WEB BASED APPLICATIONS TESTING:
ANALYTICAL APPROACH TOWARDS MODEL
BASED TESTING AND FUZZ TESTING
ABSTRACT
Web based applications
are complex in structure which
results in facing immense amount
of exploiting attacks, so testing
should be done in proactive way in
order to identify threats in the
applications. The intruder can
explore these security loopholes
and may exploit the application
which results in economical lose,
so testing the application becomes
a supreme phase of development.
The main objective of testing is to
secure the contents of applications
either through static or automatic
approach. The software houses
usually follows fuzz based testing
in which flaws can be explored by
randomly inputting invalid data
while on the other hand the
automated approach which is
defined as model based testing in
which applications are tested from
all perspectives on the basis of
abstract model of the application.
Both techniques are showing their
prominence in exploring flaws
with pros and cons. This research
work guides the web application
practitioner in selection of suitable
methodology for different testing
scenarios which save efforts
imparted on testing and develop
better and breaches free product.
1.
INTRODUCTION
1.1 LITERATURE REVIEW
Web applications are the
vital part of today’s world of
internet where customers perform
different types of activities by
remote device with ease such as
online transactions, booking tickets extensive nature of websites, the
for flights etc. and this domain of security hazards steadily
service oriented architecture are uncovered that make web
now widely utilized by every application susceptible to
organization sector such as banks numerous attacks, resulting in
for managing daily transaction, destruction of system or losses of
transport sector for issuing tickets important data credentials (Li et
etc. Such information comes with al., 2013).
difficulty to secure as all the The web application
sensible and critical operations didn’t get much trust and
have to occur within mean satisfaction from users in context
response time of the application. of safety and this put a negative
However due to unfenced identity impact on organization, providing
(nature) and enterprising the services through that
trademark of web applications, application. The simple example of
security of applications becomes that came from banking sector
the big question mark, that how to which utilizes this platform to
deal with security issues as these manage their daily basis activities
issues may cause a serious hazards such as such customers account
on services oriented architecture details, transactions etc. All these
(SOA) based applications. Web details are stored on a centralized
based application architecture is storage called database which
strongly interlinked between server linked with server of that bank.
and clients where services are Now if intruder enter into that
provided by server to client database or even cracked the
machine to all over the world, if server, then surely he will steal
Server downs or fails to responds those sensitive credentials of
the services of web applications customers and put bank and
are not available to clients. Due to customer on the edge of forfeiture.
Such uncertainty put
stakeholder and users the edge
risk. Consequently hinder security
flaws and breaches should be a
pinnacle primacy for organizations
that provide services via web
platform especially
contemplating the results
unintended behavior
applications. The root of web
based application’s susceptibilities
is resulting of inexperienced
developers that more focused on
user attraction instead of focusing
of security structure, while at the
same time deficiency of complete
and comprehensive tests
causes the problems ( Li et al.,
2013).
Web services flaws and
security breaches are actually the
defects and loopholes that existed
in source code, design and in
implementation protocols. These
loopholes in web applications are
key targets for intruders to analyze
and then inject malicious inputs to
track the application’s weaknesses
both and possibly may access the
application in unauthorized way to
damage or steal the sensitive
credentials of organization that
provides services through that
platform. In general web
when application are excellent safe and
of composed till someone discover
of flaws and exploited the whole
application and make application
security as a question mark for
security experts.
The developers and
stakeholders are not very much
interested in testing and eliminates
this phase from development life
also
cycle of application and when
someone exploit their application
they just get through it by beta
testing to uncover security flaws or
perform testing by their own. Such
ways of testing are so much bizarre
and therefore those tools which
were originally developed to test
the applications functionality are
now utilized by hackers to exploit
the security loopholes in quick
sessions.
1.2 RESEARCH wanted to include industrial
ETHODOLOGY practices in our research. In order
to calculate the test coverage, time
The initiated research i and cost we had to use experiments
conducted by studying the instead of SLR. Those two parts
literature relevant to our subject, are explained in detail below:
which is analytical approach
towards model-based testing and 1.2.1. SURVEY
fuzz testing in terms of web
applications. During over through The objective of survey’s

the literature enough information is is to get knowledge about the

declared about model-based testing strengths weaknesses and practice

and fuzz testing of web associated to both model based

applications. This followed testing and fuzz testing at

information can be used base to industrial level. The data will help

endure or draw more related us to answer relevant research

information and conclude that it is questions such as what strengths

conceivable to test the web and weaknesses are there in using

applications with both approaches MBT in industry and what

that is model based testing and strengths and weaknesses are there

fuzz testing. in using fuzz testing in industry.

