Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1


  • 8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part1

Slide 1/19: Finding Bugs in Dynamic Web Applications

Slide 2/19: Presented By

Md. Monjurul Hasan
CSE 6329
Special Topics in Advanced Software Engineering

Slide 3/19: Dynamic Web Application

Generates pages (HTML contents) on-the-fly
Content varies by user and by user-specified criteria
Obtained by server-side programming
We can say that all big, well-known web applications are dynamic web applications

Source: Dynamic Web Application Development using PHP and MySQL, by Simon Stobart and David Parsons

Slide 4/19: Web Threats

Web script crashes and malformed dynamically-generated Web pages impact the usability of Web applications
Current tools for Web-page validation cannot handle dynamically-generated pages

Slide 5/19: Web Script Crash

Missing included file
Call to undefined method
Wrong database query
Uncaught exceptions


Slide 7/19: The Problem

Bad scripts creating syntactically-malformed HTML
Partially displayable or non-displayable HTML
Browsers attempt to correct crashes
Slower HTML rendering
Discard important information
Trouble indexing correct pages for search engines
Example

Slide 8/19: More Problems

Dynamic web page testing challenges:
HTML validation tools only perform testing of static pages
They cannot fully capture behavior, since not all functionality of the code is found in the HTML result
No automatic validator exists for scripting languages that dynamically generate HTML pages
HTML Kit validates every generated page but requires manual generation of the inputs that lead to displaying those pages

Slide 9/19: What this paper presents

Presents an automated technique for finding faults manifested as Web script crashes or malformed HTML
Extends dynamic test generation to scripting languages
Identifies the minimal part of the input responsible for triggering failures
Uses an oracle to determine well-formed HTML
Creates a tool, Apollo, that implements all of these in the context of PHP

Slide 10/19: Why?

Widely used in Web development
Network interactions
Database
HTTP processing
Object oriented
Scripting
21 million domains (75%) are powered by it, including large websites like Wikipedia, WordPress, Facebook, Digg, etc. [1]

[1] Source: Netcraft, April 2007

Slide 11/19: Example program

SchoolMate.php
Allows school administrators to manage classes and users, teachers to manage assignments and grades, and students to access their information

Typical URL:
schoolmate.php?page=1&page2=100&login=1&username=user&password=password


Slide 13/19

printReportCards.php missing
make_footer() not executed in certain situations: unclosed HTML tag
Generates illegal tag

Slide 14/19: Failures in PHP programs

Targets two types of failures:
Execution failures: Web script crashes
HTML failures: malformed HTML

Slide 15/19: Failure-Finding in PHP Applications

Concolic Testing: a dynamic test generation technique
Execute the application:
1. Initially on empty input
2. Then on additional inputs, obtained by solving constraints that are derived from control flow paths

Extensions:
Validate the correctness of program output by using an oracle
Handle isset, isempty, require, etc., which require generating constraints absent in other OOPLs
Use a pre-specified set of values for database authentication
Simulate each user input by transforming the source code

Slide 16/19: Transformation of Code

Interactive HTML pages with buttons and menus
For each page (h) that contains N buttons:
Add an additional input parameter p to the PHP program
Its values range from 1 to N
A switch statement is inserted that includes the appropriate PHP source file, depending on p

Slide 17/19: An example

Slide 18/19: The Failure Detection Algorithm

parameters: Program P, oracle O
result: Bug reports B; B : setOf ()

     1. P ← simulateUserInput(P);
     2. B ← ∅;
     3. pcQueue ← emptyQueue();
     4. enqueue(pcQueue, emptyPathConstraint());
     5. while not empty(pcQueue) and not timeExpired() do
     6.     pathConstraint ← dequeue(pcQueue);
     7.     input ← solve(pathConstraint);
     8.     if input ≠ ⊥ then
     9.         output ← executeConcrete(P, input);
    10.         failures ← getFailures(O, output);
    11.         foreach f in failures do
    12.             merge into B;
    13.         c1 ∧ … ∧ cn ← executeSymbolic(P, input);
                foreach i = 1, …, n do
                    newPC ← c1 ∧ … ∧ c(i−1) ∧ ¬ci;
                    enqueue(pcQueue, newPC);
    14. return B;

Slide 19/19: Example: Execution 1 (Expose Third Fault)

Execution: true → sets page = 0; false → GoTo(20)
HTML validation tool determines output is legal
Path constraint: NotSet(page) ∧ page2 = 1337 ∧ login = 1


Path constraints shown on the slide:
NotSet(page) ∧ page2 = 1337
Set(page)
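The failure detection loop of slide 18 and the trace of slide 19, as an added Python example (not Apollo's code and not from the original slides): a constructed stand-in for schoolmate.php records Set/NotSet and equality constraints as it reads its input, a brute-force stand-in for the solver produces the next input, a tag-nesting checker stands in for the HTML oracle, and the loop flips one constraint of each explored path as lines 5 to 14 describe. The script, its parameter names, the oracle and the solver are assumptions made for this example.

```python
import itertools
import re

class Input:
    def __init__(self, values): self.values, self.pc = values, []   # $_GET-style values; pc = path constraint
    def is_set(self, k):                      # mirrors isset($_GET[k]) and records the decision
        self.pc.append(("set", k, None, k in self.values)); return self.pc[-1][3]
    def eq(self, k, v):                       # mirrors $_GET[k] == v and records the decision
        self.pc.append(("eq", k, v, self.values.get(k) == v)); return self.pc[-1][3]

def toy_script(inp):                          # constructed stand-in for schoolmate.php
    html = "<html><body>"
    if inp.is_set("login") and inp.eq("login", "1"):
        if not inp.is_set("page2"): raise RuntimeError("Call to undefined method")   # script crash
        if inp.eq("page2", "1337"):
            return html + "<p>Report cards</p>"               # make_footer() skipped: tags left open
    return html + "</body></html>"                            # make_footer()

def oracle(output):                           # HTML well-formedness oracle (tag nesting only)
    stack, failures = [], []
    for close, tag in re.findall(r"<(/?)(\w+)[^>]*>", output):
        if not close: stack.append(tag)
        elif not stack or stack.pop() != tag:
            failures.append(f"mismatched </{tag}>")
    return failures + [f"unclosed <{t}>" for t in stack]

def solve(pc):                                # brute-force stand-in for the constraint solver
    keys = sorted({c[1] for c in pc})
    domain = [None, "fresh"] + [c[2] for c in pc if c[0] == "eq"]      # None = parameter absent
    for combo in itertools.product(domain, repeat=len(keys)):
        values = {k: v for k, v in zip(keys, combo) if v is not None}
        if all(((k in values) if t == "set" else values.get(k) == v) == r for t, k, v, r in pc):
            return values
    return None                               # unsatisfiable: the slide's ⊥

def find_failures(program, oracle, budget=60):   # slide 18's loop; budget stands in for timeExpired()
    bugs, pc_queue = {}, [()]                     # B and pcQueue seeded with the empty path constraint
    while pc_queue and (budget := budget - 1) >= 0:
        values = solve(pc_queue.pop(0))
        if values is None:
            continue
        try:
            failures = oracle(program(inp := Input(values)))    # HTML failures
        except Exception as e:
            failures = [f"crash: {e}"]            # execution failure
        for f in failures:
            bugs.setdefault(f, dict(values))      # merge into B, keeping the first triggering input
        for i, c in enumerate(inp.pc):            # newPC = c1 ∧ ... ∧ c(i-1) ∧ ¬ci, then enqueue
            pc_queue.append(tuple(inp.pc[:i]) + (c[:3] + (not c[3],),))
    return bugs
```

Running `find_failures(toy_script, oracle)` reports the crash with the input {login: 1} and the unclosed tags with {login: 1, page2: 1337}, the same shape of path constraint the slide shows.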