corporations as well as smaller commercial enterprises have begun to devote increased attention to software testing and software quality. This paper introduces a novel tool—the Framework for Ext...In recent years large corporations as well as smaller commercial enterprises have begun to devote increased attention to software testing and software quality. This paper introduces a novel tool—the Framework for Extensible Application Testing (FEAT), implemented by the author and applicable for automatic generation and execution of test cases. The paper discusses system requirements, design, architecture and modes of operation. It also contains a detailed comparison of the FEAT framework with existing test environments, focusing in particular on the STAF/STAX framework. The final section is devoted to experimental research into the applicability and efficiency of the presented tools in various projects and configurations, as reflected by quality metrics.展开更多
To ensure the quality of Web applications, Web testing is one of the effective methods. The testing is a process of revealing errors that is used to give confidence that the implementation of a Web application meets i...To ensure the quality of Web applications, Web testing is one of the effective methods. The testing is a process of revealing errors that is used to give confidence that the implementation of a Web application meets its original specification. This work proposes a Web testing framework based on Stream X-Machines (SXMs), which provides a way to derive test cases for a Web application. It starts from constructing the SXM model, from which a test translator is employed to extract the test paths and then translates them into an XML-style test specification, which is the input of test engine. The test engine generates test cases and then executes them, and finally produces test report. This testing method is a significant contribution to informed research.展开更多
基金This work is supported by the National Natural Science Foundation of China under Grant Nos. 61472076, 61472077, and 61300054.
文摘Recently, testing techniques based on dynamic exploration, which try to automatically exercise every possible user interface element, have been extensively used to facilitate fully testing web applications. Most of such testing tools are however not effective in reaching dynamic pages induced by form interactions due to their emphasis on handling client-side scripting. In this paper, we present a combinatorial strategy to achieve a full form test and build an automated test model. We propose an algorithm called pairwise testing with constraints (PTC) to iraplement the strategy. Our PTC algorithm uses pairwise coverage and handles the issues of semantic constraints and illegal values. We have implemented a prototype tool ComjaxTest and conducted an empirical study on five web applications. Experimental results indicate that our PTC algorithm generates less form test cases while achieving a higher coverage of dynamic pages than the general pairwise testing algorithm. Additionally, our ComjaxTest generates a relatively complete test model and then detects more faults in a reasonable amount of time, as compared with other existing tools based on dynamic exploration.
基金The National Natural Science Foundation of China(No.60503020,60503033,60703086)Opening Foundation of Jiangsu Key Laboratory of Computer Information Processing Technology in Soochow University(No.KJS0714)
文摘In order to improve the efficiency of regression testing in web application,the control flow graph and the greedy algorithm are adopted.This paper considers a web page as a basic unit and introduces a test case selection method for web application regression testing based on the control flow graph.This method is safe enough to the test case selection.On the base of features of request sequence in web application,the minimization technique and the priority of test cases are taken into consideration in the process of execution of test cases in regression testing for web application.The improved greedy algorithm is also raised resulting in optimization of execution of test cases.The experiments indicate that the number of test cases which need to be retested is reduced,and the efficiency of execution of test cases is also improved.
基金P.Gao,Y.Xu and F.Song were partially supported by the National Natural Science Foundation of China(NSFC)(Grant Nos.62072309,61532019,61761136011)T.Chen is partially supported by the National Natural Science Foundation of China(Grant No.61872340)+1 种基金Guangdong Science and Technology Department(2018B010107004)Natural Science Foundation of Guangdong Province(2019A1515011689).
文摘JavaScript has become one of the most widely used languages for Web development.Its dynamic and event-driven features make it challenging to ensure the correctness of Web applications written in JavaScript.A variety of dynamic analysis techniques have been proposed which are,however,limited in either coverage or scalability.In this paper,we propose a simple,yet effective,model-based automated testing approach to achieve a high code-coverage within the time budget via testing with longer event sequences.We implement our approach as an open-source tool LJS,and perform extensive experiments on 21 publicly available benchmarks.On average,LJS is able to achieve 86.5%line coverage in 10 minutes.Compared with JSDEP,a state-of-the-art breadth-first search based automated testing tool enriched with partial order reduction,the coverage of LJS is 11%-19%higher than that of JSDEP on real-world large Web applications.Our empirical findings support that proper longer test sequences can achieve a higher code coverage in JavaScript Web application testing.
