Effective Testing of Web Services Using Client-side Information
Publication Date: 2012-Oct-17
The IP.com Prior Art Database
The approach of this disclosure is based on a static analysis of the client-side programs that use a given web method to derive constraints on parameter values, and on creating functional tests from this parameter analysis. What makes this approach promising is the prevalent concept of client-side validation: the client-side code often runs checks on user-supplied input parameters to ensure that the calls it launches are eligible.
Automated black-box testing of web services for functional problems (e.g., security vulnerabilities) is a tough challenge. This is primarily because the scanning tool doesn't have access to the internals of the web service, and thus it's not clear which input payloads the tool should choose when invoking the web service. This disclosure proposes a method for inferring constraints on the input parameters of a web method, such that the method can be tested effectively for functional issues. Assuming that client-side code using the web method is available to the tool, we propose to apply static analysis to the client-side programs using that web method to derive constraints on parameter values. What makes this approach promising is the prevalent concept of client-side validation: the client-side code often runs checks on user-supplied input parameters to ensure that the calls it launches are eligible.
Our approach is predicated on the assumption that the scanning tool has access to client-side code that uses the web service:
· If the web service is scanned as part of a web application that consumes its services, then client-side code from the web application meets this assumption.
· Otherwise, it may be possible to find such code using specialized search engines, such as Koders.
Input:
o Web service s
o Web method m belonging to s
Output:
o Constraints on parameters of m
1. Find client-side code accessing m (e.g., by scanning the code of a web application using s and/or by searching through online code repositories).
2. If no such call is found, then default to standard heuristics for generating constraints, such as using the parameter types in s's WSDL file.
3. Otherwise, for each client-side call c to m, use static analysis to find which validation steps may be performed as part of the call. One way of doing this is by identifying validation functions within the HTML and checking for data dependencies between each of the validators and the parameters used in c.
It needs to be emphasized that client-side validators often use standard framework-based (micro-)validators and/or regular-expression matching on user inputs, and can thus be detected with relative ease.
4. Let v be a validator that was found to govern c (in the previous step). Use v to discover constraints on the parameters in c by applying static analysis to v:
a. For regular expressions constraining parameters of type string, derive the regular exp...
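As an added illustration of steps 1 through 4 (not part of the disclosure, and not the code of any real scanner), the following JavaScript runs the procedure over a constructed client-side snippet: it locates the call to web method registerUser of service ws, finds the validator that governs each argument, extracts the regular expression and any numeric bound as constraints, and turns those constraints into accept/reject test payloads. The snippet, the service and method names, the seed values and all helper names are assumptions made for this example, and the "static analysis" is text-based pattern matching rather than a real data-dependency analysis.

```javascript
'use strict';

// Constructed client-side snippet (hypothetical; not taken from any real application).
// Two regex validators guard user inputs before web method registerUser of service ws is called.
const CLIENT_SOURCE = `
function validateEmail(v) { return /^[^@\\s]+@[^@\\s]+\\.[a-z]{2,}$/i.test(v); }
function validateAge(v) { return /^[0-9]{1,3}$/.test(v) && Number(v) >= 18; }
function onSubmit() {
  var email = document.getElementById('email').value;
  var age = document.getElementById('age').value;
  if (!validateEmail(email)) { return false; }
  if (!validateAge(age)) { return false; }
  ws.registerUser(email, age);
}
`;

// Split source text into top-level function declarations. Text-based and crude:
// it assumes one declaration per "function NAME(" occurrence, which holds here.
function splitFunctions(src) {
  return src.split(/(?=\bfunction\s+\w+\s*\()/).map(s => s.trim()).filter(Boolean);
}

// Step 3: a validator is a function that applies a regex literal to its own parameter
// via .test(); an optional Number(param) comparison is recorded as a numeric bound.
function extractValidators(src) {
  const validators = {};
  for (const fn of splitFunctions(src)) {
    const head = fn.match(/^function\s+(\w+)\s*\(\s*(\w*)\s*\)/);
    if (!head) continue;
    const [, name, param] = head;
    const re = fn.match(/\/((?:\\.|[^\/\n])+)\/([gimsuy]*)\.test\(\s*(\w+)\s*\)/);
    if (!re || re[3] !== param) continue;
    const bounds = [];
    const boundRe = /Number\(\s*(\w+)\s*\)\s*(>=|<=|>|<)\s*(\d+)/g;
    let m;
    while ((m = boundRe.exec(fn)) !== null) {
      if (m[1] === param) bounds.push({ op: m[2], value: Number(m[3]) });
    }
    validators[name] = { pattern: re[1], flags: re[2], bounds };
  }
  return validators;
}

// Step 1: locate every call to web method `method` of service `service`, keeping
// the argument names and the text of the enclosing client function.
function findCalls(src, service, method) {
  const callRe = new RegExp(`\\b${service}\\.${method}\\(([^)]*)\\)`, 'g');
  const calls = [];
  for (const fn of splitFunctions(src)) {
    let m;
    while ((m = callRe.exec(fn)) !== null) {
      calls.push({ args: m[1].split(',').map(a => a.trim()).filter(Boolean), caller: fn });
    }
  }
  return calls;
}

// Steps 3-4: validator v governs argument a of call c when the caller applies v to a
// before c (a textual stand-in for the data-dependency check the disclosure describes).
function deriveConstraints(src, service, method) {
  const validators = extractValidators(src);
  const constraints = [];
  for (const call of findCalls(src, service, method)) {
    const callPos = call.caller.search(new RegExp(`\\b${service}\\.${method}\\(`));
    const before = call.caller.slice(0, callPos);
    for (const arg of call.args) {
      const v = Object.keys(validators).find(name =>
        new RegExp(`\\b${name}\\(\\s*${arg}\\s*\\)`).test(before));
      constraints.push({ param: arg, validator: v || null,
        ...(v ? validators[v] : { pattern: null, flags: '', bounds: [] }) });
    }
  }
  return constraints;
}

// Evaluate a derived constraint on a candidate payload exactly as the client would.
function satisfies(c, value) {
  if (c.pattern === null) return true;   // no client-side check found: unconstrained
  if (!new RegExp(c.pattern, c.flags).test(value)) return false;
  const n = Number(value);
  return c.bounds.every(b =>
    ({ '>=': n >= b.value, '<=': n <= b.value, '>': n > b.value, '<': n < b.value })[b.op]);
}

// Turn constraints into test payloads: values the client lets through (the service
// should accept them) and values the client blocks (the service must reject them on
// its own, since a direct caller skips the client entirely). Numeric bounds add their
// boundary values; the rest come from a constructed seed pool.
function generateTests(constraints, seedPool) {
  return constraints.map(c => {
    const seeds = [...(seedPool[c.param] || [])];
    for (const b of c.bounds) seeds.push(String(b.value - 1), String(b.value), String(b.value + 1));
    const uniq = [...new Set(seeds)];
    return { param: c.param, validator: c.validator,
      accept: uniq.filter(v => satisfies(c, v)), reject: uniq.filter(v => !satisfies(c, v)) };
  });
}

// Constructed candidate payloads (assumption: any seed corpus would do).
const SEED_POOL = {
  email: ['alice@example.com', 'ALICE@EXAMPLE.ORG', 'not-an-email', 'a@b.c', 'x y@example.com'],
  age: ['42', '999', '1000', '07', 'abc'],
};

const CONSTRAINTS = deriveConstraints(CLIENT_SOURCE, 'ws', 'registerUser');
const TESTS = generateTests(CONSTRAINTS, SEED_POOL);
console.log(JSON.stringify({ constraints: CONSTRAINTS, tests: TESTS }, null, 2));
```

Run with node; the output lists, per parameter, the governing validator, the extracted pattern and bound, and the accept/reject payload sets. The reject set is the security-relevant half: those are inputs the client would never send, so sending them straight to the web method checks whether the service enforces the same constraints itself. A client-side validator is trivially bypassed, so a web method that accepts what its own client refuses is exactly the kind of functional issue this procedure is meant to surface.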