Dynamic model extraction and statistical analysis of Web applications

Tonella, Paolo; Ricca, Filippo

doi:10.1109/wse.2002.1134088

Cited by 53 publications

(44 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Existing work on the application of static analysis to web applications focuses on modeling applications, and especially on building navigation models. Bordbar and Anastasakis [4], for example, model a user's interaction with a web application using UML, and perform bounded verification of properties of that interaction by translating the UML model into Alloy using UML2Alloy; other approaches ( [22,34,29]) perform similar tasks but provide less automation. Nijjar and Bultan [27] translate Rails data models into Alloy to find inconsistencies, but do not examine controller code.…”

Section: Related Workmentioning

confidence: 99%

Finding security bugs in web applications using a catalog of access control patterns

Near

Jackson

2016

Proceedings of the 38th International Conference on Software Engineering

View full text Add to dashboard Cite

We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on Github, Space reported 33 possible bugs-23 previously unknown security bugs, and 10 false positives.

show abstract

Section: Related Workmentioning

confidence: 99%

Finding security bugs in web applications using a catalog of access control patterns

Near

Jackson

2016

Proceedings of the 38th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…Early Web application reverse engineering efforts were mainly focused on architecture reconstruction, e.g., (Hassan and Holt 2002;Ricca and Tonella 2001;Di Lucca et al 2002;Tonella et al 2002;Antoniol et al 2004). Static analysis alone does not suffice because of the dynamic nature of Web applications (Tonella et al 2002;Antoniol et al 2004), so in most cases the static analysis is complemented by dynamic analysis.…”

Section: Dynamic Analysis For Understanding Web Applicationsmentioning

confidence: 99%

“…Static analysis alone does not suffice because of the dynamic nature of Web applications (Tonella et al 2002;Antoniol et al 2004), so in most cases the static analysis is complemented by dynamic analysis. However, many client-side aspects that are common in Ajax applications are not taken into account.…”

Section: Dynamic Analysis For Understanding Web Applicationsmentioning

confidence: 99%

Understanding Ajax applications by connecting client and server-side execution traces

et al. 2012

View full text Add to dashboard Cite

Ajax-enabled Web applications are a new breed of highly interactive, highly dynamic Web applications. Although Ajax allows developers to create rich Web applications, Ajax applications can be difficult to comprehend and thus to maintain. For this reason, we have created FireDetective, a tool that uses dynamic analysis at both the client (browser) and server-side to facilitate the understanding of Ajax applications. We evaluate FireDetective using (1) a pretest-posttest user study and (2) a field user study. Preliminary evidence shows that the FireDetective tool is an effective aid for Web developers striving to understand Ajax applications.

show abstract

“…This model, merely a class diagram, is mainly used for the static analysis of web applications: HTML code inspection and scanning, data flow analysis, and semi automatic test case generation. In [31], the above mentioned modeling technique is extended such that a web application is executed to extract models for dynamic web pages using server's access logs. These logs present limited information on the requests since only the request headers are logged.…”

Section: Related Workmentioning

confidence: 99%

Formal Verification of Web Applications Modeled by Communicating Automata

Haydar

Petrenko

Sahraoui

2004

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper, we present an approach for modeling an existing web application using communicating finite automata model based on the userdefined properties to be validated. We elaborate a method for automatic generation of such a model from a recorded browsing session. The obtained model could then be used to verify properties with a model checker, as well as for regression testing and documentation. Unlike previous attempts, our approach is oriented towards complex multi-window/frame applications. We present an implementation of the approach that uses the model checker Spin and provide an example.

show abstract

Dynamic model extraction and statistical analysis of Web applications

Abstract: The

Cited by 53 publications

References 10 publications

Finding security bugs in web applications using a catalog of access control patterns

Finding security bugs in web applications using a catalog of access control patterns

Understanding Ajax applications by connecting client and server-side execution traces

Formal Verification of Web Applications Modeled by Communicating Automata

Contact Info

Product

Resources

About