Testing Web applications by modeling with FSMs

Researchers and practitioners are still trying to find effective ways to model and test Web applications. This paper proposes a system-level testing technique that combines test generation based on finite state machines with constraints. We use a hierarchical approach to model potentially large Web applications. The approach builds hierarchies of Finite State Machines (FSMs) that model subsystems of the Web applications, and then generates test requirements as subsequences of states in the FSMs. These subsequences are then combined and refined to form complete executable tests. The constraints are used to select a reduced set of inputs with the goal of reducing the state space explosion otherwise inherent in using FSMs. The paper illustrates the technique with a running example of a Web-based course student information system and introduces a prototype implementation to support the technique.     

基于Petri网的语义Web服务自动组合方法

Web服务组合使得开发人员可以快速地创建自己的应用程序.但是,随着Internet上可用的Web服务数目的增加,Web服务组合是一项高度复杂的任务.针对语义Web服务的自动组合问题,提出了一种既考虑服务输入/输出又考虑服务行为约束的自动组合方法.首先,注册服务被转化为一组Horn子句形规则,用户的输入和输出请求分别被转化为Horn子句中的事实和目标,从而将寻找满足用户输入/输出请求的合成服务问题转化为Horn子句的逻辑推理问题;然后,用Petri网来为该Horn子句集建模,T-不变量技术被用来判定是否存在满足用户输入/输出请求的合成服务;最后给出了两种算法来获取既满足用户输入/输出请求又满足用户行为约束的合成服务的Petri网模型.     

Specification and verification of data-driven Web applications

We study data-driven Web applications provided by Web sites interacting with users or applications. The Web site can access an underlying database, as well as state information updated as the interaction progresses, and receives user input. The structure and contents of Web pages, as well as the actions to be taken, are determined dynamically by querying the underlying database as well as the state and inputs. The properties to be verified concern the sequences of events (inputs, states, and actions) resulting from the interaction, and are expressed in linear or branching-time temporal logics. The results establish under what conditions automatic verification of such properties is possible and provide the complexity of verification. This brings into play a mix of techniques from logic and model checking.     

Testing input validation in Web applications through automated model recovery

Input validation is essential and critical in Web applications. It is the enforcement of constraints that any input must satisfy before it is accepted to raise external effects. We have discovered some empirical properties for characterizing input validation in Web applications. In this paper, we propose an approach for automated recovery of input validation model from program source code. The model recovered is represented in a variant of control flow graph, called validation flow graph, which shows essential input validation features implemented in programs. Based on the model, we then formulate two coverage criteria for testing input validation. The two criteria can be used to guide the structural testing of input validation in Web applications. We have evaluated the proposed approach through case studies and experiments.     

Seamless integration of interactive forms into the Web

The phenomenal interest and growth of the World Wide Web as an application server has pushed the Web model to its limits. Specifically, the Web offers limited interactivity and versatility as a platform for networked applications. One major challenge for the HCI community is to determine how to improve the human-computer interface for Web-based applications. This paper focuses on a significant Web deficiency — supporting truly interactive and dynamic form-based input. We propose a well-worked form interaction abstraction that alleviates this Web deficiency. We describe how the abstraction is seamlessly integrated into the Web framework by leveraging on the virtues of the Web and fitting within the interaction and usage model of the Web.     

基于扩展概念格的Web关系挖掘

针对Web服务因缺少有效的组织和管理机制而产生的应用瓶颈问题,引入基于概念覆盖度函数的扩展概念格,通过构建基于输入和输出参数的Web服务集的扩展概念格模型,给出了Web服务间等价、替代和流关系的离线挖掘算法以及增量和减量的在线更新算法.在真实Web服务集上的测试结果表明,扩展概念格模型是Web服务集的一种有效的组织形式,可用于Web服务关系的自动挖掘和维护,从而为Web服务的选择、优化和组合提供智能支持.     

基于状态转换的Web程序测试方法研究

基于状态转换的测试方法是探测Web程序动态行为异常的有效途径。Web程序状态的变迁由链接序列和提交数据共同构成的导航场景决定。本文用活动页面导航图(APND)来描述页面间的链接转换行为,用状态变量的组合对象状态图(COSD)来刻画由提交数据导致的系统状态变量改变,再将两者统一成一个较为全面的动态行为模型Web程序状态转换图(WSTD)。最后,采用线索k叉树并加以改造来自动生成测试用例。     

