bypass testing of web applications
play

Bypass Testing of Web Applications Jeff Offutt George Mason - PowerPoint PPT Presentation

Nov 05, 2022 •271 likes •587 views

Bypass Testing of Web Applications Jeff Offutt George Mason University Professor of Software Engineering www.cs.gmu.edu/~offutt My bypass testing playmates Ye Wu Vasileios Papadimitriou Joann J. Ordille Xiaochen Du Qingxian Wang Upsorn

  1. Bypass Testing of Web Applications Jeff Offutt George Mason University Professor of Software Engineering www.cs.gmu.edu/~offutt

  2. My bypass testing playmates Ye Wu Vasileios Papadimitriou Joann J. Ordille Xiaochen Du Qingxian Wang Upsorn Praphamontripong Hong Huang November 2020 Jeff Offutt 2 of 30

  3. Deploying software • Bundled : Pre-installed on computer • Shrink-wrap : Bought and installed by end-users • Contract : Purchaser pays developer to develop and install, usually for a fixed price • Embedded : Installed on a hardware device, usually with no direct communication with user • Web : Executed across the Internet through HTTP 3 November 2020 Jeff Offutt of 30

  4. Problem parameters HTTP is a stateless protocol • – Each request is independent of previous requests Servers have little information about where a request • comes from Web site software is extremely loosely coupled • – Coupled through the Internet – separated by space – Coupled to diverse hardware devices – Written in diverse software languages November 2020 Jeff Offutt 4 of 30

  5. Web application input validation Bad Data Check data • Corrupts data base • Crashes server Check data • Security violations Sensitive Data Client Server Malicious Data Can “bypass” data checking November 2020 Jeff Offutt 5 of 30

  6. Bypass testing • Users can easily “ bypass ” client-side constraint enforcement • Bypass testing constructs tests to intentionally violate constraints : – Eases test automation – Validates input validation – Checks robustness – Evaluates security J Offutt, Y Wu, X Du, and H Huang. Bypass Testing of Web Applications. IEEE International Symposium on Software Reliability Engineering, November 2004 6 November 2020 Jeff Offutt of 30

  7. Simple example web page User Name: Age: Version to purchase: Small Medium Large $150 $250 $500 November 2020 Jeff Offutt 7 of 30

  8. Proper behavior Invalid data, please correct … User Name: Age: Alan<Turing 500 Username should Age should be be plain text only. between 18 and 150. Version to purchase: Small Medium Large $150 $250 $500 November 2020 Jeff Offutt 8 of 30

  9. Abbreviated HTML <form> <input type=“text” name=“username” size=20> <input type=“text” name=“age” size=3 maxlength=3> <p> Version to purchase: … <input type=“radio” name=“version” value=“150” Checked> <input type=“radio” name=“version” value=“250”> <input type=“radio” name=“version” value=“500”> <input type="submit" onClick="return checkInfo(this.form)"> <input type=“hidden” isLoggedIn=“no”> </form> November 2020 Jeff Offutt 9 of 30

  10. Bypass behavior Extremely loose coupling … combined with the stateless protocol … allows users to easily bypass client-side checking Users can save and modify the HTML November 2020 Jeff Offutt 10 of 30

  11. Saved & modified HTML <form> <input type=“text” name=“username” size=20> <input type=“text” name=“age” size=3 maxlength=3> Allows an input with arbitrary age, <p> Version to purchase: no checking, cost=$25 … … ‘<‘ can crash an XML parser <input type=“radio” name=“version” value=“150” Checked> Text fields can have SQL statements <input type=“radio” name=“version” value=“250”> <input type=“radio” name=“version” value=“500”> 25 <input type="submit" onClick="return checkInfo(this.form)"> yes <input type=“hidden” isLoggedIn=“no”> </form> November 2020 Jeff Offutt 11 of 30

  12. In-class exercise 1 Saved and modified HTML Open the HTML file: https://cs.gmu.edu/~offutt/calculate.html 1. Save it to your computer: i. <ctrl>-u in your browser ii. Copy and paste to your local computer 2. Open the HTML file in your computer 3. Identify elements that could be “bypassed” November 2020 Jeff Offutt 12 of 30

  13. Applying bypass testing Validating input data on the client is like asking your opponent to hold your shield in a sword fight • Analyze HTML to extract form elements • Model constraints imposed by HTML and JavaScript • Rules for data generation : – From client-side constraints – Typical security violations – Common input mistakes November 2020 Jeff Offutt 13 of 30

