ABSTRACT
User-input validators play an essential role in guarding a web application against application-level attacks. Hence, defective validators can compromise the security of the web application. Testing is one of the most commonly used methodologies for detecting defects in validators. Testing can be performed by manually writing test inputs and oracles, but this manual process is often labor-intensive and ineffective. On the other hand, automated test generators cannot generate test oracles in the absence of specifications, which are often not available in practice. To address this issue in testing validators, we propose a novel approach, called MiTV, that applies Multiple-implementation Testing for Validators, i.e., comparing the behavior of a validator under test with other validators of the same type. These other validators of the same type can be collected from either open or proprietary source code repositories. To show the effectiveness of MiTV, we applied MiTV on 53 different validators (of 6 common types) for web applications. Our results show that MiTV detected real defects in 70% of the validators.
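The following is an added example illustrating the MiTV idea, not code from the paper or its tool: a constructed, defective e-mail validator is run against three constructed reference validators of the same type, and the majority verdict of the references serves as the missing test oracle. All function names, regular expressions and test inputs are assumptions made for this illustration.

```python
import re
from collections import Counter

# Validator under test (constructed): unanchored at the end and too narrow
# a character class, so it both over-accepts and under-accepts.
def vut_email(s):
    return re.match(r"\w+@\w+\.\w+", s) is not None

# Three constructed reference validators of the same type (e-mail); they
# stand in for implementations collected from code repositories.
def ref_email_1(s):
    return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", s) is not None

def ref_email_2(s):
    return re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", s) is not None

def ref_email_3(s):
    local, sep, domain = s.rpartition("@")
    return (sep == "@" and 0 < len(local) <= 64 and 0 < len(domain) <= 255
            and "." in domain and not domain.startswith(".")
            and not domain.endswith("."))

def mitv(vut, references, inputs):
    """Multiple-implementation oracle: the majority verdict of the reference
    validators replaces the missing specification. Returns a list of
    (input, vut_verdict, majority_verdict) for every disagreement."""
    reports = []
    for x in inputs:
        votes = Counter(ref(x) for ref in references)
        majority, count = votes.most_common(1)[0]
        if count * 2 <= len(references):
            continue  # references split evenly: no usable oracle for this input
        verdict = vut(x)
        if verdict != majority:
            reports.append((x, verdict, majority))
    return reports

# Constructed test inputs; in the paper's setting these could instead come
# from an automated test generator.
INPUTS = [
    "user@example.com",
    "first.last@example.com",
    "user@example.com extra words",
    "@example.com",
    "user@localhost",
    "a" * 65 + "@example.com",
]

def run():
    return mitv(vut_email, [ref_email_1, ref_email_2, ref_email_3], INPUTS)

if __name__ == "__main__":
    for x, got, expected in run():
        print(f"{x!r}: validator under test says {got}, majority says {expected}")
```

The two reported inputs expose a false rejection (a dotted local part) and a false acceptance (trailing text after a valid address); the over-long local part is not reported because two of the three references accept it, which shows that the oracle is only as reliable as the majority of the collected validators.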