
Test Case Generation Based On Client-server Of Web Applications By Memetic Algorithm

Posted on: 2021-01-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W W Wang
Full Text: PDF
GTID: 1368330605972468
Subject: Control Science and Engineering
Abstract/Summary:
With the popularity and rapid development of web technology, web applications have penetrated all fields of social life, providing convenient services for users. However, due to the rapid increase in the number and complexity of web applications, and the vulnerability of the applications themselves and their operating environment, the security of web applications deserves attention on the Internet. Therefore, how to reduce the security threats to web applications and improve their security is a key issue facing current Internet security. Software testing is a widely used security verification technology. However, the characteristics of web applications, such as front-end and back-end separation, asynchronous communication and event-driven execution, make traditional software security testing methods no longer applicable and bring new challenges to web application security testing.

At present, research on web application security testing mainly focuses on model-based testing of client-side web applications and server-side code-oriented testing of web applications. Most model-based testing for client-side web applications takes the state/transition/transition-sequence coverage of the model as the goal of test case generation. But because the server-side code is not considered in model-based testing, the coverage of the server-side code by those test cases is very low. Thus, it is difficult for model-based testing to test server-side security vulnerabilities effectively. In addition, current models of client-side web applications mainly focus on web pages and events, neglecting the relationship between triggering conditions and pages, as well as the changes to parameters or DOM elements caused by user event callbacks or server messages. This makes it difficult for the model to accurately and completely represent the web application, and further hinders automatic test case generation based on the model. Server-side code-oriented web application security testing either improves security by improving server-side code coverage, or attempts to inject malicious data into the server-side code to detect whether there is a vulnerability in the web application. This kind of method does not consider the client-side behavior of web applications, which makes it difficult to analyze and detect complex security issues. In addition, because a web application is an event-driven program, a test case generation method that considers server-side code only needs to construct event sequences manually, which is not conducive to automating test case generation for web applications. Thus, it is imperative to study the generation of web application test cases from both the client and the server. On the other hand, parallel test case generation can make full use of system resources and improve the efficiency of test generation. Therefore, parallel evolutionary generation is an effective way to improve the efficiency of web application test case generation. Moreover, most current malicious data generation methods are based on existing attack vectors/patterns, and their ability to detect new, unknown vulnerabilities is low. Therefore, it is necessary to study malicious data generation for web application vulnerability detection.

Therefore, this paper proposes test case generation based on the client and server of web applications by a memetic algorithm to improve the security of web applications. The contributions of this work are as follows.

(1) The construction and optimization of the client-side behavior model of modern web applications. Model-based testing provides an effective solution for web application testing, but most current behavior models for web applications only focus on event sequences, which makes it difficult to accurately and completely represent the dynamic behavior of web applications. Therefore, this paper defines a new client-side behavior model (CBM) for web applications and puts forward a method of building and optimizing the CBM model based on user behavior traces, in order to solve the representation problem of the web application model and lay a foundation for automatic model-based test case generation.

(2) Test case generation based on client-server of web applications by memetic algorithm. Test case generation plays an important role in web application testing. However, most existing studies focus on generating test cases unilaterally from the client side or the server side to detect vulnerabilities, ignoring the interaction between the client side and the server side. It is difficult for those test cases to effectively analyze and detect complex vulnerabilities. Thus, we propose a client-server based test case generation method for web applications by memetic algorithm. That is, aiming at the vulnerable path in the server-side code of the web application, the memetic search algorithm is used to automatically generate test cases from the client-side behavior model CBM. In addition, because the CBM model is an abstract representation of the client-side behavior of a web application, its test cases cannot directly simulate user operations to drive web application execution. Therefore, to make the test cases generated from CBM executable, this paper designs an automatic test script generation method to realize the automatic transformation from CBM test cases to executable test scripts. The experimental results show that our method can automatically generate test cases from the client-side behavior model CBM that cover the vulnerable path in the server-side code, so as to assist security vulnerability detection for web applications more effectively.

(3) Parallelization of test case generation based on client-server of web applications by memetic algorithm. When the memetic algorithm is applied to the generation of web application test cases, the serial execution of the individuals of a population frequently starts the browser to execute the event sequence of each individual, and the calculation of individual fitness values is also time-consuming, because executing an individual requires simulating the user's operations on the web application in the browser. This makes test case generation time-consuming. To improve the efficiency of test case generation, this paper introduces parallel computing into test case generation based on client-server of web applications by memetic algorithm. Through the design of a thread pool and scheduling logic, the management of multiple browser processes, and the acquisition of server-side vulnerable path coverage, the parallel execution of individuals on multiple browsers and the parallel computation of fitness values are realized. The experimental results show that the parallel test case generation method can make full use of system resources and improve the efficiency of test case generation for web applications.

(4) Malicious data generation for vulnerability detection with the client-side model of web applications. Test case generation based on client-server of web applications by memetic algorithm aims at vulnerable path coverage, so the test cases generated by this method have limited ability to detect vulnerabilities. To further improve the vulnerability detection ability of the test cases, a second stage of malicious data generation is proposed, based on the CBM test cases generated by the memetic algorithm. This malicious data generation method is based on data mining and a genetic algorithm. Specifically, the vulnerability characteristics of the server-side vulnerable path and the characteristics of the malicious data itself are analyzed, the relationship between them is mined, and a vulnerability prediction model is constructed to guide malicious data generation. To ensure the aggressiveness of the malicious data during GA evolution, an attack pattern is designed, which provides the basis for population initialization and genetic operator design. The experimental results show that the vulnerability prediction model can effectively guide the generation of malicious data, and the malicious data generation method can effectively detect web application security vulnerabilities.
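The idea behind contributions (2) and (3), reduced to a runnable toy, as an added illustration that is not part of the dissertation: a small constructed client-side behavior model (CBM) of pages and events, a constructed server-side stand-in whose "vulnerable path" is a set of branches, and a memetic algorithm (one-point crossover followed by a greedy local search on every gene) that evolves executable event sequences until its fitness, the coverage of that path, reaches 1.0. All page, event and branch names are assumptions made for this example; the real work executes individuals in browsers and measures coverage of the actual server code.

```python
import random

CBM = {"home": {"open_login": "login", "open_search": "search"},   # constructed toy CBM:
       "login": {"submit_login": "account", "back": "home"},       # page -> {event: next page}
       "search": {"submit_query": "search", "back": "home"},
       "account": {"update_profile": "account", "logout": "home"}}
EVENTS = sorted({e for evs in CBM.values() for e in evs})
GENES = [(e, p) for e in EVENTS for p in ("a", "x" * 12)]          # (event, input value) pairs
TARGET = {"login", "profile", "profile_long"}                     # constructed vulnerable path

def walk(seq):
    page, executed = "home", []                 # replay the test case on the CBM from "home"
    for ev, val in seq:
        if ev not in CBM[page]: break           # stop at the first event the page lacks
        executed.append((ev, val)); page = CBM[page][ev]
    return executed

def server(seq):
    covered, authed = set(), False              # constructed server-side stand-in
    for ev, val in seq:
        if ev == "submit_login":
            covered.add("login"); authed = True
        elif ev == "update_profile" and authed:  # target branch needs auth plus a long value
            covered |= {"profile"} | ({"profile_long"} if len(val) > 8 else set())
    return covered

def fitness(ind):                               # (vulnerable-path coverage, executable prefix)
    run = walk(ind)
    return len(server(run) & TARGET) / len(TARGET), len(run)

def local_search(ind):                          # memetic step: greedy one-gene hill climb
    for i in range(len(ind)):
        for g in GENES:
            ind = max(ind, ind[:i] + [g] + ind[i + 1:], key=fitness)
    return ind

def evolve(pop_size=20, length=5, gens=40, seed=1):
    rng = random.Random(seed)
    pop = [[rng.choice(GENES) for _ in range(length)] for _ in range(pop_size)]
    for _ in range(gens):
        parents = sorted(pop, key=fitness, reverse=True)[:pop_size // 2]  # truncation selection
        kids = []
        while len(parents) + len(kids) < pop_size:
            a, b = rng.sample(parents, 2)
            cut = rng.randrange(1, length)
            kids.append(local_search(a[:cut] + b[cut:]))   # one-point crossover + local search
        pop = parents + kids
    best = max(pop, key=fitness)
    return walk(best), fitness(best)[0]
```

`evolve()` returns the executable prefix of the best individual together with its path coverage; the secondary fitness term (length of the executable prefix) is what keeps the search on sequences the CBM can actually drive, mirroring the executability requirement the dissertation addresses with script generation.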
Keywords/Search Tags: Web application testing, test case generation, evolutionary algorithms, behavior model, server-side vulnerable path