TY - GEN
T1 - Bypass testing of web applications
AU - Offutt, Jeff
AU - Wu, Ye
AU - Du, Xiaochen
AU - Huang, Hong
PY - 2004
Y1 - 2004
N2 - Web software applications are increasingly being deployed in sensitive situations. Web applications are used to transmit, accept and store data that is personal, company confidential and sensitive. Input validation testing (IVT) checks user inputs to ensure that they conform to the program's requirements, which is particularly important for software that relies on user inputs, including Web applications. A common technique in Web applications is to perform input validation on the client with scripting languages such as JavaScript. An insidious problem with client-side input validation is that end users can bypass this validation. Bypassing validation can cause failures in the software, and can also break the security on Web applications, leading to unauthorized access to data, system failures, invalid purchases and entry of bogus data. We are developing a strategy called bypass testing to create client-side tests for Web applications that intentionally violate explicit and implicit checks on user inputs. This paper describes the strategy, defines specific rules and adequacy criteria for tests, describes a proof-of-concept automated tool, and presents initial empirical results from applying bypass testing.
AB - Web software applications are increasingly being deployed in sensitive situations. Web applications are used to transmit, accept and store data that is personal, company confidential and sensitive. Input validation testing (IVT) checks user inputs to ensure that they conform to the program's requirements, which is particularly important for software that relies on user inputs, including Web applications. A common technique in Web applications is to perform input validation on the client with scripting languages such as JavaScript. An insidious problem with client-side input validation is that end users can bypass this validation. Bypassing validation can cause failures in the software, and can also break the security on Web applications, leading to unauthorized access to data, system failures, invalid purchases and entry of bogus data. We are developing a strategy called bypass testing to create client-side tests for Web applications that intentionally violate explicit and implicit checks on user inputs. This paper describes the strategy, defines specific rules and adequacy criteria for tests, describes a proof-of-concept automated tool, and presents initial empirical results from applying bypass testing.
UR - https://www.scopus.com/pages/publications/16244370108
U2 - 10.1109/ISSRE.2004.13
DO - 10.1109/ISSRE.2004.13
M3 - Conference contribution
SN - 0769522157
T3 - Proceedings - International Symposium on Software Reliability Engineering, ISSRE
SP - 187
EP - 197
BT - ISSRE 2004 Proceedings; 15th International Symposium on Software Reliability Engineering
T2 - ISSRE 2004 Proceedings; 15th International Symposium on Software Reliability Engineering
Y2 - 2 November 2004 through 5 November 2004
ER -