Sensitive Paths Oriented Automatic Test Cases Generation For Web Applications Based On Client EFSM

Currently,more than 90%of web applications are vulnerable to attack.Once a web application becomes invalid or fails,it will seriously threaten the data security of the web application and even cause economic loss.Therefore,how to improve the quality and reliability of Web applications and reduce software security vulnerabilities has become a research issue that many scholars and software practitioners attach great importance to.Test case generation is a very important technique in web application testing.However,most existing studies focus on how to generate test cases from client-side or server-side to detect vulnerabilities,regardless of the connection between client and server.Those approaches are easy to have insufficient testing problems,because a bug in a web application may exist in the client-side,server-side or both.If we can takes both the client and the server into account,it can better detect the failure in the web application.Therefore,in this paper,we propose a test cases generation approach that considers client and server side simultaneously for web applications.This method uses the vulnerable sensitive path of the server-side as the coverage target,the coverage information of the sensitive path is used as the entry point for the combination of the client and the server,the Memetic evolution algorithm is used to guide the automatic test cases generation of the client EFSM model.In addition,in order to solve the problem that the abstract test cases generated by the model can't be directly executed,this paper proposes a Selenium-based automatic test script construction method.The method analyzes the features of all transitions on the EFSM model to cluster the transitions and combines Selenium's grammar specification and mapping rules Then the method transforms each type of transitions into executable test scripts and forms a transition script library to support test case generation.In order to evaluate the effectiveness and efficiency of the proposed method,five PHP Web applications were selected as the tested objects for a series of experiments.The experimental results show that selenium-based automated test script generation method can effectively make the abstract test cases from model executable.And the client-side EFSM model based approach can generate test cases to cover sensitive paths automatically.