The invention relates to computer software testing in general and, more particularly, to optimizing test data payload selection for testing computer software applications that employ data sanitizers and data validators.
Dynamic analysis tools are often used by computer software developers to test computer software applications, typically by first exploring a computer software application to discover its interfaces, including those by which data may be provided to the application, and then by interacting with the application's interfaces and monitoring the application's responses to such interactions. In one type of dynamic analysis, a computer software application is tested for security vulnerabilities by providing test data designed to exploit a security vulnerability as input to the application, and then observing the behavior of the application. For example, dynamic analysis may be used to test a web application that is accessed over a computer network, such as the Internet, by employing a “black-box tester” running on one computer that sends HTTP requests via a computer network as input to the web application that is hosted by another computer. The HTTP requests are configured with test data payloads drawn from a library of test data payloads designed to test for security vulnerabilities such as SQL injection, cross-site scripting, and command injection.
Computer software developers often employ measures to defend against such attacks by incorporating data sanitizers, which transform input, and/or data validators, which test whether input is legal, into their applications where such inputs are processed. However, the developers' choice of sanitizers and validators might not be sufficient to prevent all kinds of attacks. While a black-box tester could send all possible test data payloads to a computer software application to test for all possible security vulnerabilities, the cost of sending many HTTP requests via a computer network is high in terms of time and bandwidth, and therefore commercial black-box testers that test web applications via computer networks typically send only a few dozen test payloads per HTTP parameter being tested in order to keep such costs down. Unfortunately, this often means that some security vulnerabilities go undetected.
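The distinction drawn above between sanitizers (which transform input) and validators (which accept or reject it), and the observation that a developer's chosen defense may cover some payload classes but not others, can be made concrete with a small offline check. The following is an added example written for this page; it is not code from the patent or from any black-box testing product. The three probe strings, the per-class "hazard character" sets, and the two sanitizers and one validator are all constructed assumptions chosen to illustrate the point: a defense is judged to neutralize a payload class only if the characters that class depends on do not survive it (for a sanitizer) or the input is rejected outright (for a validator).

```python
import html
import re
from typing import Callable, Dict, List, Union

# Constructed probe strings, one per vulnerability class named in the text.
# They are illustrative only and are not a real test-data payload library.
SAMPLE_PAYLOADS: Dict[str, str] = {
    "xss": "<img src=x>",
    "sqli": "x' OR 1=1",
    "cmdi": "x; id",
}

# Assumed metacharacters each payload class relies on. A sanitizer is judged
# effective against a class only if none of these survive its transformation.
HAZARD_CHARS: Dict[str, str] = {
    "xss": "<>",
    "sqli": "'",
    "cmdi": ";|&",
}

# --- two sanitizers: transform the input -----------------------------------

def strip_tags(value: str) -> str:
    """Weak sanitizer: removes anything that looks like an HTML tag."""
    return re.sub(r"<[^>]*>", "", value)

def escape_html(value: str) -> str:
    """Stronger sanitizer: HTML-escapes &, <, >, double and single quotes."""
    return html.escape(value, quote=True)

# --- one validator: accept or reject the input -----------------------------

def is_numeric_id(value: str) -> bool:
    """Allowlist validator for a parameter that must be a decimal integer."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

# A defense is either a sanitizer (str -> str) or a validator (str -> bool).
Defense = Callable[[str], Union[str, bool]]

def neutralizes(defense: Defense, payload_class: str, payload: str) -> bool:
    """True if the defense either rejects the payload or strips its hazards."""
    result = defense(payload)
    if isinstance(result, bool):
        return not result  # validator: neutralized iff the input is rejected
    return not any(ch in result for ch in HAZARD_CHARS[payload_class])

def uncovered_classes(defense: Defense,
                      payloads: Dict[str, str] = SAMPLE_PAYLOADS) -> List[str]:
    """Payload classes the defense leaves unneutralized, in library order."""
    return [cls for cls, p in payloads.items() if not neutralizes(defense, cls, p)]

if __name__ == "__main__":
    for name, defense in (("strip_tags", strip_tags),
                          ("escape_html", escape_html),
                          ("is_numeric_id", is_numeric_id)):
        print(f"{name:14s} leaves uncovered: {uncovered_classes(defense)}")
```

Run as a script, the check reports that the tag-stripping sanitizer leaves the SQL and command-injection probes untouched, that HTML escaping neutralizes the markup and quote probes but not the shell metacharacters, and that the allowlist validator rejects all three. This is the situation the text describes: a defense chosen with one attack class in mind says nothing about the others, which is why a tester with a limited payload budget per parameter benefits from knowing which classes the application's own defenses already cover.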