DOCSLIB.ORG

Model-Based Testing of Web Applications

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Model-Based Testing of Web Applications RADBOUD UNIVERSITY NIJMEGEN MASTER THESIS COMPUTER SCIENCE MODEL-BASED TESTING OF WEB APPLICATIONS 26 May 2015 Author: J.R. Monsma, BSc Radboud University Student No. s4236777 Comeniuslaan 4 6525 HP Nijmegen Internal Supervisor: The Netherlands Dr. ir. G.J. Tretmans Faculty of Science Second Supervisor: Huygens building Dr. G. Gousios Heyendaalseweg 135 6525 AJ Nijmegen External Supervisor The Netherlands Ing. B. Duijs, MSc Abstract Software shifts more and more to the online world. Testing web applications requires documents that specify what their correct behaviour is. Lack of documentation for smaller web application makes testing difficult. In this study, we try to find a solution to test web application based on a model-based testing approach. We use model-based testing for detection failures in web applications, the differences between the behaviours of the System under Test(SUT) and what is expected based on the specification. We have chosen for the model-based testing approach because it automates the testing process, adapts quicker to changes, it is time saving, and less error prone if the system is modelled correctly. Using G∀ST as a model-based testing tool, we generate test cases based on the model of the web application. PhantomJS, a headless browser is used to access a web application. With an adapter, we established the communication with the model-based testing tool and the headless browser. The adapter communicate with sockets to the model-based testing tool and translate received input from the model-based testing tool to useable input for the SUT. To create a generic model that is capable to test different web applications, we assume that every web page is the same, based on its content. Each page can hold links, events, images, and Styling- and JavaScript code. Based on this abstraction we created a small model that is applicable to test many web applications without any changes to the model. This model clicks on links and check for content errors. We extended this model to test forms, based on three options. Testing results show that the model is generic and capable of testing different web application. However, larger applications the amount of pages tested decreases based on the random generation of test cases by G∀ST, pages are tested multiple times instead of testing undiscovered pages. Testing webshop applications, the model requires an extension to test features that occur in a webshop. Results show that the model does not suits itself to test different webshop applications. The checkout phase of a webshop differs and it is hard to model it to a generic solution. However, the functionalities of a webshop stays the same and there we have chosen to allow changes in the model. Testing results show we can add and buy products, but the same problem with hold with generating test cases. Based on testing two web applications with forms and two webshop applications we can say that we can improve quality of web applications with model-based testing. However, the improvement is not enormous. There is improvement required on the test selection by G∀ST. To increase the quality even further more quality characteristics can be used to test on. 1 Acknowledgments I would like to take this opportunity to thank the people that have helped me with this thesis. First, I would like to thank Jan Tretmans and Bard Duijs for their supervision and their clear view and thoughts about this topic. Furthermore, I would like to thank Bard Duijs and Laurens Alers for giving me the opportunity to write this thesis at Bluenotion. It was great to spar with you guys to get fresh new insights. I also want to thank you for giving me the freedom to sail my own course and tackle certain problems I faced. I would also like to thank the developers of Bluention for setting up a test environment and solving some internal problems we faced during testing of the use cases. I appreciated their opinions and insights on the topic and their advice on how to address a certain problem. I would like to thank Pieter Koopman for his help with the Model-based testing tool G∀ST. Lastly, I would like to thank my friends and family, especially for the refreshing coffee breaks and having someone to talk to, and my parents and girlfriend for the pep talks when I needed those. 2 Contents ABSTRACT ........................................................................................................................................................... 1 ACKNOWLEDGMENTS ..................................................................................................................................... 2 1 INTRODUCTION ....................................................................................................................................... 5 1.1 AREA OF ONLINE WEB APPLICATIONS ........................................................................................................... 5 1.2 PROBLEM STATEMENT ..................................................................................................................................... 6 1.3 RESEARCH QUESTIONS ..................................................................................................................................... 7 1.4 RESEARCH CONTEXT......................................................................................................................................... 9 1.5 RESEARCH METHOD ......................................................................................................................................... 9 1.6 THESIS OUTLINE ................................................................................................................................................ 9 2 RELATED WORK ................................................................................................................................... 10 3 BACKGROUND ....................................................................................................................................... 12 3.1 WEB APPLICATIONS ........................................................................................................................................ 12 3.1.1 Forms ...................................................................................................................................................................13 3.2 SOFTWARE TESTING ....................................................................................................................................... 