基金Supported by the National Natural Science Foun-dation of China (60425206 ,90412003 ,60503033)the National Bas-ic Research Program of China (973 Program 2002CB312000 ) Opening Foundation of State Key Laboratory of Software Engineeringin Wuhan University, High Technology Research Project of JiangsuProvince (BG2005032)
文摘Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity. And it is especially important to test forms completely and thoroughly. Therefore, this paper discusses how to carry out the form testing by different methods in the related testing phases. Namely, at first, automatically abstracting forms in the Web pages by parsing the HTML documents; then, ohtai ning the testing data with a certain strategies, such as by requirement specifications, by mining users' hefore input informarion or by recording meehanism; and next executing the testing actions automatically due to the well formed test cases; finally, a case study is given to illustrate the convenient and effective of these methods.
基金Supported by the National Natural Science Foundation of China (60673115)the National Basic Research Program of China (973 Program) (2002CB312001)the Open Foundation of State Key Laboratory of Soft-ware Engineering (SKLSE05-13)
文摘A formal model representing the navigation behavior of a Web application as the Kripke structure is proposed and an approach that applies model checking to test case generation is presented. The Object Relation Diagram as the object model is employed to describe the object structure of a Web application design and can be translated into the behavior model. A key problem of model checking-based test generation for a Web application is how to construct a set of trap properties that intend to cause the violations of model checking against the behavior model and output of counterexamples used to construct the test sequences. We give an algorithm that derives trap properties from the object model with respect to node and edge coverage criteria.
文摘Parallel to the considerable growth in applications of web-based systems, there are increasing demands for methods and tools to assure their quality. Testing these systems, due to their inherent complexities and special characteristics, is complex, time-consuming and challenging. In this paper a novel multi-agent framework for automated testing of web-based systems is presented. The main design goals have been to develop an effective and flexible framework that supports different types of tests and utilize different sources of information about the system under test to automate the test process. A prototype of the proposed framework has been implemented and is used to perform some experiments. The results are promising and prove the overall design of the framework.
基金Acknowledgements: This work was supported by National High-Technology Research and Development Program (863 Program) of China under grant (No. 2007AA01Z144), National Natural Science Foundation of China (NSFC) under grant (No. 60673115) and National Grand Basic Research Program (973 Program) of China under grant (No. 2007CB310800).
文摘Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source code security differs and therefore each tool finds a different number of each weakness type for which it is designed.To utilize the possible synergies different static analysis tools may process,this work uses a new method to combine several source codes aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives.Specifically,five static analysis tools will be combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses(OWASP TTSW).The method selects specific metrics to rank the tools for different criticality levels of web applications considering different weights in the ratios.The findings show that simply including more tools in a combination is not synonymous with better results;it depends on the specific tools included in the combination due to their different designs and techniques.
基金The National Natural Science Foundation of China(No.90818027,60873050)the National High Technology Research andDevelopment Program of China (863 Program) (No.2009AA01Z147)+2 种基金Opening Foundation of State Key Laboratory Software Engineering in Wu-han University(No.SKLSE20080717)Opening Foundation of State KeyLaboratory for Novel Software Technology in Nanjing University(No.ZZ-KT2008F12)the Key Laboratory Foundation of Shanghai Municipal Science and Technology Commission (No.09DZ2272600)
文摘In order to analyze and test the component-based web application and decide when to stop the testing process, the concept of coverage criteria and test requirement reduction approach are proposed. First, four adequacy criteria are defined and subsumption relationships among them are proved. Then, a translation algorithm is presented to transfer the test model into a web application decision-to-decision graph(WADDGraph)which is used to reduce testing requirements. Finally, different sets of test requirements can be generated from WADDGraph by analyzing subsumption and equivalence relationships among edges based on different coverage criteria, and testers can select different test requirements according to different testing environments. The case study indicates that coverage criteria follow linear subsumption relationships in real web applications. Test requirements can be reduced more than 55% on average based on different coverage criteria and the size of test requirements increases with the increase in the complexity of the coverage criteria.
