Final Research Paper (NCBA&E)


WEB BASED APPLICATIONS TESTING: ANALYTICAL APPROACH TOWARDS MODEL BASED TESTING AND FUZZ TESTING

ABSTRACT

Web based applications are complex in structure, which exposes them to an immense number of attacks, so testing should be done proactively in order to identify threats in the applications. An intruder can explore these security loopholes and may exploit the application, which results in economic loss, so testing the application becomes a supreme phase of development. The main objective of testing is to secure the contents of applications through either a static or an automatic approach. Software houses usually follow fuzz based testing, in which flaws are explored by randomly inputting invalid data, while on the other hand the automated approach is defined as model based testing, in which applications are tested from all perspectives on the basis of an abstract model of the application. Both techniques are showing their prominence in exploring flaws, each with pros and cons. This research work guides the web application practitioner in selecting a suitable methodology for different testing scenarios, which saves effort spent on testing and helps develop a better, breach-free product.

1. INTRODUCTION

1.1 LITERATURE REVIEW

Web applications are a vital part of today's internet, where customers perform different types of activities from a remote device with ease, such as online transactions, booking tickets for flights etc., and this domain of service oriented architecture is now widely utilized by every organizational sector, such as banks for managing daily transactions and the transport sector for issuing tickets. Such information is difficult to secure, as all the sensitive and critical operations have to occur within the mean response time of the application. However, due to the unfenced identity (nature) and enterprising trademark of web applications, the security of applications becomes a big question mark: how to deal with security issues, as these issues may cause serious hazards for service oriented architecture (SOA) based applications. Web based application architecture is strongly interlinked between server and clients, where services are provided by the server to client machines all over the world; if the server goes down or fails to respond, the services of the web application are not available to clients. Due to the extensive nature of websites, security hazards are steadily uncovered that make web applications susceptible to numerous attacks, resulting in destruction of the system or loss of important data credentials (Li et al., 2013).

Web applications have not earned much trust and satisfaction from users in the context of safety, and this has a negative impact on the organization providing services through that application. A simple example comes from the banking sector, which utilizes this platform to manage its daily activities such as customers' account details, transactions etc. All these details are stored in a centralized storage called a database, which is linked with the server of that bank. Now if an intruder enters that database or even cracks the server, then surely he will steal those sensitive credentials of customers and put the bank and customer on the edge of forfeiture.
Such uncertainty puts both stakeholders and users at the edge of risk. Consequently, hindering security flaws and breaches should be a pinnacle priority for organizations that provide services via a web platform, especially when contemplating the results of unintended behavior of applications. The root of web based applications' susceptibilities is inexperienced developers who focus more on user attraction instead of on the security structure, while at the same time the deficiency of complete and comprehensive tests also causes problems (Li et al., 2013).

Web service flaws and security breaches are actually the defects and loopholes that exist in source code, design and implementation protocols. These loopholes in web applications are key targets for intruders, who analyze them and then inject malicious inputs to track the application's weaknesses and possibly access the application in an unauthorized way to damage or steal the sensitive credentials of the organization that provides services through that platform. In general, web applications are excellent, safe and composed until someone discovers flaws and exploits the whole application, making application security a question mark for security experts.

Developers and stakeholders are not very interested in testing and eliminate this phase from the development life cycle of the application, and when someone exploits their application they just get through it by beta testing to uncover security flaws or perform testing on their own. Such ways of testing are bizarre, and therefore those tools which were originally developed to test the application's functionality are now utilized by hackers to exploit the security loopholes in quick sessions.
1.2 RESEARCH METHODOLOGY

The research was initiated by studying the literature relevant to our subject, which is an analytical approach towards model-based testing and fuzz testing in terms of web applications. Going through the literature, enough information is available about model-based testing and fuzz testing of web applications. This information can be used as a base to draw more related information and conclude that it is conceivable to test web applications with both approaches, that is model based testing and fuzz testing.

Our research is divided into two sections, that is survey and experiment, through which we will answer all of our research questions. Our motivation for choosing these two methodologies is that we wanted to include industrial practices in our research. In order to calculate the test coverage, time and cost we had to use experiments instead of SLR. Those two parts are explained in detail below:

1.2.1 SURVEY

The objective of the survey is to get knowledge about the strengths, weaknesses and practice associated with both model based testing and fuzz testing at industrial level. The data will help us to answer relevant research questions, such as what strengths and weaknesses there are in using MBT in industry and what strengths and weaknesses there are in using fuzz testing in industry. The survey contains multiple-choice based queries, and they were designed to keep the discussion focused on the relevant subject only. This procedure is essential because we needed some additional data in the form of experiences, to then relate those with the experimental outcome to verify and validate each and everything.

1.2.2 SELECTION OF SUBJECTS

In order to make the research study authentic and reliable, it is vital to select the right subjects for the surveys. The selected organizations are currently working with software testing (or conducting their operations via software), especially in the context of model based testing and Fuzz testing. The selection process was based on two major criteria, that is work experience in the IT field and knowledge of either MBT or Fuzz testing techniques. The survey sessions with such professionals provided us a broader understanding of the strengths and weaknesses that are faced by companies during the execution and implementation of model based testing and fuzz testing approaches.

1.2.3 SURVEY STRUCTURE

The reason for doing the survey was that, through survey research, we got to know the opinions of industrial professionals in the software testing field. Their responses were analyzed, and key points were separated from these survey questions. To validate our findings at this stage, we set up the statistical tools Minitab and SPSS to analyze these findings. The survey method was based on seven points as presented:

2. RESEARCH QUESTIONS

Research Question #1: What strengths and weaknesses are there in the model based testing technique while testing web applications?

Research Question #2: What strengths and weaknesses are there in Fuzz testing while testing web applications?

Research Question #3: Which testing approach (that is model based testing or fuzz testing) is superior in the context of web applications for providing better and quality test cases?

3. RESULT ANALYSIS & DISCUSSION

The survey was a mandatory part of the research, and data was collected by conducting the survey, which generates data that is further analyzed with the help of statistical tools. The analysis of the data was done by descriptive statistics, i.e. graphs were made in order to statistically analyze the experiment results. After that, hypothesis testing was also done in order to check whether H0-qual can be rejected and a conclusion can be drawn from it. There are the following questions in this survey.

3.1 Ratings for Fuzz Testing and MBT

In this section, we have used a scale to show the average rating of Fuzz testing and model based testing. Following are the results of Fuzz testing and model based testing perceived from the survey data analysis. The elements were positioned between two extremes of the scales:

3.2 Test Coverage

Test coverage can be seen as a strength of Fuzz testing and model based testing. The coverage is usually based on the experience of the tester who creates the test. The respondents also mentioned that in companies the test cases are usually written by experienced testers; if not, the test cases are approved by experienced testers. Also, in model based testing, the test coverage is always higher than in Fuzz testing because the test cases are generated by considering the test coverage.
The above scale was generated on the basis of the average score of Fuzz testing and MBT while considering the test coverage. It shows that Fuzz testing has fairly high test coverage, that is branch, path and statement coverage, but model based testing has more coverage because of its zero-tolerance towards the test coverage.

3.3 Requirement Traceability

Requirement traceability is one of the strengths of model based testing. According to the survey data, there are several ways to make the requirements traceable through the test cases. However, in MBT the traceability is done in a different way. According to the respondents, requirement traceability is a challenge in MBT, and companies usually find it difficult to track the results back to the system requirements in the MBT approach. Recently, some major studies have been done in order to find a better way to make requirements traceable in the MBT process. According to the survey data analysis, the following chart shows the requirement traceability in Fuzz testing and MBT.

3.4 Quality of Test Cases

According to the respondents, the understandability of the test cases depends on the experience of the tester who is writing the test cases. It is one of the challenges of Fuzz testing because every tester writes the test cases according to his own knowledge of the system and business. It was also identified that more detailed test cases are more understandable. In MBT, the automated test cases are not fully understandable by human beings. For example, Conformiq Qtronic and Microsoft's Spec Explorer add reasonable details to the test cases, so that a human engineer can understand what the details will be and what is to be tested. The following scale shows the rating of MBT and Fuzz testing between two extremes of the understandability construct. The scale was rated on the basis of analysis of survey data.

4. EXPERIMENT

The goal of this phase is to dynamically validate the findings of the survey results. This part is documented just to ensure that important factors are properly documented and defined before going to the actual execution.

4.1 Test Coverage

For test coverage, branch, statement and path coverage were calculated for each team for both approaches, model based testing and Fuzz testing. The following table contains the results for test coverage.
Table 1: TEST COVERAGE IN MBT AND FUZZ TESTING

| Group   | Test Coverage          | Model Based Testing | Fuzz Based Testing |
|---------|------------------------|---------------------|--------------------|
| Group 1 | Coverage of Paths      | 3                   | 4                  |
| Group 1 | Coverage of Statements | 2                   | 2                  |
| Group 1 | Coverage of Branches   | 3                   | 2                  |
| Group 2 | Coverage of Paths      | 4                   | 3                  |
| Group 2 | Coverage of Statements | 2                   | 1                  |
| Group 2 | Coverage of Branches   | 3                   | 3                  |
| Group 3 | Coverage of Paths      | 3                   | 4                  |
| Group 3 | Coverage of Statements | 2                   | 1                  |
| Group 3 | Coverage of Branches   | 3                   | 3                  |

The above table shows the comparison of test coverage results of the test cases generated from both approaches (MBT and Fuzz testing). The test cases written by Fuzz Team – 1 showed that there are two test cases required to test all conditions which are sorted out during the analysis and design phase; it is also mentioned that only two test cases are required to cover all the statements (statement coverage), and a total of four test cases were actually required to test all possible paths (path coverage). Similarly, from Fuzz Team – 2 test data, the branch, path and statement coverage was 3, 3 and 1 respectively. From test data gathered from Fuzz Team – 3, branch, path and statement coverage was 3, 4 and 1 respectively. The test data from the three MBT teams resulted in branch, path and statement coverage of (3, 3, 2), (3, 4, 2) and (3, 3, 2) respectively.

5. CONCLUSION

Today's world has totally shifted to the internet, where tasks and operations are performed within a couple of minutes via remote access: internet banking, seat reservation, or even online trading and shopping can be done via the internet. The platforms used for such activities are web based applications, which provide services to end users via remote devices after they enter their secret credentials to log in. A web application is actually a mixture of multiple programming languages such as JavaScript, AJAX and PHP, which combine to execute users' operations. So, keeping such concepts in mind, we must agree that web applications should have a complex and tight security mechanism for securing users' secret credentials. But unfortunately the facts are against this concept, as the security of websites is still not up to the mark where users feel that their credentials are saved in a secure place. The reason behind these issues is that we still don't give value to testing, consider it the last segment of the development life cycle, and follow traditional and manual ways to test the application, neglecting how valuable it would be to test applications before they are launched online for performing operations. Researchers and experts try to overcome these security issues by introducing advanced techniques which execute automatically in order to test the application within little time and cost.

Model based testing is best considered a craftsman's art where we have to focus on three important aspects: understanding the target application, the ability to establish accurate and precise models from raw information, and the ability to use the tools. Model based testing is best defined by Margaret Rouse as a technique that demands that the developer take part at the initial stage to construct a lightweight visual implementation of the application, called models. These models comprise business logic in a few lines of code, which are followed up by another driver that directs this model-like information to the target application, called the system under test, and then compares the outcome with the predicted outcome; if the results vary, then the failures need to be examined further. This technique is good for discovering potential conflicts that cause the application to crash, as this technique is automated: it submits tests as input and executes them for a specific period of time.

The Synopsys report, in turn, defined fuzz testing as a valuable technology used to uncover flaws and vulnerabilities in an application by bombarding a target application with a series of malformed inputs and then observing the spotted areas of the application results. If the target application performs unexpected actions, then examination of that failure is required; that examination uncovers the root causes of the failure, which may be exploited for illegal purposes. Fuzzing plays the role of a verification agent during the implementation and deployment phases, where undetected flaws may distress the integrity of the application.

We approached these techniques from an analytical perspective in order to discover their strengths and weaknesses during web application testing. After analysis, we think model based testing is better than fuzz testing in the context of generating quality test cases and requirement traceability, but the cost and effort required during fuzz testing are less than for model based testing, as model based testing requires a lot of time at the initial level in order to analyze the raw information and to create application models, while in fuzz testing we just need to develop data sets for the application and then bombard the application with them. However, it is true that model based testing is better at discovering vulnerabilities compared to the fuzz technique.

But we have to admit that model based testing can cover a large variety of scenarios with moderately little effort, and random execution of models can expose issues which are not easy to discover upfront, such as design and specification issues, whereas the fuzz technique is good at discovering coding issues more accurately than the other. But model based testing has some limitations too: if we need to test a large application, then we need a large set of random test cases for model based testing, which requires a great deal of time and infrastructure. So we proposed a conceptual framework on the basis of their strengths, which needs further development and then implementation in order to verify its outcome.
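
The two techniques described in the conclusion, side by side, as an added example (not code from the paper): a model with predicted outcomes is driven against a system under test, and a fuzzer feeds the same system malformed input. `ToyApp`, its two seeded defects, the `MODEL` table and all function names are constructed for illustration.

```python
import random

class ToyApp:
    """Constructed system under test (SUT) with two seeded defects."""
    def __init__(self):
        self.session = False

    def handle(self, action, arg=""):
        if action == "login":
            self.session = (arg == "s3cret")
            return 200 if self.session else 401
        if action == "logout":
            return 200  # seeded design flaw: the session is never invalidated
        if action == "transfer":
            if not self.session:
                return 401
            return 200 if int(arg) > 0 else 400  # seeded coding flaw: int() can raise
        return 404

# Abstract model: state -> action -> (argument, next state, predicted status)
MODEL = {
    "out": {"login_ok": ("s3cret", "in", 200),
            "login_bad": ("wrong", "out", 401),
            "transfer": ("10", "out", 401)},
    "in": {"transfer": ("10", "in", 200),
           "logout": ("", "out", 200)},
}

def model_based_test(steps=200, seed=1):
    """Driver: random walk over MODEL, comparing each SUT outcome with the prediction."""
    rng, app, state, failures = random.Random(seed), ToyApp(), "out", set()
    for _ in range(steps):
        name = rng.choice(sorted(MODEL[state]))
        arg, next_state, predicted = MODEL[state][name]
        actual = app.handle(name.split("_")[0], arg)
        if actual != predicted:
            failures.add((state, name, predicted, actual))
        state = next_state
    return failures

def fuzz_test(runs=300, seed=1):
    """Fuzzer: malformed 'amount' values against a logged-in SUT; record unhandled errors."""
    rng, app, crashes = random.Random(seed), ToyApp(), {}
    app.handle("login", "s3cret")
    alphabet = "0123456789-+ .eE'\"<>%"
    for _ in range(runs):
        data = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 8)))
        try:
            app.handle("transfer", data)
        except Exception as exc:  # an unhandled exception would be an HTTP 500
            crashes.setdefault(type(exc).__name__, data)  # keep the first reproducer
    return crashes

if __name__ == "__main__":
    print("model-based failures:", model_based_test())
    print("fuzzing crashes:", fuzz_test())
```

The random walk reports only the logout flaw (a transfer accepted after logout), and the fuzzer reports only the unhandled `ValueError`, which mirrors the conclusion's point that executing models exposes design issues while fuzzing exposes coding issues.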