16 3.3 MODEL-BASED TESTING ................................................................................................................................ 18 3.3.1 Modelling languages ....................................................................................................................................18 3.3.2 Labelled Transition System .......................................................................................................................18 3.3.3 Finite State Machine ....................................................................................................................................19 3.3.4 Extended State Machine .............................................................................................................................20 3.4 MODEL-BASED TESTING TOOLS .................................................................................................................... 22 3.4.1 Overview of tools ............................................................................................................................................22 3.4.2 Graphwalker ....................................................................................................................................................22 3.4.3 TorXakis .............................................................................................................................................................23 3.4.4 G∀ST ....................................................................................................................................................................23 3.5 CHOICE OF MODELLING LANGUAGE AND MODEL-BASED TESTING TOOL ............................................... 25 4 TEST ARCHITECTURE ......................................................................................................................... 27 4.1 OVERVIEW OF THE CURRENT SITUATION .................................................................................................... 27 4.2 OVERVIEW OF THE TEST ARCHITECTURE .................................................................................................... 28 4.3 CONTENT MANAGEMENT SYSTEM ............................................................................................................... 30 4.4 THE SYSTEM UNDER TEST ............................................................................................................................ 30 4.4.1 Routing Engine ...............................................................................................................................................30 4.4.2 Application models .......................................................................................................................................32 4.4.3 Views ....................................................................................................................................................................33 4.4.4 Controllers ........................................................................................................................................................33
Load more

Recommended publications
  • Chrome Devtools Protocol (CDP)
    e e c r i è t t s s u i n J i a M l e d Headless Chr me Automation with THE CRRRI PACKAGE Romain Lesur Deputy Head of the Statistical Service Retrouvez-nous sur justice.gouv.fr Web browser A web browser is like a shadow puppet theater Suyash Dwivedi CC BY-SA 4.0 via Wikimedia Commons Ministère crrri package — Headless Automation with p. 2 de la Justice Behind the scenes The puppet masters Mr.Niwat Tantayanusorn, Ph.D. CC BY-SA 4.0 via Wikimedia Commons Ministère crrri package — Headless Automation with p. 3 de la Justice What is a headless browser? Turn off the light: no visual interface Be the stage director… in the dark! Kent Wang from London, United Kingdom CC BY-SA 2.0 via Wikimedia Commons Ministère crrri package — Headless Automation with p. 4 de la Justice Some use cases Responsible web scraping (with JavaScript generated content) Webpages screenshots PDF generation Testing websites (or Shiny apps) Ministère crrri package — Headless Automation with p. 5 de la Justice Related packages {RSelenium} client for Selenium WebDriver, requires a Selenium server Headless browser is an old (Java). topic {webshot}, {webdriver} relies on the abandoned PhantomJS library. {hrbrmstr/htmlunit} uses the HtmlUnit Java library. {hrbrmstr/splashr} uses the Splash python library. {hrbrmstr/decapitated} uses headless Chrome command-line instructions or the Node.js gepetto module (built-on top of the puppeteer Node.js module) Ministère crrri package — Headless Automation with p. 6 de la Justice Headless Chr me Basic tasks can be executed using command-line
    [Show full text]
  • Automated Testing of Your Corporate Website from Multiple Countries with Selenium Contents
    presents Automated Testing of Your Corporate Website from Multiple Countries with Selenium Contents 1. Summary 2. Introduction 3. The Challenges 4. Components of a Solution 5. Steps 6. Working Demo 7. Conclusion 8. Questions & Answers Summary Because of the complexities involved in testing large corporate websites and ecommerce stores from multiple countries, test automation is a must for every web and ecommerce team. Selenium is the most popular, straightforward, and reliable test automation framework with the largest developer community on the market. This white paper details how Selenium can be integrated with a worldwide proxy network to verify website availability, performance, and correctness on a continuous basis. Introduction Modern enterprise web development teams face a number of challenges when they must support access to their website from multiple countries. These challenges include verifying availability, verifying performance, and verifying content correctness on a daily basis. Website content is presented in different languages, website visitors use different browsers and operating systems, and ecommerce carts must comprehend different products and currencies. Because of these complexities involved, instituting automated tests via a test automation framework is the only feasible method of verifying all of these aspects in a repeatable and regular fashion. Why automate tests? Every company tests its products before releasing them to their customers. This process usually involves hiring quality assurance engineers and assigning them to test the product manually before any release. Manual testing is a long process that requires time, attention, and resources in order to validate the products’ quality. The more complex the product is, the more important, complex, and time- consuming the quality assurance process is, and therefore the higher the demand for significant resources.
