Dual Security Testing Model for Web Applications

In recent years, web applications have evolved from small websites into large multi-tiered applications. The quality of a web application depends on the richness of its content, well-structured navigation and, most importantly, its security. Web application testing is a comparatively new field of research that aims to ensure the consistency and quality of web applications. Over the last ten years different approaches and models have been developed for testing web applications, but only a few focus on content testing, a few on navigation testing and very few on security testing. There is a need to test the content, navigation and security of an application in one go. The objective of this paper is to propose a Dual Security Testing Model to test the security of web applications using the UML modeling technique, including a web socket interface. We describe how the security testing model is implemented using an activity diagram and an activity graph, and how test cases are generated from them.

Keywords: Web application testing; Security testing; UML modeling; Web socket programming


INTRODUCTION
Web based applications are now used by everyone. There is no need to install such an application on each client system; it is installed once on the web server, the internet information service on which the web application runs. With growing concern about the quality of web applications, web application testing is again an area of research worth exploring, and an effective modeling technique is required to understand the particular challenges of testing web applications [1]. In everyday web applications the security feature is implemented by verifying the e-mail ID, cell phone number, landline number and other government approved identification, together with social identities such as an e-mail or Facebook account. After the formality of registration, along with the collection of general information about the customer or user, a registration ID and password are provided which give access to the whole activity of the website except the web server admin authority. At this stage it is not possible to tell whether the site is being accessed by the genuine user whose records were recorded; authenticating the use of the ID and password is therefore the critical task. Losing control over user rights in this situation is sometimes seriously harmful to the company. To overcome this, a self managing web application is needed which handles the control itself, as per the need of the user, for security purposes. The proposed model gives a way to generate test cases and helps in web application testing. In this study the Unified Modeling Language (UML) approach has been used. UML based approaches to modeling web applications were used earlier by different researchers for testing content and navigation. This research extends model based testing to the security of web applications along with content and navigation. The Specific Testing Process Model (STPM) gives a composite view of the content, navigation and security models used to test web applications. In this paper the researcher elaborates the Specific Testing Process Model and implements the Dual Security Testing Model, which is one aspect of STPM.

III. LITERATURE REVIEW
The motivation of the present research is to work on three different perspectives of a web application using a composite model called the Specific Testing Process Model (STPM). This study proposes a secondary stage of testing the navigation and security of a web application using UML modeling techniques. Various models have already been proposed for testing web applications; according to the unique characteristics and challenges of web applications, these models have different origins and test goals. Methods using a partial rewriting based specification language for both syntactic and semantic checking were developed [2] [3] for static applications. Researchers have focused on the content of web sites by correcting and reforming syntax and semantics [4] [5]. In this study UML diagrams have been used for content testing of the web application, and test cases are generated from these diagrams; test cases can be generated efficiently for content testing using UML modeling. For testing the navigation of applications there are UML based models [6] [7] [8], graph based models [9] [10] and state chart based models [11] [12]. A novel approach to generating test cases from UML activity diagrams has also been proposed [13]. In this approach navigation testing covers the contextual and non-contextual hyperlinks of the web application. Security aspects of a web application should be analyzed and modeled during the entire development cycle so that security requirements are identified early in the development process. There are various security constraints, such as access control, availability, authentication, integrity and secrecy, which should be taken care of. Numerous researchers have explored the use of UML for modeling the security aspects of web applications, and different security models [1] [14] [15] [16] used the UML approach to capture security requirements. The web socket protocol can be used to develop web applications [17]; web socket based applications run in HTML5 based web browsers. Real time applications and live content can be built using the web socket protocol, which gives more interaction between the browser and the application [18]. This study covers the access control aspect of web application security. It also provides the user with an interface, built with web socket programming, for receiving suggestions regarding a product purchase while using an online shopping web application.

IV. TESTING MODEL
Different modeling methods are available to test web applications at different levels, i.e., content, navigation and security, but, as discussed in the literature above, no model has yet been developed which tests all three levels in an integrated way. Fig. 1 shows the Specific Testing Process Model for testing web applications. The researcher has used three sub-models, which are as follows:

A. Content Testing Model
The information displayed on a web application and its presentation play a vital role, as the first impression is the last impression. If a user finds inaccurate information or an unstructured layout, the application's quality and its user base will suffer. The researcher extends the content model of [7]; this model tests the completeness and correctness of the web application's information as displayed in the form of web pages, i.e., its layout. The content testing model is important because it describes where the objects (text, button, audio, image, form, video, frameset, frame) are placed.

B. Navigation testing model
Navigation gives a user the freedom to move from one page to another within an application, clicking on links, images and so on. In other words, navigation in the context of a web application is the sequence of web pages that a user browses to reach a desired page or function. In this research the navigation testing model is a sub-model of the Specific Testing Process Model which allows a tester to check whether a user is able to reach information and navigate in accordance with the content testing model. The basic elements to test in the navigation testing model are the contextual and non-contextual hyperlinks described in [19], as shown in Fig. 3.
Contextual Hyperlinks: A link between objects is called contextual when it carries information from its source to its destination object. Contextual links are links provided within the web application whose source and destination both lie within the application.
Non-Contextual Hyperlinks: A non-contextual link does not carry information within the application; the content of the target page does not depend on the content of its source page.

C. Security Testing Model
Model-driven security is an approach proposed by [16] that is used to simplify system design and to generate artifacts. Security testing aims at verifying the effectiveness of the web application's overall defenses against access by unauthorized users, its capability to prevent system resources from improper use, and its granting of access to authorized services and resources only to authorized users. There has been little work on UML based security models. The focus of the security testing model is Role Based Access Control (RBAC) [20], an approach that restricts system access to authorized users only, as shown in Fig. 4, together with One Time Password (OTP) [21] and Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) [22].
The researcher has elaborated the dual security testing model, which is one aspect of STPM. It provides feedback from the users of the online web application, as shown in Fig. 5. Using the feedback facility the current user can collect the views of previous users about the product they want to purchase. Because the feedback providers are already registered users of the application, the user can assess the validity of the product, and the organization can develop business intelligence. This process is made accountable by the dual verification: a registered user goes through dual verification so that the organization is sure about the validity of the user and can release feedback details to that registered user. As soon as he or she logs in, a One Time Password (OTP) is sent by SMS to the registered mobile number or to the registered mail account. The user then fills in an interface with the registration id, the OTP and the CAPTCHA, which are verified against the database; otherwise the user is asked to register first. For the OTP to act as a genuine second factor it must be single use and time limited, and the server must compare it against the challenge it issued for that login rather than any earlier one. After verification, a user found to be registered can read the feedback on the product and can also avail of the Customer Care Service (CCS). In CCS the browser control is handed to the admin so that, through an interface, the admin can help the user buy the product by providing suggestions such as a product comparison.
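The paper does not give code for the verification step, so the following is an added example, not the authors' implementation, of the server side of the dual verification described above: a registered user logs in, an OTP is generated to be sent out of band, and the registration id, OTP and CAPTCHA answer are later checked together. The registered-user table, the five-minute OTP lifetime, the three-attempt limit and the case-insensitive CAPTCHA comparison are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300    # assumption: an OTP is valid for five minutes
MAX_OTP_ATTEMPTS = 3     # assumption: a challenge is discarded after three wrong submissions

# Constructed stand-in for the registered-user records the paper verifies against.
REGISTERED_USERS = {
    "user123": {"mobile": "+10000000000", "email": "user123@example.com"},
}


def _digest(value: str) -> str:
    """Store only digests so a dumped challenge table reveals neither OTP nor CAPTCHA answer."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _normalise(answer: str) -> str:
    """CAPTCHA answers are compared case- and whitespace-insensitively (assumption)."""
    return answer.strip().lower()


class DualVerifier:
    """Server-side state for the dual verification step (registration id + OTP + CAPTCHA)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._challenges = {}        # registration id -> pending challenge

    def start_login(self, reg_id: str, captcha_answer: str):
        """Called when a user logs in. Returns the OTP the application must send out of band
        (SMS or mail); the caller never echoes it to the browser. Returns None for an
        unknown registration id, in which case the page asks the user to register first."""
        if reg_id not in REGISTERED_USERS:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"      # six-digit code from a CSPRNG
        self._challenges[reg_id] = {
            "otp": _digest(otp),
            "captcha": _digest(_normalise(captcha_answer)),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp

    def verify(self, reg_id: str, otp: str, captcha_answer: str) -> bool:
        """Check what the user typed into the verification interface. A challenge is single use,
        time limited, and withdrawn after MAX_OTP_ATTEMPTS failures."""
        challenge = self._challenges.get(reg_id)
        if challenge is None:
            return False
        if self._clock() > challenge["expires"]:
            del self._challenges[reg_id]
            return False
        challenge["attempts"] += 1
        # Both digests are computed and compared in constant time before the decision,
        # so a wrong CAPTCHA and a wrong OTP are indistinguishable to the submitter.
        otp_ok = hmac.compare_digest(challenge["otp"], _digest(otp))
        captcha_ok = hmac.compare_digest(challenge["captcha"], _digest(_normalise(captcha_answer)))
        if otp_ok and captcha_ok:
            del self._challenges[reg_id]          # single use: the same OTP cannot be replayed
            return True
        if challenge["attempts"] >= MAX_OTP_ATTEMPTS:
            del self._challenges[reg_id]          # force a fresh OTP after repeated failures
        return False
```

`start_login` returns the OTP only so that the SMS or mail sender can deliver it; in a real deployment the value must not appear in any HTTP response. Because `verify` consumes the challenge on success and after the attempt limit, a test case for the activity "Verify registration id, OTP and CAPTCHA" can check the replay and retry branches as well as the happy path.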
In the dual security testing model the user's browser is controlled by the admin of the web application, using web socket programming, when the user asks for Customer Care Service (CCS). If, at the time of purchasing a product, the user needs suggestions on the product's price range or a comparison with similar products, he or she clicks on CCS; the browser is then controlled remotely by the admin over a web socket interface, and the admin also sees the user's browser activity. Because this channel lets another party act inside the user's browser, the admin's web socket connection must itself be authenticated and authorized, and control should only be possible for the session in which the user explicitly requested CCS.
As the user selects a product, a suggestion message about its price range along with other similar products on the same online shopping application is displayed. With this model the customer can compare product prices on the visited online shopping site itself and need not move to another web site to compare a range of products. The dual security testing model also helps in learning the purchase pattern for a product line, including the product ranges customers select most, which is useful data collection for companies.
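The paper describes the CCS web socket channel but not how the admin's control of the user's browser is gated. The following added example (not the authors' code) shows a transport-agnostic broker that would sit between the two web socket connections: the user's click on CCS mints a session token, one authenticated admin claims it, and only whitelisted, on-site UI actions from that admin are forwarded to that user's browser while the user's activity is echoed back to the admin. The action whitelist, the 15-minute session lifetime and the JSON frame layout are assumptions for the example; the real web socket framing is left out so the logic runs offline.

```python
import json
import secrets
import time

CCS_SESSION_TTL = 900   # assumption: a help session closes itself after 15 minutes
# Assumption: the admin may only trigger these UI actions in the user's browser.
ALLOWED_ACTIONS = {"highlight", "navigate", "show_comparison"}


class CcsBroker:
    """Sits between the admin's web socket and the user's web socket.

    A control frame from an admin is forwarded to a user's browser only if that user
    asked for CCS, the session is still open and unexpired, and the frame comes from
    the one admin who claimed that session. Methods take and return plain values so
    the authorization logic can be exercised without a network.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user": reg_id, "admin": admin_id or None, "expires": ts}
        self.to_user = []     # constructed stand-in for frames pushed to the user's browser
        self.to_admin = []    # constructed stand-in for activity echoed to the admin console

    def user_requests_ccs(self, reg_id: str) -> str:
        """The user clicked Customer Care Service: mint a token that scopes the admin's control."""
        token = secrets.token_urlsafe(16)
        self._sessions[token] = {"user": reg_id, "admin": None,
                                 "expires": self._clock() + CCS_SESSION_TTL}
        return token

    def admin_claims(self, token: str, admin_id: str) -> bool:
        """An authenticated admin takes the session; a second admin cannot take it over."""
        s = self._open_session(token)
        if s is None or s["admin"] is not None:
            return False
        s["admin"] = admin_id
        return True

    def user_ends_ccs(self, token: str) -> None:
        """The user can withdraw control at any time."""
        self._sessions.pop(token, None)

    def _open_session(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() > s["expires"]:
            del self._sessions[token]
            return None
        return s

    def on_admin_frame(self, admin_id: str, raw: str) -> bool:
        """Validate and forward one JSON control frame from the admin. Returns True if forwarded."""
        try:
            frame = json.loads(raw)
            token, action = frame["token"], frame["action"]
            args = frame.get("args", {})
        except (ValueError, KeyError, TypeError):
            return False
        if not isinstance(args, dict):
            return False
        s = self._open_session(token)
        if s is None or s["admin"] != admin_id:
            return False
        if action not in ALLOWED_ACTIONS:
            return False            # no arbitrary script or DOM access from the admin side
        if action == "navigate" and not str(args.get("url", "")).startswith("/"):
            return False            # the admin may only move the user within the shop itself
        self.to_user.append((s["user"], action, args))
        return True

    def on_user_frame(self, token: str, activity: dict) -> bool:
        """Echo the user's browser activity (e.g. product selected) to the claimed admin only."""
        s = self._open_session(token)
        if s is None or s["admin"] is None:
            return False
        self.to_admin.append((s["admin"], activity))
        return True
```

The token returned by `user_requests_ccs` is what the admin console must present when it connects; `admin_id` stands for the identity established by the admin's own login, which the broker trusts only after that login. Dropping unknown actions and off-site navigation keeps the control surface to the product-comparison suggestions the model is meant to deliver.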

C. Generating Test Cases
Test cases are generated from the activity graph. Test case generation is basically an approach to satisfying a chosen coverage criterion over all the activities; the present approach of generating test cases from an activity graph follows the test coverage criteria given with Fig. 7 (basic path, simple path and activity path coverage). Each node of the activity graph is described in Table I.

c) The model has been implemented through the test cases generated from the activity graph (Table II).
d) The testing approach provides an easy way to find errors in web applications.

VII. CONCLUSION
The researcher has developed a model (the Dual Security Testing Model) to test the security of web applications using UML modeling techniques, including a web socket interface. The model has been implemented through test cases; the test cases are generated from the model, and system conformance can be checked against the system model. It is suitable for an automated, admin controlled customer care service system, which is beneficial for the customers using web applications. The model also helps in data collection for organizations that sell their products online; this helps in knowing the buyers' pattern so that the product range can be enhanced. Future work would be validation of the model through automation and web engineering applications.

Fig. 3. Navigation model of contextual and non-contextual links

Fig. 7. Activity Graph

a) Basic Path Coverage Criterion: First the basic paths in the activity graph are defined. A basic path is a sequence of activities in which each activity on that path occurs exactly once.
b) Simple Path Coverage Criterion: A simple path is considered for activity diagrams that contain concurrent activities. It is a representative path chosen from a set of basic paths where each basic path has the same set of activities, and the activities of each basic path satisfy an identical set of partial order relations among them.
c) Activity Path Coverage: The aim of this coverage is to cover both loop testing and concurrency among the activities of activity diagrams.
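Section C states that test cases are generated from the activity graph under the coverage criteria listed with Fig. 7, but neither the graph nor the generator is reproduced on the page. The following added example (not the authors' code or their Fig. 7) builds a constructed activity graph of the dual verification flow from the prose of Section IV.C, enumerates its basic paths (each activity exactly once) and, for the loop part of activity path coverage, the paths that take the OTP/CAPTCHA retry loop once, and turns each path into a test case with the guard taken at every decision. The node names, edges and guard labels are assumptions; the graph has no fork/join, so the simple path criterion for concurrent activities coincides with basic path coverage here.

```python
# Constructed activity graph for the dual verification flow of Section IV.C.
# Node names, edges and guards are assumptions drawn from the prose, not the paper's Fig. 7.
ACTIVITIES = {
    "A1": "User logs in with registration id and password",
    "A2": "OTP sent to registered mobile number or mail account",
    "A3": "User enters registration id, OTP and CAPTCHA",
    "A4": "Verify registration id, OTP and CAPTCHA against database",
    "A5": "Ask user to register first",
    "A6": "Show feedback of previous users on the product",
    "A7": "Customer Care Service: admin controls browser over web socket",
    "END": "End",
}
EDGES = {
    "A1": ["A2"],
    "A2": ["A3"],
    "A3": ["A4"],
    "A4": ["A5", "A6", "A3"],    # A4 -> A3 is the retry loop after a wrong OTP or CAPTCHA
    "A5": ["END"],
    "A6": ["A7", "END"],
    "A7": ["END"],
    "END": [],
}
GUARDS = {
    ("A4", "A5"): "[id not registered]",
    ("A4", "A6"): "[verified]",
    ("A4", "A3"): "[OTP or CAPTCHA wrong, retry]",
    ("A6", "A7"): "[user clicks CCS]",
    ("A6", "END"): "[no help needed]",
}


def basic_paths(graph, start, end):
    """Basic path coverage: every start-to-end path on which each activity occurs exactly once."""
    found = []

    def walk(node, path):
        if node == end:
            found.append(path)
            return
        for nxt in graph[node]:
            if nxt not in path:                 # revisiting an activity would leave the basic path
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def loop_paths(graph, start, end, max_repeats=1):
    """Loop part of activity path coverage: paths that traverse at least one loop, with each
    activity repeated at most max_repeats times beyond its first occurrence."""
    limit = max_repeats + 1
    found = []

    def walk(node, path):
        if node == end:
            if len(path) != len(set(path)):     # keep only paths that actually took a loop
                found.append(path)
            return
        for nxt in graph[node]:
            if path.count(nxt) < limit:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def generate_test_cases(graph=EDGES, start="A1", end="END", names=ACTIVITIES, guards=GUARDS):
    """Turn each covered path into a test case: ordered steps with the guard taken at each
    decision, and the activity before END as the expected outcome (a Table II style row)."""
    cases = []
    for i, path in enumerate(basic_paths(graph, start, end) + loop_paths(graph, start, end), 1):
        steps = [f"{names[a]} {guards.get((a, b), '')}".rstrip() for a, b in zip(path, path[1:])]
        cases.append({"id": f"TC{i}", "path": " -> ".join(path),
                      "steps": steps, "expected": names[path[-2]]})
    return cases


if __name__ == "__main__":
    for tc in generate_test_cases():
        print(tc["id"], tc["path"])
        for step in tc["steps"]:
            print("   ", step)
        print("    expected:", tc["expected"])
```

On this graph the generator yields three basic paths (not registered, verified without help, verified with CCS) and three more that exercise the retry loop once, six test cases in all; raising `max_repeats` adds the multi-retry cases a tester would use to check the attempt limit on the OTP challenge.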