Automating Bypass Testing for Web Applications

Vasileios Papadimitriou, Jeff Offutt, Paul Ammann, Ye Wu, Lloyd J Griffiths, Dean, Beverly Dugan, Carolyn Harris, Cathy Stawarski, Christodoulos Christodoulou, Emmanuel Spyridakis, Lima Beauvais

semanticscholar

Abstract
Dedication

I dedicate this thesis to my wife Mimi and my son Konstantinos for their patience and support.

Acknowledgments

First, I would like to express my appreciation for the valuable advice and support from Dr. Offutt, who has been an outstanding advisor and professor throughout the course of this thesis and the MSSWE program. for providing me with an excellent employment environment that promotes research and professional development, which had a great impact in the completion of this project. I thank Wuzhi Xu, whose input in the early stages played a significant role in the foundation of this project.

By introducing new quality standards, the World Wide Web has a great impact on how software is being developed and deployed. Web software is mainly accessed through browsers and dynamically created user interfaces. HTML source and scripts are available to the user and can be modified and resubmitted due to the stateless nature of HTTP; thus, arbitrary requests from clients are permitted and web applications become vulnerable to input manipulation. Previous work on bypass testing is extended to develop an automated approach. An open source testing tool, HttpUnit, is used to build a prototype application, AutoBypass, which parses HTML pages, identifies forms and their fields, and automatically creates bypass test cases that violate the user interface's constraints. AutoBypass performs testing on the external system level, eliminating the need for accessing the application source or server. The bypass method's effectiveness is empirically evaluated with web applications developed by professionals. The results show that applications generated numerous faults when bypass test cases were submitted. It is concluded that bypass testing can improve the quality of web applications by revealing potential vulnerabilities while providing an efficient method to reduce the development cost.
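The form-parsing and test-generation step described in the abstract, as an added example that is not AutoBypass or code from the thesis: it uses Python's `html.parser` instead of HttpUnit, and the sample form, the four constraint kinds and the generated values are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Constructed sample form (not from the thesis); its limits exist only in the browser.
SAMPLE_HTML = """<form action="/register" method="post">
  <input type="text" name="username" maxlength="8" required>
  <input type="hidden" name="role" value="user">
  <select name="plan"><option value="free">Free</option><option value="pro">Pro</option></select>
</form>"""

class FormConstraintParser(HTMLParser):
    """Collect each named form field with its client-side constraints."""
    def __init__(self):
        super().__init__()
        self.fields = {}      # field name -> constraint dict
        self._select = None   # name of the <select> currently open, if any
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            ml = a.get("maxlength") or ""
            self.fields[a["name"]] = {
                "type": a.get("type") or "text",
                "maxlength": int(ml) if ml.isdigit() else None,
                "required": "required" in a,
                "value": a.get("value") or ""}
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.fields[self._select] = {"type": "select", "options": []}
        elif tag == "option" and self._select:
            self.fields[self._select]["options"].append(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None

def bypass_cases(html):
    """Return (field, violated constraint, test value) for every constraint found."""
    parser = FormConstraintParser()
    parser.feed(html)
    cases = []
    for name, c in parser.fields.items():
        if c.get("maxlength") is not None:
            cases.append((name, "maxlength", "A" * (c["maxlength"] + 1)))
        if c.get("required"):
            cases.append((name, "required", ""))
        if c["type"] == "hidden":
            cases.append((name, "hidden-value", c["value"] + "_modified"))
        if c["type"] == "select":  # longer than every option, so never listed
            cases.append((name, "option-set", "x" + "".join(c["options"])))
    return cases
```

Each tuple names one browser-side rule that the server must enforce again on its own; run against a test deployment of your application, a case that is accepted or that produces an unhandled error marks a missing server-side check.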
The World Wide Web has a great impact on how software is developed and deployed. Web applications introduced new priorities for developers, driving the industry to value reliability, usability, and security instead of "time to market", which is more typical of traditional software [13]. This shift in the criteria for software quality creates a need for new methods to design, implement, and test software that runs in a distributed environment, is implemented on a diverse collection of hardware and software platforms, and often requires interaction among heterogeneous components. Web applications are extremely loosely coupled and heavily user interactive in a dynamic manner, …