Perturbation-based user-input-validation testing of web applications

Nuo Li, Tao Xie, Maozhong Jin, Chao Liu

Research output: Contribution to journalArticlepeer-review


User-input-validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.

Original languageEnglish (US)
Pages (from-to)2263-2274
Number of pages12
JournalJournal of Systems and Software
Issue number11
StatePublished - Nov 2010
Externally publishedYes


  • Software testing
  • User-input-validation testing
  • Web-application testing

ASJC Scopus subject areas

  • Software
  • Information Systems
  • Hardware and Architecture


Dive into the research topics of 'Perturbation-based user-input-validation testing of web applications'. Together they form a unique fingerprint.

Cite this