The survey contains multiple based
While, our research will choice queries and they were
divide into two sections that is designed to keep the discussion
survey and experiment, through focused to relevant subject only.
which we will answer all of our This procedure is essential because
research questions. Our motivation we needed few additional data in
for choosing these two the form of experiences and then
methodologies is because we relate those with the experimental
outcome to verify and validate
each and everything.
1.2.2 SELECTION OF
SUBJECTS
In order to make the research
study authentic and reliable, it is
very vital to select the right
subjects for the surveys. The
selected organizations are currently
working with software testing (or
proceeding their operations via
software’s) especially in context of
model based testing and Fuzz
testing. The assortment process
was established on two major
criteria that is, work experiences in
IT field and their knowledge on
either MBT or Fuzz testing
techniques. The survey session
with such professionals provided
us broader understanding about the
strengths and weaknesses that are
faced by the companies during the
execution and implementation of
model based testing and fuzz
testing approaches.
1.2.3 SURVEY STRUCTURE
The reason for doing survey was
that; through survey research, we
got to know the opinions of the
industrial professionals in software
testing field. The responses from
them were analyzed, and key
points were separated from these
survey questions. To validate our
findings at this stage, we setup a
statistical tool minitab and SPSS to
analyze these findings the survey
method was based on seven points
as presented:
2. RESEARCH
QUESTIONS
Research Question#1: What
strengths and weaknesses is there
in model based testing technique
while testing web applications?
Research Question#2: What
strengths and weaknesses is there
Fuzz testing while testing web
applications?
Research Question#3: Which
testing approach (that is model
based testing or fuzz testing) is
superior in context of web testing. Following are the results of
application for providing better Fuzz testing and model based
and quality test cases? testing perceived from surveys
data analysis. The elements were
3. RESULT ANALYSIS & positioned between two extremes
DISCUSSION of the scales:

The survey was mandatory

part of research and data is
collected by conducting survey
which generates data that used for
further analyzed by the help of 3.2 Test Coverage
statistical tools. The analysis of the
The test coverage can be seen
data was done by descriptive
as strength of Fuzz testing and
statistics i.e. graphs were made in
model based testing. The coverage
order to statistically analyze the
usually based on the tester’s
experiment results. After that,
experience that creates the test.
hypothesis testing is also done in
They also mentioned that in
order to check that whether H0-
companies the test cases are
qual can be rejected and
usually written by the experienced
conclusion can be drawn from it.
testers, if not, the test cases are
There are following questions in
approved by experienced testers.
this survey.
Also, in model based testing, the
test coverage is always higher than
3.1. Ratings for Fuzz
Testing and MBT Fuzz testing because the test cases
are generated by considering the
In this section, we have used test coverage
Scale to show the average rating of
Fuzz testing and model based
 The above scale
generated on the basis of average
score of Fuzz testing and MBT
while considering the
coverage. It shows that Fuzz
testing has fairly high
coverage that is branch, path and
statement coverage, but model
based testing has more coverage
because of its zero - tolerance
towards the test coverage.
3.3 Requirement
Traceability
Requirement traceability is
one of strengths of model based
testing. According to the survey
data, the there are several ways to
make the requirements traceable
through the test cases. However in
MBT, the traceability is done in a
different way. According to the
respondents the requirement
traceability is a challenge in MBT
and companies usually find it
difficult to track the results back to
the system requirements in the
MBT approach. Recently, some
was major studies have been done in
order to find out a better way to
make requirements traceable in
test MBT process. According to the
survey data analysis, following
test chart shows the requirement
traceability in Fuzz testing and
MBT.
3.4 Quality of Test cases
According to the
respondents, the understandability
of the test cases depends on the
experience of the tester who is
writing the test cases. It is one of
the challenges of Fuzz testing
because every tester writes the test
cases according to his own
knowledge of the system and
business. It was also identified
that, the more detail test cases have
more understandability. In MBT,
the automated test cases are not
fully understandable by human
beings. For example, Conformiq
Qtronic and Microsoft’s Spec
Explorer adds reasonable details
on the test cases. So that, a human
engineer can understand what will
be the details and what to be
tested. The following scale shows
the rating of MBT and Fuzz testing
between two extremes of
understandability construct. The
scale was rated on the basis of
analysis of survey data.

