The Application of Software Testing Technology on Security in Web Application System

Hui Zhai1,a, Hui Shi1, Rui Zhai2,b

1Department of Information Engineering, Henan Polytechnic, Zhengzhou, Henan, China 450046

2South No.1 community, Yungang streets, Fengtai,Beijing, China 100074

e-mail: [email protected], [email protected]

Keywords: management information system; software test; browser/server mode; security

Abstract. Taking a hotel management information system developed with ASP.NET technology in browser/server mode as the example, the security of the system was checked with software testing techniques, the security flaws in the system were found, and an improved algorithm is given.

Introduction

In the classic book The Art of Software Testing, G. J. Myers defines testing as follows: "program testing is a process of finding errors during execution." [1]

In this paper, the security of a hotel management information system developed with ASP.NET technology was checked through software testing techniques; the security flaws that were found are described, and an improved algorithm is given. ASP (Active Server Pages) is a server-side technology for creating dynamic web pages, and ASP.NET is its successor on the .NET platform. [2] The user's working interface is reached through the IE browser in B/S (Browser/Server) mode. [3] This mode makes the system flexible, but its security needs to be strengthened: errors are inevitably introduced during development, and a browser-facing login page exposes them to every client that can reach the server. Software testing techniques can find these errors; analysing their causes then leads to the corrections.

Brief Introduction of the Login Process of the Hotel Management Information System

The login process of the system is shown in Fig.1. When designing the system, we created the user (HotelUser) table in the database.

When a user tries to log in without entering the user name or the password, a red asterisk appears beside the corresponding input box, together with a message telling the user which field is missing. When both fields are non-empty, the system looks the user up in the table to decide whether this is a legitimate user; when the user name and password do not match, an error message is shown. If the user name and password agree with the user table, the user may enter and operate the system. This is the identity verification (authentication) step: the system under test cannot be used until it has been passed. Beyond that, even a legitimate user should be limited in what he may access (authorization): being logged in is not the same as being allowed to change data.

Fig.1. System Login Process

Applied Mechanics and Materials Vols. 556-562 (2014), pp. 6159-6161 (Mechatronics Engineering, Computing and Information Technology). Online since 2014/May/23 at www.scientific.net. doi:10.4028/www.scientific.net/AMM.556-562.6159. © 2014 Trans Tech Publications, Switzerland. All rights reserved.


The Design of the Test Cases

A test case is the use case model applied in the testing process; a good test case lets a tester carry out the test from the case alone, even when the tester did not take part in requirements analysis. [4] Because of the limited space of this paper, only the test cases for the login module are presented.

Table 1 Test Cases

Project name:            Hotel Management Information System
Program version:         V1.0
Test environment:
  Hardware environment:  all kinds of terminal
  Software environment:  Windows XP, IE browser
  Network environment:   server, browser
Editor:                  the designer of the test
Date:                    2009.09
Function module:         login system module
Functions and features:
  1. When the user name or password is submitted with an input box left empty, a red asterisk is displayed beside that box together with a message prompting the user to enter it.
  2. After login, ordinary users may use only part of the resources in the system.
Testing purpose:         to verify by testing that the function features above are achieved.
Preset conditions:       a user exists in the back-end database whose password is r001. The user is an ordinary user: after login he may browse information only and may not change any information.
Reference information:   the description of "Login" in the requirements manual.

Use case DL01
  Test steps:       1. Leave the user name text box empty. 2. Enter r001 in the password text box. 3. Click the "Login" button.
  Input data:       Password: r001
  Expected result:  a red asterisk in the user name text box and the warning "the user name can not be empty."
  Test result:      no message at all.

Use case DL02
  Test steps:       1. Enter "user" in the user name text box. 2. Leave the password text box empty. 3. Click the "Login" button.
  Input data:       User name: user
  Expected result:  a red asterisk in the password text box and the warning "the password can not be empty."
  Test result:      no message at all.

Use case DL03
  Test steps:       1. Enter "user" in the user name text box. 2. Enter "r001" in the password text box. 3. Click the "Login" button.
  Input data:       User name: user; Password: r001
  Expected result:  the user can browse information after entering the system.
  Test result:      the user can also change information after entering the system.

After executing the above test cases, we could draw up the following defect reports:

Table 2 Defect report: no message when the user name is empty

Defect number:          01
Use case number:        DL01
Project name:           Hotel Management Information System
Module name:            system login
Title (summary):        no message when the user name is empty
Product version:        V1.0
Severity level:         1
Priority:               1
Bug reason code:        (blank)
Steps to reproduce:     1. Open the login screen. 2. Enter nothing in the user name text box. 3. Click the "Login" button.
Defect description:     no error message is shown; this is incorrect.
Expected result:        a red asterisk appears after the user name text box and the user is prompted.

The following section is filled in by the person who fixes the bug.
Description of the fix:
  Analysis of the cause:  the procedure lacks non-empty validation code.
  Solution:               add a control that makes the system perform non-empty validation.
Tester / Amender / Confirmer / Date of amendment: (blank)

Other defect reports are not given here because of limited space.



Improved Algorithm of System Security

To restrict the privileges of legitimate users (the failure seen in test case DL03), a permission field was added to the user (HotelUser) table to specify the permissions in the system for users of different identities; every page that changes data must check this field, not merely that the user is logged in. The empty user name or password (DL01, DL02) is handled well by the RequiredFieldValidator control, which prompts the user with a red asterisk when a field is left blank. The control validates on both the client and the server, but the server-side result only takes effect if btnLogin_Click checks the page's IsValid property before looking the user up; otherwise a client that skips the validation script can still post an empty field. For the security of the password, a cryptographic operation was considered: a CrptogramManger class was written and placed in the business logic layer so that the password is not handled in clear text. The flowchart of its EncryptPassword method is in Fig.2. After the input is completed and the "Login" button is clicked, the btnLogin_Click method runs; its flowchart is shown in Fig.3.

Fig.2. The flowchart of EncryptPassword method    Fig.3. The flowchart of btnLogin_Click method
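The corrected login handler, with the test cases DL01-DL03 of Table 1 executed against it, as an added example. This is illustrative Python written for this page, not the paper's ASP.NET code: the stand-in HotelUser rows, the admin account, the permission values "read"/"write" and the use of salted PBKDF2 for the EncryptPassword step are assumptions, chosen to show the three fixes (server-side non-empty check, permission field checked before any change, no clear-text password comparison) in one place.

```python
"""Login handler with the three corrections discussed above (required-field
check, per-user permission field, hashed password), with the test cases
DL01-DL03 from Table 1 run against it.  Illustrative Python, not the paper's
ASP.NET code; user names, the admin account and the permission values are
assumptions."""
import hashlib
import hmac
import os
from typing import Dict


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for the paper's EncryptPassword step: the table
    # never holds the clear-text password, and equal passwords hash differently.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(username: str, password: str, permission: str) -> Dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "pwd_hash": _hash_password(password, salt), "permission": permission}


# Constructed stand-in for the HotelUser table.  "user"/"r001" is the ordinary
# user from the preset conditions in Table 1; the admin row is an assumption.
HOTEL_USERS = {
    "user": make_user("user", "r001", "read"),
    "admin": make_user("admin", "constructed-admin-password", "write"),
}

MSG_USERNAME_EMPTY = "the user name can not be empty."
MSG_PASSWORD_EMPTY = "the password can not be empty."
MSG_BAD_CREDENTIALS = "user name or password is incorrect."


def login(username: str, password: str) -> Dict:
    """Server-side equivalent of btnLogin_Click (Fig.3).

    Returns {"ok": bool, "errors": {field: message}, "permission": str|None}.
    The empty-field check runs on the server regardless of what the browser
    did, so a client that skips the RequiredFieldValidator script gains nothing."""
    errors = {}
    if not username:
        errors["username"] = MSG_USERNAME_EMPTY
    if not password:
        errors["password"] = MSG_PASSWORD_EMPTY
    if errors:
        return {"ok": False, "errors": errors, "permission": None}

    row = HOTEL_USERS.get(username)
    if row is None:
        # Same message as for a wrong password, so the response does not
        # reveal which user names exist.
        return {"ok": False, "errors": {"login": MSG_BAD_CREDENTIALS}, "permission": None}
    candidate = _hash_password(password, row["salt"])
    if not hmac.compare_digest(candidate, row["pwd_hash"]):
        return {"ok": False, "errors": {"login": MSG_BAD_CREDENTIALS}, "permission": None}
    return {"ok": True, "errors": {}, "permission": row["permission"]}


def can_modify(session: Dict) -> bool:
    """Authorization check that every page which changes data must make.
    Being logged in (session["ok"]) only grants browsing; changing data needs
    the "write" permission from the HotelUser permission field."""
    return bool(session["ok"]) and session["permission"] == "write"


def run_test_cases() -> Dict[str, bool]:
    """Execute DL01-DL03 and report pass/fail per case."""
    results = {}
    r = login("", "r001")                      # DL01: empty user name
    results["DL01"] = (not r["ok"]) and r["errors"].get("username") == MSG_USERNAME_EMPTY
    r = login("user", "")                      # DL02: empty password
    results["DL02"] = (not r["ok"]) and r["errors"].get("password") == MSG_PASSWORD_EMPTY
    r = login("user", "r001")                  # DL03: ordinary user may browse, not change
    results["DL03"] = r["ok"] and not can_modify(r)
    return results


if __name__ == "__main__":
    print(run_test_cases())  # {'DL01': True, 'DL02': True, 'DL03': True}
```

Against the uncorrected system of Table 1, DL01 and DL02 would fail (no message) and DL03 would fail (the ordinary user can change data); the point of `can_modify` is that the permission field is consulted by the page performing the change, so the DL03 outcome no longer depends on which pages happen to be linked from the menu.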

After the testing with software testing technology, the security-related code of the system was optimized as follows. In web.config, the login page path, the default page path and the authentication mode (Forms) were configured. In this mode a cookie maintains state between pages, which is a convenient solution. [5] Once the business logic has verified the user's identity, the identity is written into the cookie and processed with SHA1. Note that SHA1 is a one-way hash, not encryption: it does not hide the identity, and without a server-side secret it does not stop a client from computing a valid cookie for another user name, so the cookie must be tied to the server with a keyed mechanism. At the same time there must be logout functionality, which ends the session on the server rather than only clearing the browser's copy of the cookie, to further ensure the security of the system.
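The cookie scheme described above, shown beside a keyed alternative and a server-side logout, as an added example. This is illustrative Python written for this page, not the paper's ASP.NET Forms authentication code; the key value, the cookie layout (identity, session id, tag separated by colons) and the in-memory session store are assumptions. The `forge_attempt` function shows what a client who knows only the cookie format can achieve under each scheme.

```python
"""Session cookie integrity after Forms authentication: the scheme described
above (user identity plus a SHA1 digest of it) beside an HMAC-signed cookie
with a server-side key, and a logout that ends the session on the server.
Illustrative Python, not the paper's ASP.NET code; the key value, the cookie
layout and the session store are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: in a real deployment this key is loaded from protected server
# configuration; it is constructed here so the example runs offline.
SERVER_KEY = b"constructed-demo-key-not-for-production"
_ACTIVE_SESSIONS = set()   # server-side record of issued session ids


def weak_cookie(username: str) -> str:
    """Identity followed by sha1(identity), as in the optimisation described above.
    SHA1 is an unkeyed hash: anyone who knows the format can compute it."""
    return username + ":" + hashlib.sha1(username.encode("utf-8")).hexdigest()


def weak_verify(cookie: str) -> Optional[str]:
    username, _, digest = cookie.rpartition(":")
    if hmac.compare_digest(hashlib.sha1(username.encode("utf-8")).hexdigest(), digest):
        return username
    return None


def signed_cookie(username: str) -> str:
    """identity:session_id:HMAC-SHA256(key, identity:session_id).
    Without SERVER_KEY a client cannot produce a valid tag for another name."""
    sid = secrets.token_hex(16)
    payload = username + ":" + sid
    tag = hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    _ACTIVE_SESSIONS.add(sid)
    return payload + ":" + tag


def signed_verify(cookie: str) -> Optional[str]:
    parts = cookie.split(":")   # assumption: user names contain no ':'
    if len(parts) != 3:
        return None
    username, sid, tag = parts
    expected = hmac.new(SERVER_KEY, (username + ":" + sid).encode("utf-8"),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None          # tampered with or forged
    if sid not in _ACTIVE_SESSIONS:
        return None          # logged out, or never issued by this server
    return username


def logout(cookie: str) -> None:
    """Logout must invalidate the session on the server; clearing only the
    browser's copy leaves a captured cookie usable."""
    parts = cookie.split(":")
    if len(parts) == 3:
        _ACTIVE_SESSIONS.discard(parts[1])


def forge_attempt(target_user: str) -> Tuple[Optional[str], Optional[str]]:
    """What a client who knows only the cookie format achieves for target_user
    under each scheme: (weak scheme result, signed scheme result)."""
    forged_weak = weak_cookie(target_user)                          # computable by anyone
    forged_signed = target_user + ":" + "0" * 32 + ":" + "0" * 64   # no key, so a guessed tag
    return weak_verify(forged_weak), signed_verify(forged_signed)


if __name__ == "__main__":
    print(forge_attempt("admin"))   # ('admin', None)
    c = signed_cookie("user")
    print(signed_verify(c))         # 'user'
    logout(c)
    print(signed_verify(c))         # None
```

ASP.NET Forms authentication tickets are already protected by the framework's machine key; the example shows why that keyed protection matters, and why the identity itself does not become secret or unforgeable merely by being hashed.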

Conclusion

This article focused on finding the security flaws of a Web application system with software testing technology; the key algorithms were then improved according to the defects found in the system's security, making up for these deficiencies, and good results were achieved.

References

[1] G. J. Myers. The Art of Software Testing [M]. 2nd ed. Translated by Wang Feng. Beijing: Mechanical Industry Press, 2006: 5-10.
[2] Chen Ying Xue. ASP.NET In-depth Programming [M]. Beijing: Hope Electronic Press, 2001.
[3] http://baike.baidu.com/view/292859.htm?fr=ala0_1
[4] Wang Yang. Study and Analysis of the Software Testing Process [Master's thesis]. Beijing: Technology University of Beijing, 2005.
[5] Narcisio Tumushabe, Tan Guan-zheng. An overview of authentication security features in ASP.NET [J]. Journal of Shenyang University of Technology, 2003, 25(3): 250-254.