    [Show full text]
  • Client-Side Diversification for Defending Against
    Everyone is Different: Client-side Diversification for Defending Against Extension Fingerprinting Erik Trickel, Arizona State University; Oleksii Starov, Stony Brook University; Alexandros Kapravelos, North Carolina State University; Nick Nikiforakis, Stony Brook University; Adam Doupé, Arizona State University https://www.usenix.org/conference/usenixsecurity19/presentation/trickel This paper is included in the Proceedings of the 28th USENIX Security Symposium. August 14–16, 2019 • Santa Clara, CA, USA 978-1-939133-06-9 Open access to the Proceedings of the 28th USENIX Security Symposium is sponsored by USENIX. Everyone is Different: Client-side Diversification for Defending Against Extension Fingerprinting Erik Trickel?, Oleksii Starov†, Alexandros Kapravelos‡, Nick Nikiforakis†, and Adam Doupé? ?Arizona State University †Stony Brook University {etrickel, doupe}@asu.edu {ostarov, nick}@cs.stonybrook.edu ‡North Carolina State University [email protected] Abstract by users, as they see fit, by installing browser extensions. Namely, Google Chrome and Mozilla Firefox, the browsers Browser fingerprinting refers to the extraction of attributes with the largest market share, offer dedicated browser exten- from a user’s browser which can be combined into a near- sion stores that house tens of thousands of extensions. In turn, unique fingerprint. These fingerprints can be used to re- these extensions advertise a wide range of additional features, identify users without requiring the use of cookies or other such as enabling the browser to store passwords with online stateful identifiers. Browser extensions enhance the client- password managers, blocking ads, and saving articles for later side browser experience; however, prior work has shown that reading. their website modifications are fingerprintable and can be From a security perspective, the ability to load third-party used to infer sensitive information about users.
    [Show full text]
  • Interstitial Content Detection Arxiv:1708.04879V1 [Cs.CY] 13 Aug
    Interstitial Content Detection Elizabeth Lucas, Mozilla Research August 2017 Abstract Interstitial content is online content which grays out, or otherwise obscures the main page content. In this technical report, we discuss exploratory research into detecting the presence of interstitial content in web pages. We discuss the use of computer vision techniques to detect interstitials, and the potential use of these techniques to provide a labelled dataset for machine learning. 1. Introduction The structure and underlying nature of content in the web is fundamentally different than most rigorously structured data, and often requires deviating from the traditional approaches of recognizing patterns in more heavily structured data. Within the types of content on the web, interstitials are of interest due to their interrupting of the user's web experience. This report represents the preliminary research necessary to explore the structure of interstitial content, and the beginnings of a machine learning application to assist with our understanding of web content and interstitials. The scripts used for data collection and evaluation are available [1]. 1.1. Definitions For the purpose of this research project, `interstitials', or `interstitial content', are defined as online content, often advertisements or other promotional content, which grays out or otherwise obscures the main page content. These interstitials often require the user to interact in order to return to the main content, interrupting the user's experience. `Servo' refers to the Servo browser engine, sponsored by Mozilla Research [6]. Written in the Rust programming language, this modern parallel browser engine aims to improve performance, security, modularity, and parallelization. Future work will involve eventually bringing interstitial ad detection into the Servo browser engine itself.