4. EXPERIMENT

The goal of this phase is to

dynamically validate the findings
of survey results. This part is
documented just to ensure that,
important factors are properly
documented and defined before
going to the actual execution.

4. 1 Test Coverage

In test coverage; branch,

statement and path coverage was
calculated for each team for both
approaches model based testing
and Fuzz testing. Following table
contains the results for test
coverage.
 Table 1: TEST results of the test cases generated
COVERAGE IN MBT from both approaches (MBT and
AND FUZZ TESTING Fuzz testing). The test cases

MBT Model Test written by Fuzz

Fuzz Fuzz
Grou Based Coverage Based testing Team – 1,
p Testing
Testing Group showed that
3 Coverage 4 there are two
Group of Paths Group
1 2 Coverage 2 test cases
of
1
required to test
Statement
s all conditions
3 Coverage 2 which are sorted
of
Branches out during the
4 Coverage 3 analysis and
Group of Paths Group
2 2 Coverage 1 design phase, it
of
2
is also
Statement
s mentioned that
3 Coverage 3 only two test
of
Branches cases are
3 Coverage 4 required to
Group of Paths Group
3 2 Coverage cover all the
1 3
of statements
Statement (statement
s
coverage) and
3 Coverage 3 total of four test
of
cases were
Branches
actually required
to test all possible paths (path
The above table shows
coverage). Similarly, from Fuzz
the comparison of test coverage
Team – 2 test data, the branch,
path and statement coverage was 3, AJAX and PHP which combine
3 and 1 respectively. From test together to execute users
data gathered from Fuzz Team – 3, operations. So, by keeping such
branch, path and statement concepts in mind, we must agree
coverage was 3, 4 and 1 upon the fact that web applications
respectively. The test data from the should have a complex and tight
three MBT teams resulted in security mechanism for securing
branch, path and statement users secrete credentials. But
coverage of (3, 3, 2), (3, 4, 2) and unfortunately the fact is against
(3, 3, 2) respectively. this concept, as security of
websites are not still up to that
5. CONCLUSION mark where users feels that its
credentials are saved on a secure
The world of today’s is totally
place. The reasons behind these
shifted on internet, where tasks and
issues is that we still don’t give
operations are performed within
value to testing and consider it as a
couple of minutes via remote
last segment of development life
access such as internet banking,
cycle and follow the traditional
seat reservation, or even online
and manual ways to test the
trading and shopping can be done
application by neglecting the fact
via internet. The platform which is
that how precious would be to test
used for such activities are actually
the applications at that time before
web based application which
they launched online for
provide services to end users via
performing operations. The
remote devices by entering their
researchers and experts try to
secret credentials to login. The
overcome these security issues by
web application are actually a
introducing advance techniques
mixture of multiple programming
which executes automatically in
languages such as JavaScript,
order to test the application with in
little time and cost.
Model based testing is
best consider to be an craftsman art
where we have to focus on three
import aspects such
understanding the
application , ability to establish
accurate and precise models from
raw information and ability to use
the tools. Model based testing is
best defined by Margaret Rouse
as technique that demands
developer to take part at initial
stage to construct lightweight
visual implementation
application called models. These
models comprises business logics
in few lines of code which are
follow up by another driver that
direct these models
information to target application
called system under test and then
compare the outcome
predicted outcome, if results varies
then failures needs to be examined
further. This technique is good for
discovering potential conflicts that
causes the application to crash as
this technique is automated that
submits tests as input and executed
