-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
1/19
Finding Bugs in Dynamic Web
Applications
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
2/19
Presented By
Md. Monjurul Hasan
CSE 6329
Special Topics inAdvanced Software Engineering
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
3/19
Dynamic Web Application
Generates pages (HTML contents) on-the-fly
Content varies on user and user-specified
criteria
Obtained by server-side programming
We can say that all big, known web
applications are Dynamic Web Application
Source: Dynamic Web Application Development using PHP and MySQL
By Simon Stobart and David Parsons
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
4/19
Web Threats
Web script crashes and malformed
dynamically-generated Web pages impact
usability of Web applications
Current tools for Web-page validationcannothandlethe dynamically-generatedpages
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
5/19
Web Script Crash
Missing included file
Call to undefined method
Wrong Database query Uncaught exceptions
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
6/19
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
7/19
The Problem
Bad scripts creating syntactically-malformed
HTML
Partially displayable or Non-displayable HTML
Browsers attempt to correctcrashes
Slower HTML rendering
Discard important information
Trouble indexing correct pages for search engines
Example
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
8/19
More Problems
Dynamic web page testing challenges
HTML validation tools only perform testing of
static page
Can not fully capture behavior since not all of
functionality of code is found in the HTML result
No automatic validator for scripting languages
that dynamically generate HTML pages HTML Kit validates every generated page but requires manual
generation of inputs that lead to displaying pages
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
9/19
What this paper presents
Presents automatedtechnique for finding faults
manifested as Web script crashes or malformed-
HTMLextends dynamic test generationto
scripting languages.
Identifies minimalpart of input responsible for
triggering failures
Uses an oracle to determine well-formed HTML Creates a tool, Apollothat implements all these in
the context of PHP
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
10/19
Why ?
Widely used in Web development
Network interactions
Database
HTTP processing Object oriented
Scripting
21 millions domains1
(75%) are poweredincluding large websites like Wikipedia,WordPress, Facebook, Dig etc.
1
Source Netcraft, April 2007
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
11/19
Example: program
SchoolMate.php
Allows school administrators to manage classes
and users, teachers to manage assignments and
grades and students to access their information
Typical URL:
schoolmate.php?page=1&page2=100&login=1&
username=user&password=password
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
12/19
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
13/19
printReportCards.phpmissing
make_footer() not executed in certain
situationsunclosed HTML tag
Generates illegal tag
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
14/19
Failures in PHP programs
Targets twotypes of failures
Execution failures
Web Script Crashes
HTML failures
Malformed HTML
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
15/19
Failure-Finding in PHP
Applications
Concolic Testing Dynamic Test Generation Technique
Execute application on1. Initially on empty input
2. Then on additional inputs, obtained by solving
constraints that are derived from control flow paths Extensions
Validate to correctness of program output by usingoracle
Use isset, isempty, require, etc. to require generation ofconstraints absent in other OOPLs
Use pre-specified set of values for databaseauthentication
Simulate each user input by transforming source code
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
16/19
Transformation of Code
Interactive HTML pages with buttons and
menus
For each page (h) that contains Nbuttons
Add additional input parameterpto PHP program
Values range from 1 to N
Switch statement inserted including appropriate
PHP source file, depending onp
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
17/19
An example
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
18/19
The Failure Detection Algorithm
parameters: Program P, oracle O result : Bug reports B;
B : setOf ()
1. PsimulateUserInput(P);
2. Bempty;
3. pcQueue emptyQueue();
4. enqueue(pcQueue, emptyPathConstraint());
5. while not empty(pcQueue) and not timeExpired() do
6. pathConstraintdequeue(pcQueue);
7. input solve(pathConstraint);
8. if input not equals tothen
9. output executeConcrete(P, input);
10. failures getFailures(O, output);
11. foreachf in failures do
12. merge into B;
13. c1 . . . cn executeSymbolic(P, input); foreach i = 1,. . . ,n do
newPC c1 . . . ci1 ci;
queue(pcQueue, newPC);
1. return B;
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1
19/19
Example: Execution 1 (Expose Third
Fault)
truesets page = 0
false
GoTo(20)
Execution
HTML validation tool determines output is legal
NotSet(page) page2 1337 login 1
parameters: Program P, oracle O
result : Bug reports B;
B : setOf ()
1.PsimulateUserInput(P);
2.Bempty;3.pcQueue emptyQueue();
4.enqueue(pcQueue, emptyPathConstraint());
5.while not empty(pcQueue) and not timeExpired()
do
6. pathConstraint dequeue(pcQueue);
7. input solve(pathConstraint);
8. if input not equals tothen
9. output executeConcrete(P, input);
10. failures getFailures(O, output);
11. foreachf in failures do
12. merge into B;
13. c1 . . . cn executeSymbolic(P, input);
foreach i = 1,. . . ,n do newPC c1 . . . ci1 ci;
queue(pcQueue, newPC);
1.return B;
NotSet(page)page2 1337 login = 1NotSet(page) page2 = 1337
Set(page)