Crawling Ajax-Based Web Applications through Dynamic Analysis of User Interface State Changes

Mesbah, Ali; Deursen, Arie van; Lenselink, Stefan

doi:10.1145/2109205.2109208

Cited by 236 publications

(209 citation statements)

References 31 publications

Supporting

Mentioning

205

Contrasting

Unclassified

Order By: Relevance

“…Other related researches focus on the efficient generation of test data, recognition of test interface, and how to determine whether the actual output according with expectations [8,18] . The popular black box testing tools about Web application security testing include IBM AppScan [29] …”

Section: Detection Methods Based On Software Testingmentioning

confidence: 99%

See 1 more Smart Citation

Review of XSS Attack and Detection on Web Applications

Zhao¹,

Wang²,

Ding³

2017

Proceedings of the International Conference on Computer Networks and Communication Technology (CNCT 2016)

View full text Add to dashboard Cite

Abstract. Aiming at the difficulties to prevent Web applications to be maliciously injected which are increased by all kinds of dynamic Web technologies applied, concentrate on XSS attack, this paper reviews the research progresses of Web application injection vulnerabilities detection in recent years. It summarizes the classification and causes of the XSS injection security vulnerabilities, analyzes the complexity of security vulnerabilities detection; then proposes the key technologies of the existing detection approached, including analyzing and identifying the injection points, injection detection by software analysis and testing, symbolic execution, taint analysis; finally presents its future development direction.

show abstract

Section: Detection Methods Based On Software Testingmentioning

confidence: 99%

“…First, users interacting with Web applications in more flexible and dynamic ways [7][8]] also provides attackers many more hidden approaches for illegal operation and attack. Second, browser script sets up many obstacles for attack detection.…”

Section: Introductionmentioning

confidence: 99%

Review of XSS Attack and Detection on Web Applications

Zhao¹,

Wang²,

Ding³

2017

Proceedings of the International Conference on Computer Networks and Communication Technology (CNCT 2016)

View full text Add to dashboard Cite

show abstract

“…Tools such as Artemis [3], Kudzu [28], and CrawlJax [19] perform automated testing, or crawling, typically aiming for achieving high code coverage with various heuristics to guide the exploration and not specifically targeting errors related to nondeterminism. As an example, running Artemis on the five web applications with known bugs mentioned in Section 5.5 with a time budget of one hour per web application detected none of the bugs.…”

Section: Algorithm Domain Comparisonmentioning

confidence: 99%

Stateless model checking of event-driven applications

Jensen

Møller

Raychev

et al. 2015

Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applicatio

View full text Add to dashboard Cite

Modern event-driven applications, such as, web pages and mobile apps, rely on asynchrony to ensure smooth end-user experience. Unfortunately, even though these applications are executed by a single event-loop thread, they can still exhibit nondeterministic behaviors depending on the execution order of interfering asynchronous events. As in classic shared-memory concurrency, this nondeterminism makes it challenging to discover errors that manifest only in specific schedules of events.In this work we propose the first stateless model checker for event-driven applications, called R4. Our algorithm systematically explores the nondeterminism in the application and concisely exposes its overall effect, which is useful for bug discovery. The algorithm builds on a combination of three key insights: (i) a dynamic partial order reduction (DPOR) technique for reducing the search space, tailored to the domain of event-driven applications, (ii) conflict-reversal bounding based on a hypothesis that most errors occur with a small number of event reorderings, and (iii) approximate replay of event sequences, which is critical for separating harmless from harmful nondeterminism.We instantiate R4 for the domain of client-side web applications and use it to analyze event interference in a number of real-world programs. The experimental results indicate that the precision and overall exploration capabilities of our system significantly exceed that of existing techniques.

show abstract

“…The JSBench tool [25] uses this strategy to synthesize standalone web benchmarks. Derived inputs may improve the results of state-exploration tools such as Crawljax [17] by providing real, captured input traces.…”

Section: Supporting Behavior Reproduction and Disseminationmentioning

confidence: 99%

Interactive record/replay for web application debugging

Burg

Bailey

et al. 2013

Proceedings of the 26th Annual ACM Symposium on User Interface Software and Technology

113

View full text Add to dashboard Cite

During debugging, a developer must repeatedly and manually reproduce faulty behaviors in order to inspect different facets of the program's execution. Existing tools for reproducing such behaviors prevent the use of debugging aids such as breakpoints and logging, and are not designed for interactive, random-access exploration of recorded behavior. This paper presents Timelapse, a tool for quickly recording, reproducing, and debugging interactive behaviors in web applications. Developers can use Timelapse to browse, visualize, and seek within recorded program executions while simultaneously using familiar debugging tools such as breakpoints and logging. Testers and end-users can use Timelapse to demonstrate failures in situ and share recorded behaviors with developers, improving bug report quality by obviating the need for detailed reproduction steps. Timelapse is built on Dolos, a novel record/replay infrastructure that ensures deterministic execution by capturing and reusing program inputs both from the user and from external sources such as the network. Dolos introduces negligible overhead and does not interfere with breakpoints and logging. In a small user evaluation, participants used Timelapse to accelerate existing reproduction activities, but were not significantly faster or more successful in completing the larger tasks at hand. Together, the Dolos infrastructure and Timelapse developer tool support systematic bug reporting and debugging practices.

show abstract

Crawling Ajax-Based Web Applications through Dynamic Analysis of User Interface State Changes

Cited by 236 publications

References 31 publications

Review of XSS Attack and Detection on Web Applications

Review of XSS Attack and Detection on Web Applications

Stateless model checking of event-driven applications

Interactive record/replay for web application debugging

Contact Info

Product

Resources

About