
Automated Identification of Parameter Mismatches in Web Applications

William G.J. Halfond and Alessandro Orso, Georgia Institute of Technology


Presentation Transcript


  1. Automated Identification of Parameter Mismatches in Web Applications. William G.J. Halfond and Alessandro Orso, Georgia Institute of Technology.

  2. Example Web Application. End users talk to the web server: the initial visit returns searchpage.jsp, whose form submits to dosearch.jsp, e.g. http://host/dosearch.jsp?search=bagels&business=bakery, which returns the search results.

  3. Generating Invocations: searchpage.jsp

     void service(Request req) {
       print("<html><body><h1>Business Search</h1>");
       print("<form method=GET action=dosearch.jsp>");
       print("<input type=text name=search><br>");
       if (conf.searchPref.equals("zip")) {
         print("<font color=black>Zip:</font>");
         print("<input type=text name=zip><br>");
       } else if (conf.searchPref.equals("type")) {
         printTypes("business");
       } else {
         print("<font color=black>City:</font>");
         print("<input type=text name=city><br>");
         print("<font color=black>State:</font>");
         print("<input type=text name=state><br>");
       }
       print("<input type=hidden name=searchPref value=" + conf.searchPref + ">");
       print("<input name=Submit type=submit>");
       print("</form></body></html>");
     }

  4. Receiving Invocations: dosearch.jsp

     void service(Request req) {
       String dbQuery = "select businesses from db where ";
       String search = req.getParameter("search");
       dbQuery += "name like '" + search + "' ";
       String searchType = req.getParameter("searchPref");
       if (searchType.equals("zip")) {
         String zip = req.getParameter("zip");
         dbQuery += "zip=" + zip;
       } else if (searchType.equals("type")) {
         String type = req.getParameter("busines");   // misspelled parameter name (see slide 5)
         dbQuery += "type=" + type;
       } else {
         String state = req.getParameter("state");
         dbQuery += "state=" + state;
       }
       ResultSet results = execute(dbQuery);
       print(results);
     }

     Accepted interfaces of dosearch.jsp, one per path:
     • search, searchpref, zip
     • search, searchpref, busines
     • search, searchpref, state

  5. Web Application Errors in Example Servlets

     Interfaces (dosearch.jsp)        Invocations (searchpage.jsp)
     search, searchpref, zip          search, searchpref, zip
     search, searchpref, busines      search, searchpref, business          Error #1: Misspelling
     search, searchpref, state        search, searchpref, city, state       Error #2: Ignored parameter

  6. Current Approaches
     • Compilers
     • HTML validators
     • Developer specification
     • Manual inspection
     • Traditional testing

  7. Our Approach
     • Identify accepted interfaces
     • Identify interface invocations
     • Verify invocations against accepted interfaces

  8. Step 1: Identify Accepted Interfaces. The web application (HTML and servlets) is fed to WAM (Interface Discovery) [FSE 2007], which outputs the accepted interfaces.

  9. Step 2: Identify Interface Invocations
     1. Direct, via API calls:
        String urlString = "dosearch.jsp?search=bagels";
        URLConnection url = new URLConnection();
        InputStream response = url.open(urlString);
     2. Indirect, via the user's client

  10. Direct Invocations
     String urlString = "dosearch.jsp?search=bagels";
     URLConnection url = new URLConnection();
     InputStream response = url.open(urlString);
     • Scan code to find direct invocation API calls
     • Identify the parameter containing the invocation
     • Perform string analysis on that parameter
     • Parse the resulting URL strings

  11. Indirect Invocations: Overview. The analysis takes the web application (HTML and servlets) and outputs the indirect interface invocations. For each servlet and each method m:
     • Identify the HTML content of each output statement
     • Group content along a path into HTML fragments
     • Intermediate parsing of HTML fragments
     • Add the HTML fragment to m's summary
     • Combine summaries up to the root method

  12. Indirect Invocations: Example

     void printTypes(String name) {
       print("<select name=" + name + ">");
       String[] optValues = { "Jewelry", "Bakery", "Restaurant" };
       for (String opt : optValues) {
         print("<option value=" + opt + ">" + opt + "</option>");
       }
       print("</select><br>");
     }

     HTML fragment for method printTypes (the 1 is a placeholder for the parameter name, filled in when summaries are combined):
     <select name=1>
       <option value=Jewelry>Jewelry</option>
       <option value=Bakery>Bakery</option>
       <option value=Restaurant>Restaurant</option>
     </select>
     <br>

  13. Indirect Invocations: Example. The service method of searchpage.jsp (slide 3) yields one HTML fragment per path:

     Path zip:
     <html><body>
     <h1>Business Search</h1>
     <form method=GET action=dosearch.jsp>
     <font color=black>Search terms:</font>
     <input type=text name=search>
     <font color=black>Zip:</font>
     <input type=text name=zip>
     <input type=hidden name=searchPref value=zip>
     <input name=Submit type=submit>
     </form>
     </body></html>

     Path type:
     <html><body>
     <h1>Business Search</h1>
     <form method=GET action=dosearch.jsp>
     <font color=black>Search terms:</font>
     <input type=text name=search>
     <font color=black>Type:</font>
     <select name=business>
       <option value=Bakery>Bakery</option>
       <option value=Jewelry>Jewelry</option>
       <option value=Restaurant>Restaurant</option>
     </select>
     <br>
     <input type=hidden name=searchPref value=zip>
     <input name=Submit type=submit>
     </form>
     </body></html>

     Path city/state:
     <html><body>
     <h1>Business Search</h1>
     <form method=GET action=dosearch.jsp>
     <font color=black>Search terms:</font>
     <input type=text name=search>
     <font color=black>City:</font>
     <input type=text name=city>
     <font color=black>State:</font>
     <input type=text name=state>
     <br>
     <input type=hidden name=searchPref value=zip>
     <input name=Submit type=submit>
     </form>
     </body></html>

  14. Step 3: Verification. For each invocation, verify that its target has a matching interface.

     Accepted interfaces of dosearch.jsp:
     • search, searchpref, zip
     • search, searchpref, busines
     • search, searchpref, state

     Interface invocations:
     • search, searchpref, zip
     • search, searchpref, city, state
     • search, searchpref, business
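A toy end-to-end check for Steps 1 to 3 (slides 8 to 14), added here as an example and not code from the original presentation or from the WAIVE tool. The accepted interfaces of dosearch.jsp are hard-coded from slide 5 (the paper obtains them with WAM), three constructed HTML fragments stand in for the output of the indirect-invocation analysis, and the rule that labels an unread parameter as a misspelling or an ignored parameter (a string-similarity threshold) is my assumption, not the paper's.

```python
from html.parser import HTMLParser
from difflib import SequenceMatcher

# Step 1 output, constructed from slide 5: one accepted parameter set per path of dosearch.jsp.
ACCEPTED = {"dosearch.jsp": [{"search", "searchPref", "zip"},
                             {"search", "searchPref", "busines"},  # the servlet's typo
                             {"search", "searchPref", "state"}]}

class FormExtractor(HTMLParser):
    # Step 2: record (action, names sent) for every form found in the HTML fragments.
    def __init__(self):
        super().__init__()
        self.invocations = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.invocations.append((a.get("action", ""), set()))
        elif self.invocations and tag in ("input", "select", "textarea") and "name" in a:
            if a.get("type") != "submit":  # the slides' invocation lists omit the button
                self.invocations[-1][1].add(a["name"])

def verify(invocations, accepted):
    # Step 3: flag each invocation whose target has no interface with exactly its names.
    report = []
    for action, sent in invocations:
        interfaces = accepted.get(action, [])
        if any(sent == iface for iface in interfaces):
            continue
        readable = set().union(*interfaces)  # names the target reads on at least one path
        for name in sorted(sent - readable):
            # Assumed heuristic: a close unsent name means a misspelling, otherwise the target ignores it.
            near = [q for q in readable - sent if SequenceMatcher(None, name, q).ratio() > 0.8]
            report.append((action, name, f"misspelling of {near[0]}" if near else "ignored parameter"))
    return report

# Constructed fragments, one per path of searchpage.jsp, as on slide 13.
FRAGMENTS = [
    '<form action=dosearch.jsp><input name=search><input name=zip>'
    '<input type=hidden name=searchPref value=zip><input name=Submit type=submit></form>',
    '<form action=dosearch.jsp><input name=search><select name=business>'
    '<option value=Bakery>Bakery</option></select><input type=hidden name=searchPref value=type></form>',
    '<form action=dosearch.jsp><input name=search><input name=city><input name=state>'
    '<input type=hidden name=searchPref value=city><input name=Submit type=submit></form>',
]

def check_example():
    parser = FormExtractor()
    for fragment in FRAGMENTS:
        parser.feed(fragment)
    return verify(parser.invocations, ACCEPTED)
```

check_example() reports the two errors of slide 5: business is a misspelling of busines, and city is an ignored parameter; the zip invocation matches an interface exactly and is not reported.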

  15. Empirical Evaluation. Research questions:
     • How efficient is our analysis when run on real web applications?
     • What percentage of the reported parameter mismatches represent actual errors in the web applications?

  16. Tool Implementation
     • Written in Java
     • Accepted interfaces => WAM
     • Interface invocations => leveraged Soot, JSA, HTML Parser
     • Targets Java Enterprise Edition (JEE)
     • Analyzes bytecode and outputs mismatches

  17. Subject Applications
     • Applications available via SourceForge and GotoCode
     • Mix of commercial and open-source development

  18. RQ1: Efficiency
     • Overall time ranges from 10 minutes to 5 hours
     • 50-80% of the time is spent building the call graph
     • Manual inspection of four servlets took 12 hours

  19. RQ2: Precision
     • Ran WAIVE on four subject applications
     • Manually inspected each reported parameter mismatch
     • Classified each mismatch as an actual error or a false positive, and according to its root cause

  20. Errors Identified
     • Effect of errors varied widely, but all caused significant problems
     • Underlying human error ranged from mistyping to complex logic errors

  21. False Positives
     • Dominant root causes addressable by engineering
     • WAM precision can be significantly improved

  22. Summary and Future Work
     • Technique to identify parameter mismatches
     • Implemented in prototype tool, WAIVE
     • Evaluation: identified 151 mismatches, only 18 false positives
     • Future work: expand verification to include type checking

  23. Thank You. William G.J. Halfond, Georgia Tech, whalfond@cc.gatech.edu
