DocumentCode :
1732670
Title :
An Industrial Case Study of Bypass Testing on Web Applications
Author :
Offutt, Jeff ; Wang, Qingxiang ; Ordille, Joann J.
Author_Institution :
Inf. & Software Eng., George Mason Univ., Fairfax, VA
fYear :
2008
Firstpage :
465
Lastpage :
474
Abstract :
Web applications are interactive programs that are deployed on the World Wide Web. Their execution is usually controlled very heavily by user choices and user data. This makes them vulnerable to abnormal behavior from invalid inputs as well as security attacks. Thus, Web applications invest heavily in validating user inputs according to defined constraints on the values. This work focuses on validation done on the client, which uses two types of technologies: restrictions in HTML form fields and scripts that check values. Unfortunately, users have the ability to subvert or skip client-side validation. Bypass testing has been developed to test the behavior of Web applications when client-side validation is skipped. This paper presents results from an industry case study of bypass testing applied to a project from Avaya Research Labs, NPP. The paper presents a process for designing, implementing, automating and developing bypass tests. The theory of bypass testing had to be adapted to the unique characteristics of NPP software, which represented a significant engineering challenge. The 184 tests that were generated resulted in 63 unique failures, providing significant experience and numerous lessons learned. The case study also revealed several difficult problems that need to be addressed in future research.
Keywords :
Internet; hypermedia markup languages; program testing; HTML form fields; Web applications; bypass testing; interactive programs; Application software; Automatic testing; Computer industry; Data security; HTML; Process design; Software engineering; Software testing; Web server; Web sites; Software testing; industry case study; web applications;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Software Testing, Verification, and Validation, 2008 1st International Conference on
Conference_Location :
Lillehammer
Print_ISBN :
978-0-7695-3127-4
Type :
conf
DOI :
10.1109/ICST.2008.46
Filename :
4539575