it for specific period of time
Where, Synopsys report
as defined the fuzz testing as a
target valuable technology that used to
uncover flaws and vulnerabilities
in application by bombarding
series of malformed inputs to a
target application and then observe
the spotted areas of the application
for results. If the target application
performs unexpected actions then
examination of that failure is
of required, that examination uncover
the root causes of that failure that
may exploited for illegal purposes.
Fuzzing plays a role of verification
agent during implementation and
like deployment phases where
undetected flaws may distress the
integrity of the application.
with
We approached towards
these techniques in analytical
prospects in order to discover their
strengths and weakness during web
applications testing. After analysis
we thought model based testing is
good in context of generating
quality of test cases, requirement
traceability then fuzz testing, but
cost and effort required during
fuzz testing is lesser then model
based testing, as model based
testing requires a lot of time at
initial level in order to analyze the
raw information and to create
application models while in fuzz
we just need to develop data sets
for application and then bombard
them towards application.
However it is true that model
based testing is better in
discovering vulnerabilities as
compare to fuzz technique.
But we have to admired
that, model based testing can cover
large variety of scenarios with
moderately little effort and random
execution of models can expose
those issues which are not easy to
discover upfront such as design
and specification issues. Where,
the fuzz technique is good at
discovering coding issues more
accurately then other. But model
based testing have some
limitations too such as, if we need
to test the application of large size
then we need large set of random
test cases of model based testing
which requires a great deal of time
and infrastructure. So we proposed
a conceptual framework on the
basis of their strengths which need
further development and then
require implementation in order to
verify its outcome.
6. REFERENCES
 Amany, A. and A.
Melton. 2016. Web Service
Description Quality Function
Deployment. IEEE World
Congress on Services Computing.
978-5090.
  Alshehri, S. and L.  Fahad.M, S. Qadri, S. S.
Benedicenti. 2013. Ranking Muhammad, and M. Husnain,
Approach for the User Story "Software Quality Assurance of
Prioritization Method. Medium Scale Projects by using
Journal of Communication and DXPRUM Methodology,"
Computer.10:1465-1474. International Journal of Natural
 Bahrami, A. and Engineering Sciences
1994.Routine Design with (IJNES’14).(Turkey), vol. 8, pp.
Information-Content and Fuzzy 42-48, 2014.
Quality Function  Fuggetta, A. and E. Di
Deployment.Journal of Intelligent Nitto 2014. Software process," in
Manufacturing.203–210. Proceedings of the on Future of
 Bergquist,K.andJ.Abeyse  Software
kera,1996. Quality Function Engineering, 1-12.
Deployment (QFD)-A Means for  Ginter,R.E,J.D.Herbsleb and
Developing Usable Products D.E Perry, 1999”The geography
.International Journal of of coordination: dealing with
Industrial Ergonomics.269–275. distance in R&D works” pp.306-
 Brad, S. and E. Brade. 2015. 315.
Enhancing SWOT Analysis with  Gupta.AS, "Quality
TRIZ- based Tools to Integrate Assurance and Its Standards:
Systematic Innovation in Early Importance in Various SDLC
Task Design. Procedia Models," 2014
Engineering.131:616-625.  Hneif.M and S. II. Ovv,
 Chang, F. and S. Guan. "Review of agile methodologies in
2011. Establishment of a Quality software Development,"
Scale (QFD) for Creative Product International Journal of Research
Design Service. Journal of and Reviews in Applied Sciences,
Intelligent Manufacturing.4244- vol. I, pp. pi-8, 2009.
6581.
 Deshpande,S. ,
I.Richardsom,V.Casey and
S.Beecham 2010. "Culture in
global software development-a
weakness or strength?," in Global
Software Engineering 67-76.
 Development: A multiple case
study," in Global Software
Engineering, 2009. ICGSE 2009.
Fourth IEEE International
Conference on, 2009, pp. 195-204.