  14. Client-side constraint rules Violate size restrictions on strings Introduce values not included in static choices • Radio boxes • Select (drop-down) lists Violate hard-coded values Use values that JavaScripts flag as errors Change “transfer mode” (get, post, …) Change destination URLs November 2020 Jeff Offutt 14 of 30

  15. Server-side constraint rules Data type conversion Data format validation Inter-field constraint validation Inter-request data fields (cookies, hidden) November 2020 Jeff Offutt 15 of 30

  16. Example security violation rules Potential Illegal Character Symbol Empty String Commas , Single and double quotes ’ or ” Tag symbols Tag symbols < and > Directory paths .. ../ Strings starting with forward slash / Strings starting with a period . Ampersands & Control character NIL, newline Characters with high bit set 254 and 255 Script symbols < javascript > or < vbscript > November 2020 Jeff Offutt 16 of 30

  17. In-class exercise 2 What can happen? Run this program: https://cs.gmu.edu:8443/offutt/jsp/gradecalculate.jsp Look at the source (<ctrl>-u) and identify client-side validation rules November 2020 Jeff Offutt 17 of 30

  18. Research validation of bypass testing • Autobypass : A web application that accepts a URL and generates input data for the HTML form fields – Also accepts any needed login data – MS thesis by Vasileios Papadimitriou • Built on top of HttpUnit (which extends JUnit) – Parses HMTL pages – Identifies formsand their fields – Creates bypass test cases – Submitstest cases to the application’s server Generate Parse Set default Review test vases interface values results & run tests November 2020 Jeff Offutt 18 of 30

  19. Types of client input validation • Client side input validation is performed by HTML form controls, their attributes, and client side scripts • Validation types are categorized as HTML and scripting – HTML supports syntactic validation – Client scripting can perform both syntactic and semantic validation HTML constraints Scripting constraints • Length (max input characters) • Data Type (e.g. integer check) • Value (preset values) • Data Format (e.g. ZIP code format) • Transfer Mode (GET or POST) • Data Value (e.g. age value range) • Field Element (preset fields) • Inter-Value (e.g. credit # + exp. date) • Target URL (links with values) • Invalid Characters (e.g. <,../,&) November 2020 Jeff Offutt 19 of 30

  20. Example interface: yahoo registration form Preset Transfer Mode Preset Values (HTML) in form definition (HTML) Limited Length (HTML) URL with preset Values (HTML) Inter Value validation (script) Preset number of Fields Data Value , Type , & Format (HTML) validation (script) November 2020 Jeff Offutt 20 of 30

  21. Real-world examples atutor.ca nytimes.com bankofamerica.com Atalker Us-markets ATM locator, Site search demo.joomla.or mutex.gmu.edu comcast.com Login form Poll, Users Service availability phpMyAdmin yahoo.com ecost.com Main page, Notepad, Composer, Detail submit, Set Theme, Search reminder, Shopping cart control Weather Search SQL Query, google.com DB Stats barnesandnoble.com Froogle, Language tools brainbench.com Cart manager, Pure black-box testing pageflakes.com Book search/results Submit Request means Info, New user Registration amazon.com no source (or permission) needed myspace.com wellsfargolife.com Item dispatch, Events & Music Quote search Handle buy Search November 2020 Jeff Offutt 21 of 30

  22. Results v J Offutt, V Papadimitriou, and U Praphamontripong. A Case Study on Bypass Testing of Web Applications. Empirical Software Engineering, 19(1):69-104, February 2014 November 2020 Jeff Offutt 22 of 30

  23. In-class exercise 3 Construct bypass tests for gradeCalculate Encode your tests using URL rewriting Example valid test, 2 courses courseCount=2 courseName1=C1 courseName2=C2 courseGrade1=A courseGrade2=B courseCredit1=3 courseCredit2=3 Expected output: GPA=3.5 https://cs.gmu.edu:8443/offutt/jsp/gradecalculate.jsp?courseCount= 2&courseName1=xx&courseGrade1=A&courseCredit1=3&courseNam e2=yy&courseGrade2=B&courseCredit2=3 November 2020 Jeff Offutt 23 of 30

  24. Industrial case study • Inventionsfrom scientists are slow to move into industrial practice • We investigated whether the obstacles are : – Technical difficulties of applying to industrial use – Social barriers – Businessconstraints • Applied bypass testing through the research arm of a software company November 2020 Jeff Offutt 24 of 30