    [Show full text]
  • Python Selenium Download Pdf Chrome Driver How to Download Dynamically Loaded Content Using Python
    python selenium download pdf chrome driver How to download dynamically loaded content using python. When you surf online, you occasionally visit websites that show content like videos or audio files which are dynamically loaded. This is basically done using AJAX calls or sessions where the URLs for these files are generated in some way for which you can not save them by normal means. A scenario would be like, for example, you visited a web page and a video is loaded through a video player like jwplayer after 1 or 2 secs. You want to save this but unfortunately you couldn’t do so by right-clicking on it and saving it as the player doesn’t show that option. Even if you use command line tool like wget or youtube-dl, it might be possible but for some reason it just doesn’t work. Another problem is that, there are still some javascript functions that need to be executed and until then, the video url does not get generated in the site. Now the question is, how would you download such files to your computer? Well, there are different ways to download them. One way is to use a plugin or extension for the browser like Grab Any Media or FlashGot which can handle such requests and might allow you to download it. Now the thing is, lets say you want to download an entire set of videos that are loaded using different AJAX calls. In this case, the plugins or extensions, might work but it takes a long time to manually download each file.
    [Show full text]
  • Creating the World's Largest Real-Time Camera Network
    Creating the World’s Largest Real-Time Camera Network Ryan Dailey, Ahmed S. Kaseb, Chandler Brown, Sam Jenkins, Sam Yellin, Fengjian Pan, Yung-Hsiang Lu; Purdue University; West Lafayette, Indiana, USA Abstract so on. This contextual information is called metadata and can be Millions of cameras are openly connected to the Internet for helpful for data analytics. Metadata can be useful for identify- a variety of purposes. This paper takes advantage of this resource ing the cameras for specific purposes, for example, traffic cam- to gather visual data. This camera data could be used for a myr- eras for studying urban transportation. The second problem is iad of purposes by solving two problems. (i) The network camera the wide range of protocols used to retrieve data from network image data needs context to solve real world problems. (ii) While cameras. Different brands of network cameras need different re- contextual data is available, it is not centrally aggregated. The trieval methods (for example, different paths for HTTP GET com- goal is to make it easy to leverage the vast amount of network mands). Many organizations (such as departments of transporta- cameras. tion in different cities) aggregate the data streams from multiple The database allows users to aggregate camera data from cameras. There is no standard as to how the information is ag- over 119,000 network camera sources all across the globe in real gregated and thus, there is no standard method for retrieving data time. This paper explains how to collect publicly available infor- from different sources. mation from network cameras.
    [Show full text]
  • System for Detection of Websites with Phishing and Other Malicious Content
    Masaryk University Faculty of Informatics System for detection of websites with phishing and other malicious content BachelorŠs Thesis Tomáš Ševčovič Brno, Fall 2017 Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Tomáš Ševčovič Advisor: prof. RNDr. Václav Matyáš, M.Sc., Ph.D. i Acknowledgement I would like to thank prof. RNDr. Václav Matyáš, M.Sc., Ph.D. for the management of the bachelor thesis, valuable advice and comments. I would also like to thank the consultant from CYAN Research & Development s.r.o., Ing. Dominik Malčík, for useful advice, dedicated time and patience in consultations and application development. Also, I would like to thank my family and friends for their support throughout my studies and work on this thesis. ii Abstract The main goal of this bachelor thesis is to create a system for detection of websites with phishing and other malicious content with respect to Javascript interpretation. The program should be able to download and process thousands of domains and get positive results. The Ąrst step involves examining an overview of automated web testing tools to Ąnd an optimal tool which will be used in the main implementation. The thesis contains overview of technologies for website testing, their comparison, overview of malware methods on websites, implementation and evaluation of the system. iii Keywords Chrome, Javascript, link manipulation, malware, phishing, URL redi- rects, XSS, Yara iv Contents 1 Introduction 1 2 Overview of approaches to website testing 3 2.1 Manual testing .......................
