Perturbation-based user-input-validation testing of web applications

Nuo Li; Tao Xie; Maozhong Jin; Chao Liu

doi:10.1016/j.jss.2010.07.007

Perturbation-based user-input-validation testing of web applications

Nuo Li, Tao Xie, Maozhong Jin, Chao Liu

Research output: Contribution to journal › Article › peer-review

Abstract

User-input-validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.

Original language	English (US)
Pages (from-to)	2263-2274
Number of pages	12
Journal	Journal of Systems and Software
Volume	83
Issue number	11
DOIs	https://doi.org/10.1016/j.jss.2010.07.007
State	Published - Nov 2010
Externally published	Yes

Keywords

Software testing
User-input-validation testing
Web-application testing

ASJC Scopus subject areas

Software
Information Systems
Hardware and Architecture

Online availability

10.1016/j.jss.2010.07.007

Library availability

Discover UIUC Full Text

Cite this

@article{7b0f886d24d94c67b8bdaf9040367410,

title = "Perturbation-based user-input-validation testing of web applications",

abstract = "User-input-validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.",

keywords = "Software testing, User-input-validation testing, Web-application testing",

author = "Nuo Li and Tao Xie and Maozhong Jin and Chao Liu",

year = "2010",

month = nov,

doi = "10.1016/j.jss.2010.07.007",

language = "English (US)",

volume = "83",

pages = "2263--2274",

journal = "Journal of Systems and Software",

issn = "0164-1212",

publisher = "Elsevier Inc.",

number = "11",

}

TY - JOUR

T1 - Perturbation-based user-input-validation testing of web applications

AU - Li, Nuo

AU - Xie, Tao

AU - Jin, Maozhong

AU - Liu, Chao

PY - 2010/11

Y1 - 2010/11

N2 - User-input-validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.

AB - User-input-validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.

KW - Software testing

KW - User-input-validation testing

KW - Web-application testing

UR - http://www.scopus.com/inward/record.url?scp=77957332722&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77957332722&partnerID=8YFLogxK

U2 - 10.1016/j.jss.2010.07.007

DO - 10.1016/j.jss.2010.07.007

M3 - Article

AN - SCOPUS:77957332722

SN - 0164-1212

VL - 83

SP - 2263

EP - 2274

JO - Journal of Systems and Software

JF - Journal of Systems and Software

IS - 11

ER -

Perturbation-based user-input-validation testing of web applications

Abstract

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this