Abstract
As web applications become more complex, automated techniques for their testing and verification have become essential. Many of these techniques, such as those for identifying security vulnerabilities, require information about a web application's control flow. Currently, this information is either specified manually or generated automatically by techniques that cannot give strong guarantees of completeness. This paper presents a new static-analysis-based approach for identifying control flow in web applications that is both automated and provides stronger guarantees of completeness. The empirical evaluation of the approach shows that it identifies more complete control flow information than other approaches, with comparable analysis run time.
© 2015 Springer International Publishing Switzerland
Cite this paper
Halfond, W.G.J. (2015). Identifying Inter-Component Control Flow in Web Applications. In: Cimiano, P., Frasincar, F., Houben, G.J., Schwabe, D. (eds) Engineering the Web in the Big Data Era. ICWE 2015. Lecture Notes in Computer Science, vol 9114. Springer, Cham. https://doi.org/10.1007/978-3-319-19890-3_5
DOI: https://doi.org/10.1007/978-3-319-19890-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-19889-7
Online ISBN: 978-3-319-19890-3