slide1 l.
Skip this Video
Loading SlideShow in 5 Seconds..
Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Informat PowerPoint Presentation
Download Presentation
Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Informat

Loading in 2 Seconds...

play fullscreen
1 / 25

Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Informat - PowerPoint PPT Presentation

  • Uploaded on

Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information Technology & Engineering Dept. of Information & Software Engineering George Mason University Fairfax, VA USA. Introduction.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Informat' - neith

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Automating Bypass Testing

for Web Applications

Vasileios Papadimitriou

The Volgenau School of Information Technology & Engineering

Dept. of Information & Software Engineering

George Mason University

Fairfax, VA USA

Vasileios Papadimitriou

  • World Wide Web changed the methods of software development and deployment
    • We value reliability, usability, and security more than “time to market”
    • “Extremely loosely coupled” systems
    • Browser based clients
    • HTTP
  • Web applications become vulnerable to input manipulation that may:
    • Reduce reliability
    • Compromise security

Vasileios Papadimitriou

introduction cont
Introduction (cont.)
  • Offutt and Wu's work on bypass testing of web application is extended
    • Theoretical background is revised to support use of automated approach
  • HttpUnit is used to build a prototype software application that automatically:
    • Parses HMTL pages
    • Identifies forms and their fields
    • Creates bypass test cases
    • Submits test cases to the application’s server

Vasileios Papadimitriou

presentation outline
Presentation Outline
  • Client side validation types & rules to automatically generate test cases
  • AutoBypass testing tool and demo
  • Experiment design
  • Results
  • Conclusions

Vasileios Papadimitriou

types of client input validation
Types of Client Input Validation
  • Client side input validation is performed by HTML form controls, their attributes, and client side scripts that access DOM
  • Validation types are categorized in HTML and Scripting.
    • HTML supports syntactic validation
    • Client scripting can perform both syntactic and semantic validation

Vasileios Papadimitriou

example interface yahoo registration form
Example Interface:yahoo registration form

Preset Transfer Mode

in form definition (HTML)

Preset Values (HTML)

Limited Length (HTML)

URL with preset Values


Inter Value

validation (script)

Preset No of Fields


Data Value, Type, & Format

validation (script)

Vasileios Papadimitriou

test value selection
Test Value Selection
  • Challenge:
    • How to automatically provide effective test values?
  • “Semantic Domain Problem” (SDP)
    • Values within the application domain are needed
    • Enumeration of all possible test values is inefficient
  • Possible Solutions
    • Random Values (ineffective)
    • Automatically generated values (too hard)
    • Study application and construct a set of values (feasible)
    • Tester input (feasible)
  • AutoBypass uses a input domain created by parsing the interface and tester input

Vasileios Papadimitriou

  • AutoBypass Steps (the big picture)



Set Default



Test Cases

& Run Tests



  • All HTML violation rules are used to generate test cases
  • This version of AutoBypass does NOT automatically violate scripting validation, but:
    • AutoBypass behaves as a browser with scripts disabled
    • Tester can provide test inputs that will bypass scripting validation.

Vasileios Papadimitriou

  • Demo:


Vasileios Papadimitriou

autobypass architecture
AutoBypass Architecture


Vasileios Papadimitriou

experiment design
Experiment Design

How well can the tool perform on real web applications?

  • Null Hypothesis:
    • Bypass testing of web applications will NOT expose more faults than standard testing.
  • Independent Variable:
    • Method of testing web applications.
    • Two values are compared:
      • Bypass method
      • Industry standard testing method

Vasileios Papadimitriou

experiment design cont
Experiment Design (cont.)

Dependent Variable:

  • Type of the server response given an invalid request submission:
    • (V) Valid Responses: invalid inputs are adequately processed by the server
    • (F) Faults & Failures: invalid inputs that cause abnormal server behavior (typically caught by web server when application fails to handle the error)
    • (E) Exposure: invalid input is not recognized by the server and abnormal software behavior is exposed to the users

* both F & E are invalid responses

Vasileios Papadimitriou

experiment design cont13
Experiment Design (cont.)
  • Appropriateness vs. Expectancy
    • Responses for Invalid inputs are not defined
  • Preliminary results show a variety of “valid” responses
    • Further classification is defined
  • It is unknown whether valid responses have actually resulted to corrupted data on the server.

Vasileios Papadimitriou

subject selection
Subject Selection
  • Criteria:
    • Complexity of the application
    • Ability to perform bypass testing
  • Assumptions for web applications tested:
    • Products designed by professionals
    • Tested by their designers (yet testing methods are not well known or well defined)
    • Used by significant number of users

Vasileios Papadimitriou




Poll, Users


Main page,

Set Theme,

SQL Query,

DB Stats

Submit Request Info, New user

Events & Music Search


Login form

Notepad, Composer,

Search reminder, Weather Search

Cart manager,

Book search/results

Item dispatch,

Handle buy

ATM locator, Site search

Service availability

Detail submit,

Shopping cart control

Froogle, Language tools


Quote search

Vasileios Papadimitriou

results 1 of 2
Results (1 of 2)

Vasileios Papadimitriou

results 2 of 2
Results (2 of 2)

Vasileios Papadimitriou

result graphs
Result Graphs


Vasileios Papadimitriou

results summary
Results Summary
  • 24% of tests caused invalid responses
  • Hypothesis is rejected

* with the exception of Google and Amazon

  • Problems Found:
    • Crashes and incorrect output

(and possibly corrupt data on the servers)

    • Potential security vulnerabilities
      • Invalid input passed to the application without validation
      • Invalid input reached database queries

Vasileios Papadimitriou

results summary cont
Results Summary (cont.)
  • Testing Cost
    • Average of 1.8 hours per module tested

~ 1¾ hours of human labor & 5 minutes computer processing

  • Violation Rules effectiveness

Vasileios Papadimitriou

confounding variables
Confounding Variables
  • AutoBypass Implementation
    • Tested for validity of results
    • Some Violation rules are not implemented (Scripting rules)
  • Sample Selection
    • Complex interfaces could not be parsed
    • Selected only public, non-critical applications
    • Some interfaces had to be modified to allow testing

Vasileios Papadimitriou

confounding variables cont
Confounding Variables (cont.)
  • Tester Value Selection
    • Selection of additional values that violated the constraints
    • Little or no familiarity with the application domain
  • Result Evaluation
    • Challenging process

~ 90% of the testing cost

    • No access to server –faults may not be detected
    • Manual verification
    • Cross Rater evaluation would be helpful

Vasileios Papadimitriou

  • Bypass testing can reveal errors in web applications beyond what standard testing can find
    • Programs are still designed to depend on client’s side interface constraints
    • Subjects with significant number of users were less affected
      • Assumed to be the most expensive software
  • Web development can benefit from bypass testing
    • Inexpensive to test applications in terms of resources and human labor.
    • Efficient method creating limited test cases
    • AutoBypass performs testing on external system level
      • Access to the application source or server is NOT required.
      • Platform independent
      • Can be combined with standard testing.

Vasileios Papadimitriou

ways to improve autobypass
Ways to improve AutoBypass
  • Improve interface parser
    • Eliminate scripting limitations
  • Implement scripting violation rules
  • Widen the scope of testing from a form/page to a site
    • Test sequence of events
    • Application level Input Domain
  • Explore possibilities for automated response evaluation

Vasileios Papadimitriou


Vasileios Papadimitriou

Vasileios Papadimitriou