
Finding Bugs in Dynamic Web Applications

CSE 6329
Special Topics in
Advanced Software Engineering
Presented By

Md. Monjurul Hasan

Dynamic Web Application

Generates pages (HTML content) on the fly
Content varies by user and user-specified
criteria
Obtained by server-side programming
We can say that all big, well-known web
applications are Dynamic Web Applications

Source: Dynamic Web Application Development using PHP and MySQL,
by Simon Stobart and David Parsons

Web Threats
Web script crashes and malformed
dynamically-generated Web pages impact
usability of Web applications

Current tools for Web-page validation cannot
handle the dynamically-generated pages

Web Script Crash

Missing included file


Call to undefined method
Wrong Database query
Uncaught exceptions

Malformed HTML
HTML that does not conform to the WDG (Web
Design Group) or W3C's (World Wide Web
Consortium) standard
Not using tags defined by W3C (e.g.
<html><table><div>..etc.)
Not maintaining the structure (e.g.
<html><header></header><body> .. </body></html>)
Not using proper opening and matching closing tags
etc.

Web Scripting language can generate HTML

The Problem
Bad scripts creating syntactically-malformed
HTML
Partially displayable or Non-displayable HTML
Browsers attempt to correct crashes
Slower HTML rendering
Discard important information
Trouble indexing correct pages for search engines

Example

More Problems
Dynamic web page testing challenges
HTML validation tools only perform testing of
static pages
Cannot fully capture behavior since not all of the
functionality of the code is found in the HTML result
No automatic validator for scripting languages
that dynamically generate HTML pages
HTML Kit validates every generated page but requires manual
generation of inputs that lead to displaying pages

What this paper presents


Presents an automated technique for finding faults
manifested as Web script crashes or malformed HTML
Extends dynamic test generation to
scripting languages
Identifies the minimal part of the input responsible for
triggering failures
Uses an oracle to determine well-formed HTML
Creates a tool, Apollo, that implements all these in
the context of PHP

Why

Widely used in Web development


Network interactions
Database
HTTP processing

Object oriented
Scripting
21 million domains [1] (75%) are powered
including large websites like Wikipedia,
WordPress, Facebook, Digg etc.

[1] Source: Netcraft, April 2007

Example:

program

SchoolMate.php
Allows school administrators to manage classes
and users, teachers to manage assignments and
grades and students to access their information

Typical URL:
schoolmate.php?page=1&page2=100&login=1&
username=user&password=password

printReportCards.php missing
make_footer() not executed in certain situations: unclosed HTML tag
Generates illegal <j2> tag

Failures in PHP programs


Targets two types of failures
Execution failures
Web Script Crashes

HTML failures
Malformed HTML

Failure-Finding in PHP Applications
Concolic Testing: Dynamic Test Generation Technique
Execute application
1. Initially on empty input
2. Then on additional inputs, obtained by solving
constraints that are derived from control flow paths

Extensions

Validate the correctness of program output by using an oracle
Use isset, isempty, require, etc. to require generation of
constraints absent in other OOPLs
Use a pre-specified set of values for database
authentication
Simulate each user input by transforming source code

Transformation of Code
Interactive HTML pages with buttons and
menus
For each page (h) that contains N buttons
Add additional input parameter p to PHP program
Values range from 1 to N
Switch statement inserted, including the appropriate
PHP source file, depending on p

An example
<?php
// Original login page: prints the heading, then a static HTML form
echo "<h2>Webchess ".$Version." login</h2>";
?>
<form method="post" action="mainmenu.php">
<p>
Nick: <input name="txtNick" type="text" size="15" /><br />
Password: <input name="pwdPassword" type="password" size="15" />
</p>
<p>
<input name="login" value="login" type="submit" />
<input name="newAccount" value="New Account" type="button"
 onClick="window.open('newuser.php', '_self')" />
</p>
</form>

<?php
/* Simulated User Input: the added _btn parameter selects which button was pressed */
switch ($_GET["_btn"]) {
case 1:
  require_once("mainmenu.php");
  break;
case 2:
  require_once("newuser.php");
  break;
}
?>

The Failure Detection Algorithm

parameters: Program P, oracle O
result : Bug reports B;
B : setOf (<failure, setOf (pathConstraint), setOf (input)>)

P ← simulateUserInput(P);
B ← empty;
pcQueue ← emptyQueue();
enqueue(pcQueue, emptyPathConstraint());
while not empty(pcQueue) and not timeExpired() do
    pathConstraint ← dequeue(pcQueue);
    input ← solve(pathConstraint);
    if input ≠ ⊥ then
        output ← executeConcrete(P, input);
        failures ← getFailures(O, output);
        foreach f in failures do
            merge <f, pathConstraint, input> into B;
        c1 ∧ . . . ∧ cn ← executeSymbolic(P, input);
        foreach i = 1, . . . , n do
            newPC ← c1 ∧ . . . ∧ c(i−1) ∧ ¬ci;
            queue(pcQueue, newPC);
return B;
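
The loop above as a runnable sketch, added here as an illustration (it is not code from the paper or from Apollo). Assumptions: `program` is a constructed stand-in for a PHP page with one crash and one unclosed tag, `solve` brute-forces a three-parameter domain instead of calling a constraint solver, `oracle` only checks tag nesting, and only conditions beyond the dequeued constraint are negated so the loop ends without a time budget.

```python
import re
from collections import deque
from itertools import product

def program(inp, trace):  # constructed page; records (condition, predicate, outcome)
    def br(name, pred):
        trace.append((name, pred, pred(inp)))
        return trace[-1][2]
    out = "<html><body>"
    if br("isset(page)", lambda i: "page" in i):
        out += "<h1>Page</h1>"
    elif br("page2 == 1337", lambda i: i.get("page2") == 1337):
        raise FileNotFoundError("printReportCards.php")  # execution failure
    elif br("login == 1", lambda i: i.get("login") == 1):
        return out + "<h1>Login"                         # footer never emitted
    return out + "</body></html>"

def oracle(html):  # simplified oracle: tags must close in the order they were opened
    stack = []
    for close, tag in re.findall(r"<(/?)(\w+)[^>]*>", html):
        if not close:
            stack.append(tag)
        elif not stack or stack.pop() != tag:
            return ["malformed HTML"]
    return ["malformed HTML"] if stack else []

def solve(pc):  # brute-force stand-in for a constraint solver; None = no solution
    names = ("page", "page2", "login")
    cands = ({k: v for k, v in zip(names, vals) if v is not None}
             for vals in product([None, 0], [None, 1337], [None, 1]))
    return next((c for c in cands if all(p(c) == w for _, p, w in pc)), None)

def find_failures():
    bugs, queue = {}, deque([()])        # start from the empty path constraint
    while queue:
        pc = queue.popleft()
        inp, trace = solve(pc), []
        if inp is None:
            continue
        try:
            failures = oracle(program(inp, trace))   # concrete run, then oracle
        except FileNotFoundError as e:
            failures = [f"crash: {e}"]
        for f in failures:
            bugs.setdefault(f, []).append(inp)
        for i in range(len(pc), len(trace)):  # keep prefix, negate condition i
            name, pred, took = trace[i]
            queue.append(tuple(trace[:i]) + ((name, pred, not took),))
    return bugs
```

`find_failures()` starts from the empty input, as the algorithm does, and returns each failure with the inputs that trigger it.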

Example: Execution 1 (Expose Third Fault)

[Animated walk-through of the failure detection algorithm shown above. Annotations recoverable from the slide: the loop condition is true; "sets page = 0"; "HTML validation tool determines output is legal"; path-constraint terms NotSet(page), Set(page), page2 = 1337, login = 1.]
Execution