Recommend

Web testing Image by C Watts What is web testing? Testing web applications Applications of which

Web testing Image by C Watts What is web testing? Testing web applications Applications of which

Web testing Image by C Watts What is web testing? Testing web applications Applications of which the client runs in a web browser In this lecture on web testing What to test How to test it What to test Back end Front end HTTP (server)

356 views • 31 slides
Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions

Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions

Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions Squerryes has been asked by WTC to review feasibility of bypass. It is at a very early stage. Bypass has been on the agenda for circa 40 plus

97 views • 8 slides
Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001

Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001

Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001 One-anastomosis gastric bypass (OAGB) Garcia-Caballero in 2004 Single-anastomosis gastric bypass (SAGB) Lee 2014 Omega loop

814 views • 48 slides
Web Applications Testing Automated testing and JP Galeotti, Alessandra Gorla verification

Web Applications Testing Automated testing and JP Galeotti, Alessandra Gorla verification

Web Applications Testing Automated testing and JP Galeotti, Alessandra Gorla verification Thursday, January 31, 13 Why are Web applications different Web 1.0: Static content Client and Server side execution Different components and

442 views • 33 slides
US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental

US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental

US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental Assessment Public Meeting Public Meeting March 14, 2013 US 81 Bypass Environmental Assessment Introductions ODOT FHWA SAIC US 81 Bypass

964 views • 48 slides
WELCOME BERRY BYPASS COMMUNITY MEETING 6 DECEMBER 2011 Berry bypass RMS Steve Zhivanovich

WELCOME BERRY BYPASS COMMUNITY MEETING 6 DECEMBER 2011 Berry bypass RMS Steve Zhivanovich

Berry bypass WELCOME BERRY BYPASS COMMUNITY MEETING 6 DECEMBER 2011 Berry bypass RMS Steve Zhivanovich Project director Ron de Rooy Project manager Carla Brookes Project communications Michael Sheridan Design Joy Duncan

372 views • 24 slides
Worksite Visit 9 November 2018 SA TRBA Bypass of Couvin Video TRBA Bypass of Couvin SA

Worksite Visit 9 November 2018 SA TRBA Bypass of Couvin Video TRBA Bypass of Couvin SA

Countournement de Couvin Worksite Visit 9 November 2018 SA TRBA Bypass of Couvin Video TRBA Bypass of Couvin SA TRBA Bypass of Couvin 2 nd phase Section between La Platinerie and French border (5100 13700) 200

243 views • 23 slides
TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript Called Testing JS but really about embracing the front end Classic JS meme about &quot;this&quot; This tweet could have ended half way through and

844 views • 45 slides
Turbine Bypass System ISO 9001 Certified E n g i n e e r e d S o l u t i o n s

Turbine Bypass System ISO 9001 Certified E n g i n e e r e d S o l u t i o n s

Turbine Bypass System ISO 9001 Certified E n g i n e e r e d S o l u t i o n s Valvtechnologies, Inc. Turbine Bypass System STAY ON-LINE The steam turbine bypass system will allow the operator to keep the gas turbine and the heat recovery

203 views • 4 slides
Towards Regression Testing for Database Applications Gregory M. Kapfhammer Department of

Towards Regression Testing for Database Applications Gregory M. Kapfhammer Department of

Introduction to Database Applications Database-Aware Test Coverage Monitoring Regression Testing Experimental Study Future Work and Conclusions Towards Regression Testing for Database Applications Gregory M. Kapfhammer Department of

475 views • 23 slides
Mod 670R Avoiding inefficient bypass Idea 3: Cost reflective bypass avoidance charge Basis

Mod 670R Avoiding inefficient bypass Idea 3: Cost reflective bypass avoidance charge Basis

Mod 670R Avoiding inefficient bypass Idea 3: Cost reflective bypass avoidance charge Basis of idea The following elements have been considered in creating the idea Creation of a capacity based charge for relevant routes Based on a

110 views • 9 slides
Albion Park Rail bypass Albion Park Rail bypass Agenda Agenda Welcome and introductions

Albion Park Rail bypass Albion Park Rail bypass Agenda Agenda Welcome and introductions

Albion Park Rail bypass Albion Park Rail bypass Agenda Agenda Welcome and introductions Role of the Role of the group and Terms of Reference gro p and T erms o f Reference Project up pdate Floodplain updates from council

786 views • 14 slides
CSSE 220 Unit Testing GUI Applications Checkout TicTacToeTesting project from SVN Questions Why

