Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bypass Testing of Web Applications

Published byShon Carroll Modified over 6 years ago

Similar presentations

Presentation on theme: "Bypass Testing of Web Applications"— Presentation transcript:

1 Bypass Testing of Web Applications
Jeff Offutt SWE 737 Advanced Software Testing

2 Abbreviated HTML <FORM >
<INPUT Type=“text” Name=“username” Size=20> <INPUT Type=“text” Name=“age” Size=3 Maxlength=3> <P> Version to purchase: <INPUT Type=“radio” Name=“version” Value=“150” Checked> <INPUT Type=“radio” Name=“version” Value=“250”> <INPUT Type=“radio” Name=“version” Value=“500”> <INPUT Type=“submit” onClick=“return checkInfo(this.form)”> <INPUT Type=“hidden” isLoggedIn=“no”> </FORM> SWE 737 © Jeff Offutt

3 Bypass Behavior Extremely loose coupling …
combined with the stateless protocol … allows users to easily bypass client-side checking : Users can save and modify the HTML SWE 737 © Jeff Offutt

4 Saved & Modified HTML <FORM >
<INPUT Type=“text” Name=“username” Size=20> <INPUT Type=“text” Name=“age” Size=3 Maxlength=3> <P> Version to purchase: <INPUT Type=“radio” Name=“version” Value=“150”> <INPUT Type=“radio” Name=“version” Value=“250”> <INPUT Type=“radio” Name=“version” Value=“500” Checked> <INPUT Type=“submit” onClick=“return checkInfo (this.form)”> <INPUT Type=“hidden” isLoggedIn= “no” > </FORM> Allows an input with arbitrary age, no checking, cost=$25 … ‘<‘ can crash an XML parser Text fields can have SQL statements 25 yes SWE 737 © Jeff Offutt

5 SQL Injection User Name: turing Password: enigma Original SQL:
SELECT username FROM adminuser WHERE username=‘turing’ AND password =‘enigma’ “injected” SQL: SELECT username FROM adminuser WHERE username=‘turing’ OR ‘1’ = ‘1’ AND password =‘enigma’ OR ‘1’ = ‘1’ SWE 737 © Jeff Offutt

6 Bypass Testing This example illustrates how users can “bypass” client-side constraint enforcement Bypass testing constructs tests to intentionally violate constraints Eases test automation Checks robustness Evaluates security Preliminary results Rules for constructing tests Successfully found errors in numerous Web apps SWE 737 © Jeff Offutt

7 Applying Bypass Testing
Validating input data on the client is like asking your opponent to hold your shield in a sword fight Analyze HTML to extract each form element Model constraints imposed by HTML and JavaScript Rules for data generation : From client-side constraints Typical security violations Common input mistakes SWE 737 © Jeff Offutt

8 Client Input Validation
Client side input validation is performed by HTML form controls, their attributes, and client side scripts Validation types are categorized as HTML and scripting HTML supports syntactic validation Client scripting can perform both syntactic and semantic validation HTML Constraints Scripting Constraints Length (max input characters) Value (preset values) Transfer Mode (GET or POST) Field Element (preset fields) Target URL (links with values) Data Type (e.g. integer check) Data Format (e.g. ZIP code format) Data Value (e.g. age value range) Inter-Value (e.g. credit # + exp. date) Invalid Characters (e.g. <,../,&) SWE 737 © Jeff Offutt

9 Client-Side Constraint Rules
Violate size restrictions on strings Introduce values not included in static choices Radio boxes Select (drop-down) lists Violate hard-coded values Use values that JavaScripts flag as errors Change “transfer mode” (get, post, …) Change destination URLs SWE 737 © Jeff Offutt

10 Server-Side Constraint Rules
Data type conversion Data format validation Inter-field constraint validation Inter-request data fields (cookies, hidden) SWE 737 © Jeff Offutt

11 Security Violation Rules
Potential Illegal Character Symbol Empty String Commas , Single and double quotes ’ or ” Tag symbols Tag symbols < and > Directory paths .. ../ Strings starting with forward slash / Strings starting with a period . Ampersands & Control character NIL, newline Characters with high bit set 254 and 255 Script symbols <javascript> or <vbscript> SWE 737 © Jeff Offutt

