Web application bypass testing

Abstract

Input validation refers to checking user inputs to a program to ensure that they conform to expectations of the program. Input validation is used to check the format of numbers and strings, check the length of strings, and to ensure that strings do not contain invalid characters. Input validation testing (IVT) is particularly important for software that has a heavy reliance on user inputs, including Web applications. A common technique in Web applications is to perform input validation on the client by using HTML attributes and scripting languages such as JavaScript. An insidious problem with performing input validation on the client is that end users have the ability to bypass this validation. Bypass testing is a unique and novel way to create test cases that is available only because of the unusual mix of client-server, HTML GUI, and JavaScript technologies that are used in Web applications. This workshop paper presents the issues and concerns that allow bypass testing, the preliminary concepts behind the technique, and some early results on applying it. How effective and useful bypass testing can be in testing Web applications is determined through ongoing research and automation.