文摘This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications.The analysis process is based on the use of techniques and tools that allow to perform security assessments of white box and black box,to carry out the security validation of a web application in an agile and precise way.The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks.Each one of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage,so that the results generated in one phase are used as feed for the following phases in order to get an optimized global security analysis result.The methodology can be used as part of other more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle(SSDLC).A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics.Dynamic analysis with manual checking is used to audit the results,24.6 per cent of security vulnerabilities reported by the static analysis has been checked and it allows to study which vulnerabilities can be directly exploited externally.This phase is very important because it permits that each reported vulnerability can be checked by a dynamic second tool to confirm whether a vulnerability is true or false positive and it allows to study which vulnerabilities can be directly exploited externally.Dynamic analysis finds six(6)additional critical vulnerabilities.Access control analysis finds other five(5)important vulnerabilities such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks,two vulnerabilities that permit brute force attacks.
基金Project supported by the National High-Technology Research and Development Program of China(Grant No.2007AA01Z144)the Shanghai Leading Academic Discipline Project(Grant No.J50103)
文摘Building an abstract model of the web application is the chief task of software test based on model, which is an efficient way for testing the web application. One problem with current web application test technologies is the lack of tools for modeling the whole web software, especially the lack of support for describing web application from the view of action and function. This paper is concerned with providing the support for development and test of the web application. The presented novel model, named component-based and tree-oriented web application development model (CBTOWADM), abstracts the web application as a tree based on its system function and business process. CBTOWADM not only simplifies the design and development of the web application, but also acts as the model middleware for software test. The basic model definition, the system framework and the application in software test of CBTOWADM is described.
基金supported in part by the National Science Foundation of China under Grants U22B2027,62172297,62102262,61902276 and 62272311,Tianjin Intelligent Manufacturing Special Fund Project under Grant 20211097the China Guangxi Science and Technology Plan Project(Guangxi Science and Technology Base and Talent Special Project)under Grant AD23026096(Application Number 2022AC20001)+1 种基金Hainan Provincial Natural Science Foundation of China under Grant 622RC616CCF-Nsfocus Kunpeng Fund Project under Grant CCF-NSFOCUS202207.
文摘Web application fingerprint recognition is an effective security technology designed to identify and classify web applications,thereby enhancing the detection of potential threats and attacks.Traditional fingerprint recognition methods,which rely on preannotated feature matching,face inherent limitations due to the ever-evolving nature and diverse landscape of web applications.In response to these challenges,this work proposes an innovative web application fingerprint recognition method founded on clustering techniques.The method involves extensive data collection from the Tranco List,employing adjusted feature selection built upon Wappalyzer and noise reduction through truncated SVD dimensionality reduction.The core of the methodology lies in the application of the unsupervised OPTICS clustering algorithm,eliminating the need for preannotated labels.By transforming web applications into feature vectors and leveraging clustering algorithms,our approach accurately categorizes diverse web applications,providing comprehensive and precise fingerprint recognition.The experimental results,which are obtained on a dataset featuring various web application types,affirm the efficacy of the method,demonstrating its ability to achieve high accuracy and broad coverage.This novel approach not only distinguishes between different web application types effectively but also demonstrates superiority in terms of classification accuracy and coverage,offering a robust solution to the challenges of web application fingerprint recognition.
文摘In recent years large corporations as well as smaller commercial enterprises have begun to devote increased attention to software testing and software quality. This paper introduces a novel tool—the Framework for Extensible Application Testing (FEAT), implemented by the author and applicable for automatic generation and execution of test cases. The paper discusses system requirements, design, architecture and modes of operation. It also contains a detailed comparison of the FEAT framework with existing test environments, focusing in particular on the STAF/STAX framework. The final section is devoted to experimental research into the applicability and efficiency of the presented tools in various projects and configurations, as reflected by quality metrics.
文摘To ensure the quality of Web applications, Web testing is one of the effective methods. The testing is a process of revealing errors that is used to give confidence that the implementation of a Web application meets its original specification. This work proposes a Web testing framework based on Stream X-Machines (SXMs), which provides a way to derive test cases for a Web application. It starts from constructing the SXM model, from which a test translator is employed to extract the test paths and then translates them into an XML-style test specification, which is the input of test engine. The test engine generates test cases and then executes them, and finally produces test report. This testing method is a significant contribution to informed research.