CSSE 220 Unit Testing GUI Applications Checkout TicTacToeTesting project from SVN Questions Why

CSSE 220 Unit Testing GUI Applications Checkout TicTacToeTesting project from SVN Questions Why do software engineers do unit testing? UNIT TESTING REVIEW Why do unit testing? Get code right Keep code right as changes are made

332 views • 10 slides
Conquering the Testing Challenges of Serverless Applications

Conquering the Testing Challenges of Serverless Applications

W2 DevOps &amp; The Cloud Wednesday, October 2nd, 2019 11:30 AM Conquering the Testing Challenges of Serverless Applications Presented by: Peter Varhol

495 views • 31 slides
Software Engineering Large Practical: Testing Android applications Stephen Gilmore School of

Software Engineering Large Practical: Testing Android applications Stephen Gilmore School of

Software Engineering Large Practical: Testing Android applications Stephen Gilmore School of Informatics Wednesday 1 st November, 2017 Contents 1. Software testing 2. Recording user interface tests 3. Running tests 1 Software testing

521 views • 30 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Berry bypass review Q &amp; A presentation 3 July 2012 Community Q &amp; A session # 5 Welcome

Berry bypass review Q &amp; A presentation 3 July 2012 Community Q &amp; A session # 5 Welcome

Foxground and Berry bypass Berry bypass review Q &amp; A presentation 3 July 2012 Community Q &amp; A session # 5 Welcome Who is here? Chair, Lucy Cole-Edelstein, Straight Talk Gareth Ward, Member for Kiama Q &amp; A presentation 3 July 2012

442 views • 31 slides
Georgetown Bypass Sound Attenuation Solutions September 22, 2011 The Purpose of Todays

Georgetown Bypass Sound Attenuation Solutions September 22, 2011 The Purpose of Todays

Georgetown Bypass Sound Attenuation Solutions September 22, 2011 The Purpose of Todays Meeting To discuss the results of the March 10 meeting. To offer concept solutions based on the comments received. General Bypass Alignment

517 views • 17 slides
Kalispell Bypass (US 93 Alternate) Information Meeting June 18, 2014 Presentation

Kalispell Bypass (US 93 Alternate) Information Meeting June 18, 2014 Presentation

Kalispell Bypass (US 93 Alternate) Information Meeting June 18, 2014 Presentation Introductions Purpose of Meeting Construction Three Mile Drive: 2014 - 2015 Remaining Bypass: 2015 - 2017 Parkridge Drive Closure Noise Walls Questions

236 views • 11 slides
LC/MS/MS and GC/MS Applications in Testing Illicit Substances Substances Dr. Darcie Wallace

LC/MS/MS and GC/MS Applications in Testing Illicit Substances Substances Dr. Darcie Wallace

LC/MS/MS and GC/MS Applications in Testing Illicit Substances Substances Dr. Darcie Wallace Duckworth Assistant Director of Training Aegis Sciences Corporation March 17, 2009 What is forensic toxicology? ABFT defines as the study and

459 views • 44 slides
Settlement Meter Data Applications Working Group (SE-113) Test Approach Teleconference February

Settlement Meter Data Applications Working Group (SE-113) Test Approach Teleconference February

Settlement Meter Data Applications Working Group (SE-113) Test Approach Teleconference February 19, 2014 Agenda Approach and Timing Overview Vendor Testing IESO Testing Market Participant Readiness Testing Discussion

304 views • 9 slides
Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19,

Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19,

Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19, Washington DC, USA Feb. 17, 2019 Concolic Testing Symbolic Execution Concrete Execution It Is Popular Programming languages: Binary machine

769 views • 37 slides
Statistics for Applications Chapter 6: Testing goodness of fit 1/25 Goodness of fit

Statistics for Applications Chapter 6: Testing goodness of fit 1/25 Goodness of fit

Statistics for Applications Chapter 6: Testing goodness of fit 1/25 Goodness of fit tests Let X be a r.v. Given i.i.d copies of X we want to answer the following types of questions: Does X have distribution N (0 , 1) ?

631 views • 24 slides
ECE 3574: Applied Software Design Integration Testing Today we will take a look at integration

ECE 3574: Applied Software Design Integration Testing Today we will take a look at integration

ECE 3574: Applied Software Design Integration Testing Today we will take a look at integration testing and QtTest. Techniques for testing command-line applications GUI Testing using QtTest Examples Exercise Recall our discussion

360 views • 16 slides

More recommend