78 research outputs found

    Program analysis to support quality assurance techniques for web applications

    As web applications occupy an increasingly important role in the day-to-day lives of millions of people, testing and analysis techniques that ensure that these applications function with a high level of quality are becoming even more essential. However, many software quality assurance techniques are not directly applicable to modern web applications. Certain characteristics, such as the use of HTTP and generated object programs, can make it difficult to identify software abstractions used by traditional quality assurance techniques. More generally, many of these abstractions are implemented differently in web applications, and the lack of techniques to identify them complicates the application of existing quality assurance techniques to web applications. This dissertation describes the development of program analysis techniques for modern web applications and shows that these techniques can be used to improve quality assurance. The first part of the research focuses on the development of a suite of program analysis techniques that identifies useful abstractions in web applications. The second part of the research evaluates whether these program analysis techniques can be used to successfully adapt traditional quality assurance techniques to web applications, improve existing web application quality assurance techniques, and develop new techniques focused on web application-specific issues. The work in quality assurance techniques focuses on improving three different areas: generating test inputs, verifying interface invocations, and detecting vulnerabilities. The evaluations of the resulting techniques show that the use of the program analyses results in significant improvements in existing quality assurance techniques and facilitates the development of new useful techniques.
    Ph.D. Committee Chair: Orso, Alessandro; Committee Member: Giffin, Jon; Committee Member: Harrold, Mary Jean; Committee Member: Rugaber, Spencer; Committee Member: Tip, Fran

    You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications

    SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing approaches do not support object-oriented programming, which renders these approaches unable to protect real-world web apps such as Wordpress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid static-dynamic analysis for PHP web applications that limits each PHP function for accessing the database. Our tool, SQLBlock, reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that demonstrate the benign functionality of the PHP function. We implement SQLBlock as a plugin for MySQL and PHP. Our approach does not require any modification to the web app. We evaluate SQLBlock on 11 SQLi vulnerabilities in Wordpress, Joomla, Drupal, Magento, and their plugins. We demonstrate that SQLBlock successfully prevents all 11 SQLi exploits with negligible performance overhead (i.e., a maximum of 3% on a heavily-loaded web server).
    Comment: Accepted in ASIACCS 202

    Automated repair of internationalization presentation failures in web pages using style similarity clustering and search-based techniques

    Internationalization enables companies to reach a global audience by adapting their websites to locale specific language and content. However, such translations can often introduce Internationalization Presentation Failures (IPFs) - distortions in the intended appearance of a website. It is challenging for developers to design websites that can inherently adapt to varying lengths of text from different languages. Debugging and repairing IPFs is complicated by the large number of HTML elements and CSS properties that define a web page's appearance. Tool support is also limited as existing techniques can only detect IPFs, with the repair remaining a labor intensive manual task. To address this problem, we propose a search-based technique for automatically repairing IPFs in web applications. Our empirical evaluation showed that our approach was able to successfully resolve 98% of the reported IPFs for 23 real-world web pages. In a user study, participants rated the visual quality of our fixes significantly higher than the unfixed versions

    Security Testing: A Survey

    Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of actual security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarizes the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application

    All the King's Men: Episcopal Political Loyalties in the Merovingian Kingdoms


    Blasphemy in the Christian World: A History


    Body Image and Sexuality Among Latino Youth

    In the U.S., the Latino youth population is large and growing rapidly and many Latino youth are sexually active. These relatively high rates of sexual activity are concerning because Latino boys and girls, compared to other youth, have the lowest rate of contraceptive use and high rates of sexually transmitted infections (STI’s) and teen pregnancy. Thus, the need for greater attention to factors that influence Latino adolescent sexual health such as sexual risk behavior and attitudes is imperative. An understudied area with respect to Latino youth sexual behavior is the role that an adolescent’s perception of his/her body has on sexual risk attitudes and behaviors and the possible moderating role of cultural factors. To address this gap in the literature, this study obtained data from one hundred and fifty Latino adolescents who completed a survey that assessed sexual risk attitudes and intentions, body image, ethnic identity, and acculturation. Results indicated that both weight concerns and shape concerns were marginally positively associated with more positive attitudes towards condoms among females and with less positive attitudes towards condoms among males. Gender did not moderate relations when examining attitudes towards pregnancy and intentions as outcome variables. At lower levels of Anglo acculturation, negative body image was associated with less sexual risk attitudes among females whereas positive body image was associated with higher risk attitudes towards pregnancy among males. At low levels of Mexican Orientation, more positive attitudes towards condoms were associated with negative body image among males. Results indicated that none of the interactions of participant’s ethnic identity score with the three body image variables were significant in predicting sexual risk attitudes or intentions for either females or males. 
    The findings shed light on the role of body image and cultural factors on sexual risk attitudes and intentions among Latino adolescents

    Hunting Application-Level Logical Errors