12 Test Value Selection Challenge: Semantic Domain Problem (SDP)
How to automatically provide effective test values? Semantic Domain Problem (SDP) Values within the application domain are needed Enumeration of all possible test values is inefficient Possible Solutions Random Values (ineffective – lots of junk) Automatically generated values (very hard) Taking values from session log files (feasible but incomplete) Tester input (feasible) Our tool used an input domain created by parsing the interface and tester input SWE 737 © Jeff Offutt

13 Real-World Examples Pure black-box testing means
atutor.ca Atalker demo.joomla.or Poll, Users phpMyAdmin Main page, Set Theme, SQL Query, DB Stats brainbench.com Submit Request Info, New user myspace.com Events & Music Search nytimes.com Us-markets mutex.gmu.edu Login form yahoo.com Notepad, Composer, Search reminder, Weather Search barnesandnoble.com Cart manager, Book search/results amazon.com Item dispatch, Handle buy bankofamerica.com ATM locator, Site search comcast.com Service availability ecost.com Detail submit, Shopping cart control google.com Froogle, Language tools pageflakes.com Registration wellsfargolife.com Quote search Pure black-box testing means no source (or permission) needed ! SWE 737 © Jeff Offutt

14 Output Checking (V) Valid Responses : invalid inputs are adequately processed by the server (F) Faults & Failures : invalid inputs that cause abnormal server behavior (typically caught by web server when application fails to handle the error) (E) Exposure : invalid input is not recognized by the server and abnormal software behavior is exposed to the users These do not capture whether the valid responses corrupted data on the server (V1) Server acknowledges the invalid request and provides an explicit message regarding the violation (V2) Server produces a generic error message (V3) Server apparently ignores the invalid request and produces an appropriate response (V4) Server apparently ignores the request completely SWE 737 © Jeff Offutt

15 Results v SWE 737 © Jeff Offutt

16 References Jeff Offutt, Vasileios Papadimitriou, and Upsorn Praphamontripong. A Case Study on Bypass Testing of Web Applications. Springer’s Empirical Software Engineering journal, July 2012 Mouelhi, Le Traon, Abgrall, Baudry, and Gombault. Tailored Shielding and Bypass Testing of Web Applications. Fourth International Conference on Software Testing, Verification and Validation (ICST), March 2011, pp Jeff Offutt, Qingxiang Wang and Joann J. Ordille. An Industrial Case Study of Bypass Testing on Web Applications. 1st IEEE International Conference on Software Testing, Verification and Validation , pages , April 2008, Lillehammer, Norway Jeff Offutt, Ye Wu, Xiaochen Du and Hong Huang. Bypass Testing of Web Applications. IEEE International Symposium on Software Reliability Engineering, pages , November 2004, Bretagne France SWE 737 © Jeff Offutt

Download ppt "Bypass Testing of Web Applications"

Similar presentations

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Video, audio, embed, iframe, HTML Form

Video, audio, embed, iframe, HTML Form
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.

Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.
Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.

Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information.

Aug. 2, 2005Vasileios Papadimitriou1 Automating Bypass Testing for Web Applications Vasileios Papadimitriou The Volgenau School of Information.
Web Development & Design Foundations with XHTML Chapter 9 Key Concepts.

Web Development & Design Foundations with XHTML Chapter 9 Key Concepts.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.
4-Sep-15 HTML Forms Mrs. Goins Web Design Class. Parts of a Web Form A Form is an area that can contain Form Control/Elements. Each piece of information.

4-Sep-15 HTML Forms Mrs. Goins Web Design Class. Parts of a Web Form A Form is an area that can contain Form Control/Elements. Each piece of information.
1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.

1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.
XP Tutorial 6New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Creating Web Page Forms Designing a Product Registration Form Tutorial.

XP Tutorial 6New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Creating Web Page Forms Designing a Product Registration Form Tutorial.
Introduction to Software Testing Chapter 7.2 Engineering Criteria for Technologies Paul Ammann & Jeff Offutt

Introduction to Software Testing Chapter 7.2 Engineering Criteria for Technologies Paul Ammann & Jeff Offutt
1 Forms A form is the usual way that information is gotten from a browser to a server –HTML has tags to create a collection of objects that implement this.

1 Forms A form is the usual way that information is gotten from a browser to a server –HTML has tags to create a collection of objects that implement this.
1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.

1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.
Testing Dynamic Aspects of Web Applications Jeff Offutt Professor, Software Engineering George Mason University Fairfax, VA USA

Testing Dynamic Aspects of Web Applications Jeff Offutt Professor, Software Engineering George Mason University Fairfax, VA USA

Similar presentations

Ads by Google