DOI: 10.1145/3092703.3092734

Testing and analysis of web applications using page models

Published: 10 July 2017 Publication History

Abstract

Web applications are difficult to analyze using code-based tools because data-flow and control-flow through the application occurs via both server-side code and client-side pages. Client-side pages are typically specified in a scripting language that is different from the main server-side language; moreover, the pages are generated dynamically from the scripts. To address these issues we propose a static-analysis approach that automatically constructs a "model" of each page in a given application. A page model is a code fragment in the same language as the server-side code, which faithfully over-approximates the possible elements of the page as well as the control-flows and data-flows due to these elements. The server-side code in conjunction with the page models then becomes a standard (non-web) program, thus amenable to analysis using standard code-based tools. We have implemented our approach in the context of J2EE applications. We demonstrate the versatility and usefulness of our approach by applying three standard analysis tools on the resultant programs from our approach: a concolic-execution based model checker (JPF), a dynamic fault localization tool (Zoltar), and a static slicer (Wala).
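To make the idea of a page model concrete, the following is an added, hand-written illustration in the spirit of the abstract; it is not code generated by the paper's tool and does not claim to reproduce its encoding. It assumes a hypothetical `login.jsp` (shown in the header comment) that echoes a session attribute through an EL expression and posts a form to a servlet `LoginServlet` mapped at `/login`. The class names, the `Nondet` helper and `FormRequest` wrapper are all assumptions introduced for the example. The point it shows is the one the abstract makes: once the page's elements are rewritten as ordinary server-side Java, a standard taint analysis or model checker sees the session-attribute-to-response data flow and the form-to-servlet control flow without having to parse JSP or HTML.

```java
// Added illustration (not the paper's generated code): a hand-written page model
// for a hypothetical login.jsp assumed to contain
//
//   <c:if test="${not empty sessionScope.err}">${sessionScope.err}</c:if>
//   <form action="login" method="post">
//     <input name="user"> <input name="pass" type="password">
//     <input type="submit">
//   </form>
//
// LoginServlet, Nondet and FormRequest are assumed names for this example.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public final class LoginPageModel {

    /** Unconstrained values standing in for browser choices and user input. */
    static final class Nondet {
        // A model checker such as JPF would replace these with symbolic choices
        // (e.g. Verify.getBoolean()); for a plain JVM run they are just arbitrary.
        static boolean bool()   { return Math.random() < 0.5; }
        static String  string() { return ""; }
    }

    /** A POST request whose parameters come from the page model, not the wire. */
    static final class FormRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;

        FormRequest(HttpServletRequest base, Map<String, String[]> params) {
            super(base);
            this.params = params;
        }

        @Override public String getMethod() { return "POST"; }

        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return v == null ? null : v[0];
        }

        @Override public Map<String, String[]> getParameterMap() { return params; }
    }

    /**
     * Server-side stand-in for rendering login.jsp and for what the browser may do next.
     * Every page element becomes ordinary Java, so a code-based tool observes:
     *  - data flow: session attribute "err" -> response body (an HTML output sink);
     *  - control flow: form submission -> LoginServlet with attacker-chosen field values.
     */
    public static void render(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        // <c:if test="${not empty sessionScope.err}">${sessionScope.err}</c:if>
        Object err = req.getSession().getAttribute("err");
        if (err != null && !"".equals(err)) {
            // Unescaped EL output: an XSS sink if "err" ever carries tainted data.
            resp.getWriter().print(String.valueOf(err));
        }

        // The form: the user may or may not submit it, and may put anything in either
        // field. The model deliberately over-approximates: it assumes nothing about
        // client-side validation, because an attacker's browser need not run it.
        if (Nondet.bool()) {
            Map<String, String[]> params = new HashMap<>();
            params.put("user", new String[] { Nondet.string() });
            params.put("pass", new String[] { Nondet.string() });
            // action="login" method="post" -> the servlet mapped to /login
            new LoginServlet().service(new FormRequest(req, params), resp);
        }
    }
}
```

The two nondeterministic points (whether the form is submitted, and what the fields contain) are what make the fragment an over-approximation rather than a replay of one browser session: a checker exploring both branches of `Nondet.bool()` covers the page's possible behaviours, and a taint analysis that marks `Nondet.string()` as attacker-controlled follows those values into `LoginServlet` exactly as it would follow `request.getParameter` in hand-written server code.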

Published In

ISSTA 2017: Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2017
447 pages
ISBN:9781450350761
DOI:10.1145/3092703
  • General Chair:
  • Tevfik Bultan,
  • Program Chair:
  • Koushik Sen

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. JSP
  2. Static Analysis
  3. Web Applications

Qualifiers

  • Research-article

Conference

ISSTA '17

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Cited By

View all
  • (2024)Effective, Platform-Independent GUI Testing via Image Embedding and Reinforcement LearningACM Transactions on Software Engineering and Methodology10.1145/367472833:7(1-27)Online publication date: 21-Jun-2024
  • (2022)Verification of ORM-based controllers by summary inferenceProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510148(2340-2351)Online publication date: 21-May-2022
  • (2021)Understanding and detecting server-side request races in web applicationsProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468594(842-854)Online publication date: 20-Aug-2021
  • (2021)A Characteristic Study of Deadlocks in Database-Backed Web Applications2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE)10.1109/ISSRE52982.2021.00059(510-521)Online publication date: Oct-2021
  • (2021)Automatic Web Testing Using Curiosity-Driven Reinforcement LearningProceedings of the 43rd International Conference on Software Engineering10.1109/ICSE43902.2021.00048(423-435)Online publication date: 22-May-2021
  • (2018)Dataflow tunnelingProceedings of the 40th International Conference on Software Engineering10.1145/3180155.3180171(586-597)Online publication date: 27-May-2018
  • (2017)Inferring page models for web application analysisProceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3092703.3098240(412-415)Online publication date: 10-Jul-2017