动态网页分发加速技术研究

随着Web技术的迅速发展,动态和个性化网页的比重日益增加,而传统缓存一般只适用于静态内容,难以减少获取动态网页所需的流量和延时代价。为了更有效地分发动态网页,人们提出了各种动态内容加速方案。文中研究了典型的动态网页分发加速方法,并对相关的加速技术进行了分析和比较。针对ESI和CDE这两种技术的优缺点,提出基于共享片段的动态网页分发加速模型。实验结果表明,与ESI和CDE相比,该模型可以节省更多的带宽,减少更多的延时。     

The design and implementation of the Gecko NFS Web proxy

The World Wide Web uses a naming scheme (URLs), transfer protocol (HTTP), and cache algorithms that are different from traditional network file systems. This makes it impossible for unmodified Unix applications to access the Web; as a result, the Web is only accessible to special Web‐enabled applications. Gecko bridges the gap between Web‐enabled applications and conventional applications, allowing any unmodified Unix application to access the Web. We developed two prototypes of the Gecko system at the University of Arizona and incorporated the many lessons learned from the first into the second. Minimizing the amount of state was a key goal of the Gecko redesign and the second prototype uses a unique compression technique to reduce server state. Experiments performed on the prototype show that Gecko not only makes the Web accessible to unmodified applications, but does so at a performance that meets or exceeds that of HTTP. Copyright © 2001 John Wiley & Sons, Ltd.     

二阶SQL注入攻击防御模型

随着互联网技术的快速发展,Web应用程序的使用也日趋广泛,其中基于数据库的Web应用程序己经广泛用于企业的各种业务系统中。然而由于开发人员水平和经验参差不齐,使得Web应用程序存在大量安全隐患。影响Web应用程序安全的因素有很多,其中SQL注入攻击是最常见且最易于实施的攻击,且SQL注入攻击被认为是危害最广的。因此,做好SQL注入攻击的防范工作对于保证Web应用程序的安全十分关键,如何更有效地防御SQL注入攻击成为重要的研究课题。SQL注入攻击利用结构化查询语言的语法进行攻击。传统的SQL注入攻击防御模型是从用户输入过滤和SQL语句语法比较的角度进行防御,当数据库中的恶意数据被拼接到动态SQL语句时,就会导致二阶SQL注入攻击。文章在前人研究的基础上提出了一种基于改进参数化的二阶SQL注入攻击防御模型。该模型主要包括输入过滤模块、索引替换模块、语法比较模块和参数化替换模块。实验表明,该模型对于二阶SQL注入攻击具有很好的防御能力。     

专题型网页搜集系统的设计与实现

近年来人们提出了很多新的搜集思想，他们都使用了一个共同的技术——集中式搜集。集中式搜集通过分析搜索的区域，来发现与主题最相关的链接，防止访问网上不相关的区域，这可以大量地节省硬件和网络资源，使网页得到尽快的更新。为了达到这个搜索目标，本文提出了两个算法：一个是基于多层分类的网页过滤算法，试验结果表明，这种算法有较高的准确率，而且分类速度明显高于一般的分类算法；另一个是基于Web结构的URL排序算法，这个算法充分地利用了Web的结构特征和网页的分布特征。     

SQLI和XSS漏洞检测与防御技术研究

文章针对Web安全漏洞中的SQLI和XSS漏洞,介绍了针对这两种漏洞的防御技术,并提出了一种新型的入侵检测系统.该系统采用Curl类库和Web请求,通过API接口分析和检测来自Web应用程序的交互,利用IDS服务器检测应用程序检测攻击行为,存储入侵记录.该技术最大的优势是跨平台性,可应用于多种Web应用程序.     

Adaptive steering of ships—A model reference approach

This paper describes the application of model reference adaptive control (MRAS) to automatic steering of ships. The main advantages in this case are the simplified controller adjustment which yields safer operation and the decreased fuel cost. After discussion of the mathematical models of process and disturbances, criteria for optimal steering are defined. Algorithms are given for direct adaptation of the controller gains, applicable after setpoint changes, as well as for identification and adaptive state estimation, to be used when the input is constant. Solutions for applying MRAS to a certain class of nonlinear systems are dealt with. Full-scale trials at sea and tests with a scale model in a towing tank are described. It is shown that the autopilot designed indeed has the desired properties. Fuel savings up to 5% in comparison to conventional PID control are demonstrated. These savings are mainly possible because of the adaptive state estimator.     

