Perturbation-based User-Input-Validation Testing of Web Applications

PROJECT SUMMARY

User-Input Validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.

PEOPLE

Faculty

Tao Xie (Principal Investigator)

Students

Nuo Li (PhD Student)

Collaborators

Maozhong Jin and Chao Liu (Beihang University, China)

SURVEY OF INPUT FIELDS IN 50 WEBSITES

We performed a manual analysis on descriptive text for 462 input fields among 50 popular websites to observe whether it is feasible to get an input field’s description text based on capturing their surrounding text, whether it is feasible to associate description text to a key word, and whether it is feasible to get a regular expression for an input field. The detailed analysis results can be found here.