    [Show full text]
  • Identifying Javascript Skimmers on High-Value Websites
    Imperial College of Science, Technology and Medicine Department of Computing CO401 - Individual Project MEng Identifying JavaScript Skimmers on High-Value Websites Author: Supervisor: Thomas Bower Dr. Sergio Maffeis Second marker: Dr. Soteris Demetriou June 17, 2019 Identifying JavaScript Skimmers on High-Value Websites Thomas Bower Abstract JavaScript Skimmers are a new type of malware which operate by adding a small piece of code onto a legitimate website in order to exfiltrate private information such as credit card numbers to an attackers server, while also submitting the details to the legitimate site. They are impossible to detect just by looking at the web page since they operate entirely in the background of the normal page operation and display no obvious indicators to their presence. Skimmers entered the public eye in 2018 after a series of high-profile attacks on major retailers including British Airways, Newegg, and Ticketmaster, claiming the credit card details of hundreds of thousands of victims between them. To date, there has been little-to-no work towards preventing websites becoming infected with skimmers, and even less so for protecting consumers. In this document, we propose a novel and effective solution for protecting users from skimming attacks by blocking attempts to contact an attackers server with sensitive information, in the form of a Google Chrome web extension. Our extension takes a two-pronged approach, analysing both the dynamic behaviour of the script such as outgoing requests, as well as static analysis by way of a number of heuristic techniques on scripts loaded onto the page which may be indicative of a skimmer.
    [Show full text]
  • Enhancing the Security and Privacy of the Web Browser Platform Via Improved Web Measurement Methodology
    ABSTRACT JUECKSTOCK, JORDAN PHILIP. Enhancing the Security and Privacy of the Web Browser Platform via Improved Web Measurement Methodology. (Under the direction of Alexandros Kapravelos.) The web browser platform today serves as a dominant vehicle for commerce, communication, and content consumption, rendering the assessment and improvement of that platform’s user security and privacy important research priorities. Accurate web measurement via simulated user browsing across popular real-world web sites is essential to the process of assessing and improving web browser platform security and privacy, particularly when developing improved policies that can be deployed in production to millions of real-world users. However, the state of the art in web browser platform measurement instrumentation and methodology leaves much to be desired in terms of robust instrumentation, reproducible experiments, and realistic design parameters. We propose that enhancing web browser policies to improve privacy while retaining compatibility with legacy content requires robust and realistic web measurement methodologies leveraging deep browser instrumentation. This document comprises research results supporting the above-stated thesis. We demonstrate the limitations of shallow, in-band JavaScript (JS) instrumentation in web browsers, then describe and demonstrate an open source out-of-band instrumentation tool, VisibleV8 (VV8), embedded in the V8 JS engine. We show that VV8 consistently outperforms equivalent in-band instrumentation, provides coverage unavailable to in-band techniques, yet has proved readily maintainable across numerous updates to Chromium and the V8 JS engine. Next, we test the assumption, implicit in typical web measurement studies, that automated crawls generalize to the experience of typical web users with a robustly controlled parallel web measurement experiment comparing observations from multiple network vantage points (VP) and via naive or realistic browser configurations (BC).