面向对象的Web工程

分析了Web应用的特点和目前所面临的一些问题，基于面向对象的概念，提出了多层次、多视图的Web应用开发模型，以对象作为建模的基本实体．提供了Web应用的高层描述，支持Web服务的任意粒度的抽象、封装、重用以及Web导航特性的分析，提出了基于XML的面向对象Web建模语言OOWML并实现了编译工具，能够自动生成Web应用的目标语言，与已有的方法相比．本文提出的模型为Web应用的工程化开发提供了更有效的支持。     

基于ORD和FSM的Web应用的建模与测试

Web测试是保证高质量Web应用的一种有效技术.然而,由于其特殊性和复杂性,很难直接将传统的测试理论与方法学运用到Web应用的测试当中来.对Web应用进行了分析与建模,并对其进行测试,提出了一种可行的Web测试模型.首先得到页面流图(PFD,Page Flow Diagram),进而产生对象关系图(ORD,Object Relation Diagram),然后根据提出的算法将ORD转化为形式化的有限状态机(FSM,Finite State Machine)模型.基于FSM模型,提出了一种有效的测试路径自动生成方法,这些测试路径可以转化为XML语法的测试规格说明.测试引擎将测试规格说明作为输入最终产生测试报告.全文以所开发的一个小型的Web应用SWLS(Simple Web Login System)为例进行阐述.     

Analysis and modeling of the semantically associated network on the Web

The semantically associated network on the Web is a Semantic Link Network built by mining the associated relation between Web pages. The associated link from page A to page B indicates that users who have browsed page A is likely to also browse page B. This paper explores the statistical properties of the associated network on the Web. Web pages of a specific domain are automatically downloaded by a Web crawler to build an associated network. We analyze the associated network at different domain thresholds and classify the topology into three states, that is, the original state, the kernel state and the final state. A mathematical model is built to study the in‐degree distribution, the out‐degree distribution and the total‐degree distribution for both the kernel state and the final state. By tuning the model parameters to reasonable values, we obtain the distinct power‐law forms for the three degree distributions with exponents that agree well with the statistical data. The proposed model can not only describe the evolving processes of the associated network on the Web, but also provides theory basis for complex applications such as semantic community discovery, intelligent browsing and recommendation. Copyright © 2009 John Wiley & Sons, Ltd.     

Ajax引擎的设计和应用

Web应用在界面易操作性方面的弱点是制约其应用面的重要因素，Ajax技术是为了克服这些缺点而提出的。采用它实现的页面在易操作性上可以做到与桌面应用相同的效果，因此，其应用也逐渐多起来。文章介绍了Ajax的基本原理并通过在一个考试系统中的具体实践给出了Ajax引擎的实现方法，对于一般的Web应用开发具有一定的参考价值。     

An Overview of Standards and Related Technology in Web Services

The Internet is revolutionizing business by providing an affordable and efficient way to link companies with their partners as well as customers. Nevertheless, there are problems that degrade the profitability of the Internet: closed markets that cannot use each other's services; incompatible applications and frameworks that cannot interoperate or built upon each other; difficulties in exchanging business data. Web Services is a new paradigm for e-business that is expected to change the way business applications are developed and interoperate. A Web Service is a self-describing, self-contained, modular application accessible over the web. It exposes an XML interface, it is registered and can be located through a Web Service registry. Finally, it communicates with other services using XML messages over standard Web protocols. This paper presents the Web Service model and gives an overview of existing standards. It then sketches the Web Service life-cycle, discusses related technical challenges and how they are addressed by current standards, commercial products and research efforts. Finally it gives some concluding remarks regarding the state of the art of Web Services.     

基于Stacking融合模型的Web攻击检测方法

随着计算机技术与互联网技术的飞速发展,Web应用在人们的生产与生活中扮演着越来越重要的角色。但是在人们的日常生活与工作中带来了更多便捷的同时,却也带来了严重的安全隐患。在开发Web应用的过程中,大量不规范的新技术应用引入了很多的网站漏洞。攻击者可以利用Web应用开发过程中的漏洞发起攻击,当Web应用受到攻击时会造成严重的数据泄露和财产损失等安全问题,因此Web安全问题一直受到学术界和工业界的关注。超文本传输协议(HTTP)是一种在Web应用中广泛使用的应用层协议。随着HTTP协议的大量使用,在HTTP请求数据中包含了大量的实际入侵,针对HTTP请求数据进行Web攻击检测的研究也开始逐渐被研究人员所重视。本文提出了一种基于Stacking融合模型的Web攻击检测方法,针对每一条文本格式的HTTP请求数据,首先进行格式化处理得到既定的格式,结合使用Word2Vec方法和TextCNN模型将其转换成向量化表示形式;然后利用Stacking模型融合方法,将不同的子模型(使用配置不同尺寸过滤器的Text-CNN模型搭配不同的检测算法)进行融合搭建出Web攻击检测模型,与融合之前单独的子模型相比在准确率、召回率、F1值上都有所提升。本文所提出的Web攻击检测模型在公开数据集和真实环境数据上都取得了更加稳定的检测性能。