Perturbation-based user-input-validation testing of web applications

Journal of Systems and Software

Volumn 83, Issue 11, 2010, Pages 2263-2274

  Li, Nuo ^a   Xie, Tao ^a   Jin, Maozhong ^b   Liu, Chao ^b  

^a North Carolina State University   (United States)

^b BEIHANG UNIVERSITY   (China)

Author keywords

Software testing; User input validation testing; Web application testing

Indexed keywords

APPLICATION-LEVEL ATTACKS; EMPIRICAL RESULTS; EMPIRICAL STUDIES; NEW APPROACHES; SIDE INFORMATION; TEST INPUTS; TEST TOOLS; VALIDATION TESTING; VULNERABILITY SCANNER; WEB APPLICATION; WEB-APPLICATION TESTING;

COMPUTER SOFTWARE SELECTION AND EVALUATION; INFORMATION USE; SCANNING; SEMANTIC WEB; SOFTWARE TESTING;

WORLD WIDE WEB;

EID: 77957332722     PISSN: 01641212     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.jss.2010.07.007     Document Type: Article

References (48)

1. Acunetix Web Vulnerability Scanner, http://www.acunetix.com/ (2008).
2. A. Andrews, J. Offutt, and R. Alexander Testing web applications by modeling with fsms Software Syst. Model. 4 3 2005 326 345
3. Appscan Suite for Web Application Security Testing, http://www.watchfire. com/products/appscan/default.aspx (2008).
4. K. Beaver, The importance of input validation, http:// searchsoftwarequality.techtarget.com/tip/0,289483,sid92-gci1214373,00.html (2006).
5. M. Benedikt, J. Freire, and P. Godefroid Veriweb: Automatically testing dynamic web sites Proc. WWW 2002
6. M. Bolin, M. Webber, P. Rha, T. Wilson, and R.C. Miller Automation and customization of rendered web pages Proc. UIST 2005 163 172
7. Burp proxy, http://www.portswigger.net/proxy/ (2009).
8. G. Di Lucca, M. Di Penta, and A. Fasolino An approach to identify duplicated web pages Proc. CMPSAC 2002 481 486
9. dk.brics.automaton, http://www.brics.dk/automaton/index.html (2007).
10. S. Elbaum, S. Karre, and G. Rothermel Improving web application testing with user session data Proc. ICSE 2003 49 59
11. S. Elbaum, G. Rothermel, S. Karre, and M. Fisher II Leveraging user-session data to support web application testing IEEE Trans. Softw. Eng. 31 3 2005 187 202
12. Fiddler, http://www.fiddlertool.com/fiddler/ (2009).
13. Fielding, R,; Gettys, J,; Mogul, J,; Frystyk, H,; Masinter, L,; Leach, P,; Berners-Lee, T,; Hypertext transfer protocol - http/1.1, http://www.w3.org/Protocols/rfc2616/rfc2616.html (2007).
14. Google Hacking Database, http://johnny.ihackstuff.com/ghdb.php (2008).
15. HTML DOM Tutorial, http://www.w3schools.com/HTMLDOM/default.asp (2009).
16. W.G.J. Halfond, and A. Orso Improving test case generation for web applications using automated interface discovery Proc. ESEC-FSE 2007 145 154
17. D. Hirschberg A linear space algorithm for computing maximal common subsequences Commun. ACM 18 6 1975 341 343
18. M. Howard, and D. LeBlanc Writing Secure Code 2003 Microsoft Press Redmond, Wash
19. HTML Parser, http://htmlparser.sourceforge.net/ (2006).
20. Y. Huang, S. Huang, T. Lin, and C. Tsai Web application security assessment by fault injection and behavior monitoring Proc. WWW 2003 148 159
21. Y.W. Huang, F. Yu, C. Hang, C. Tsai, D.T. Lee, and S. Kuo Securing web application code by static analysis and runtime protection Proc. WWW 2004 40 52
22. Hunt, J.W,; McIlroy, M.D,; An Algorithm for Differential File Comparison, Technical Report SECLAB-05-04, Bell Laboratories (1976).
23. Koders, http://www.koders.com/ (2008).
24. A. Koesnandar, S. Elbaum, G. Rothermel, L. Hochstein, C. Scaffidi, and K.T. Stolee Using assertions to help end-user programmers create dependable web macros Proc. SIGSOFT/FSE 2008 124 134
25. H. Liu, and H.B.K. Tan Automated verification and test case generation for input validation Proc. AST 2006 9 14
26. C.-H. Liu, D.C. Kung, P. Hsia, and C.-T. Hsu Object-based data flow testing of web applications Proc. APAQS 2000 7 16
27. C.-H. Liu, D.C. Kung, P. Hsia, and C.-T. Hsu Structural testing of web applications Proc. ISSRE 2000 84 96
28. G.A.D. Lucca, and A.R. Fasolino Testing web-based applications: the state of the art and future trends Inf. Softw. Technol. 48 12 2006 1172 1186
29. G.D. Lucca, A. Fasolino, and F. Faralli Testing web applications Proc. ICSM 2002 310 319
30. A.D. Lucia, G. Scanniello, and G. Tortora Using a competitive clustering algorithm to comprehend web applications Proc. WSE 2006 33 40
31. D. Maier The complexity of some problems on subsequences and supersequences J. ACM 25 2 1978 322 336
32. Mvnforum, http://www.mvnforum.com/mvnforumweb/index.jsp (2006).
33. Nikto2 release 2.02, http://www.cirt.net/code/nikto.shtml (2008).
34. NIST SAMATE Reference Dataset Project, http://samate.nist.gov/SRD/index. php (2007).
35. J. Offutt, Y. Wu, X. Du, and H. Huang Bypass testing of web applications Proc. ISSRE 2004 187 197
36. Open Source Vulnerability Database, http://osvdb.org/ (2008).
37. Open Web Application Security Project, Top 10 2007. http://www.owasp.org/ index.php/Top-10-2007.
38. Paros - for Web Application Security Assessment, http://www.parosproxy. org/index.shtml (2008).
39. Perturbation-based User-Input-Validation Testing of Web Applications, https://sites.google.com/site/asergrp/projects/PIUIVT (2010).
40. Regular Expression Library, http://regexlib.com/ (2007).
41. F. Ricca, and P. Tonella Analysis and testing of web applications Proc. ICSE 2001 25 34
42. S. Sprenkle, E. Gibson, S. Sampath, and L. Pollock Automated replay and failure detection for web applications Proc. ASE 2005 253 262
43. Tamperie, http://www.bayden.com/TamperIE/ (2009).
44. H.F. Tipton, and M. Krause Information Security Management Handbook 6th ed. 2006 Auerbach Publications New York
45. Top 10 Web Vulnerability Scanners, http://sectools.org/web-scanners.html (2006).
46. Q. Wang, L. Quan, and F. Ying Online testing of web-based applications Proc. COMPSAC 2004 166 169
47. C. Weber, Testing Your Web Applications for Cross Site Scripting Vulnerabilities, http://www.microsoft.com/technet/community/columns/secmvp/ sv0505.mspx (2005).
48. Wikto: Web Server Assessment Tool, http://www.sensepost.com/research/ wikto/ (2008).