    [Show full text]
  • Automated Web Application Testing Using Selenium
    WORCESTER POLYTECHNIC INSTITUTE MAJOR QUALIFYING PROJECT Automated Web Application Testing Using Selenium Author: Supervisor: Benjamin CHANEY Prof. Micha HOFRI A thesis submitted in fulfillment of the requirements for the degree of Bachelors of Science in the WPI Department of Computer Science March 7, 2017 i Contents Abstract iii Acknowledgements iv 1 Introduction 1 2 Background 2 2.1 About Source Defense . .2 2.2 Automated Web Testing . .2 2.3 Design Goals . .2 2.4 State of the Art . .4 3 Methodology 6 3.1 Choice of Testing Framework . .6 3.2 Design . .7 4 Results 9 4.1 Worker . .9 4.2 Master . 11 4.3 Tests . 14 5 Conclusion 16 ii Glossary API application programing interface CSS Cascading Style Sheets GUI graphical user interface HTML HyperText Markup Language HTTP HyperText Transfer Protocol JSON JavaScript Object Notation OS operating system iii Abstract Source Defense, a web security startup, needs a powerful and efficient testing frame- work to ensure the correctness of their platform. In this project, we begin by dis- cussing existing work in web application testing. We then design and implement a solution built on Selenium, an existing software testing framework. Our solution is tailored to Source Defense’s unique needs. This includes the ability to constantly monitor the proper operation of their product, and alert them in the event of er- roneous behavior or an outage. Finally, we utilize our solution to demonstrate its effectiveness at ensuring the proper functionality of their product. iv Acknowledgements I would like to thank the sponsors at Source Defense for hosting my project.
    [Show full text]
  • Preview Phantomjs Tutorial (PDF Version)
    PhantomJS About the Tutorial PhantomJS is a lightweight headless browser built on WebKit. It is called headless because the execution does not happen on the browser, but on the terminal. This tutorial covers most of the topics required for a basic understanding of PhantomJS. Additionally, this tutorial also explains how to deal with its various components and to get a feel of how it works. Audience This tutorial is designed for those programmers who want to learn the basics of PhantomJS and its programming concepts. It will give you enough understanding on various functionalities of PhantomJS with suitable examples. Prerequisites Before proceeding with this tutorial, you should have a basic understanding of HTML, CSS, JavaScript, and Document Object Model (DOM). Copyright and Disclaimer Copyright 2017 by Tutorials Point (I) Pvt. Ltd. All the content and graphics published in this e-book are the property of Tutorials Point (I) Pvt. Ltd. The user of this e-book is prohibited to reuse, retain, copy, distribute or republish any contents or a part of contents of this e-book in any manner without written consent of the publisher. We strive to update the contents of our website and tutorials as timely and as precisely as possible, however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt. Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our website or its contents including this tutorial. If you discover any errors on our website or in this tutorial, please notify us at [email protected] i PhantomJS Table of Contents About the Tutorial ...........................................................................................................................................
    [Show full text]
  • Headless Chr Me Automation with About the Crrri Package
    Headless Chr me Automation with About the crrri package Romain Lesur & Christophe Dervieux useR! 2019 - 2019/07/12 Toulouse - France A web browser is like a shadow puppet theater With behind the scene the puppet master 2 / 15 Using a headless browser Be the stage director... ... and fully decide what should be done... ... but in the dark ! No visual interface to see the result of your actions 3 / 15 Chrome Headless mode and the Devtools protocol Full control of Chrome using Node.js modules like puppeteer, chrome-remote-interface https://chromedevtools.github.io/devtools-protocol/ Interact with the protocol using json messages exchange through websockets. 4 / 15 You may already know other R related work RSelenium (@ropensci) client for Selenium WebDriver, requires a Selenium server (Java). webshot (@wch), webdriver (@rstudio) relies on the abandoned PhantomJS library. htmlunit (@hrbrmstr) uses the HtmlUnit Java library. splashr (@hrbrmstr) works with the Splash JavaScript Rendering Service decapitated (@hrbrmstr) uses headless Chrome command-line instructions or the Node.js gepetto module (built-on top of the puppeteer Node.js module) chradle (@MilesMcBain), first tests for driving Chromium/Chrome from R using a websocket connection. An inspiration for crrri 5 / 15 What is dierent with the crrri package ? https://github.com/RLesur/crrri/ Have the full control of from without Java, NodeJS or any server Low-level API inspired by the chrome-remote-interface JS module gives access to 500+ functions to control Chrome Dedicated to advanced
    [Show full text]