SWaTEval: An Evaluation Framework for Stateful Web Application

Testing

Anne Borcherding

1,3 a

, Nikolay Penkov

1 b

, Mark Giraud

1 c

and J

Fraunhofer Institute of Optronics, System Technologies and Image Exploitation IOSB, Karlsruhe, Germany

to be examined for vulnerabilities. Modern web applications usually behave in a stateful manner and hence

have an underlying state machine that determines their behavior based on the current state. To thoroughly test

a web application, it is necessary to consider all aspects of a web application, including its internal states. In

a blackbox setting, which we presuppose for this work, however, the internal state machine must be inferred

before it can be used for testing. For state machine inference it is necessary to choose a similarity measure

for web pages. Some approaches for automated blackbox stateful testing for web applications have already

been proposed. It is, however, unclear how these approaches perform in comparison. We therefore present

our evaluation framework for stateful web application testing, SWaTEval. In our evaluation, we show that

SWaTEval is able to reproduce evaluation results from literature, demonstrating that SWaTEval is suitable for

conducting meaningful evaluations. Further, we use SWaTEval to evaluate various approaches to similarity

With the widespread use of Web Applications (WAs),

it is necessary to expose and eliminate as many vul-

nerabilities in WAs as possible to ensure a minimal at-

tack surface. This applies to WAs such as web shops

as well as WAs provided by industrial devices for

monitoring and configuration purposes. Especially

for these industrial settings, a thorough test for vul-

nerabilities is necessary, since a successful attack on

the WA can lead to a production stop or even physi-

cal harm (Pfrang et al., 2019). Stateful blackbox WA

b

https://orcid.org/0000-0002-5421-4253

c

https://orcid.org/0000-0002-2972-2758

poseful way (Doup

´

e et al., 2012). As previously men-

tioned, however, a blackbox setting does not provide

explicit information about the internal state machine

of the WA. As a consequence, identifying the under-

lying state machine of the WA by different means is

2012) propose a method for a WA-specific state in-

ference. In general, the state machine of a WA is

learned by looking for changes in the behavior of the

WA when it is provided with different inputs. To iden-

tify changes in the behavior of the WA, we measure

the similarity between the web pages presented by a

WA with the help of a similarity measure. With this,

we can determine whether the internal state of the WA

has changed and what caused the state transition.

The aforementioned challenges can be solved with

a set of different approaches. To evaluate the ap-

proaches in an individual or a combined manner, a

modular framework is necessary. Moreover, an easily

understandable Evaluation Target is needed to deter-

mine the performance and impact of the approaches.

The contribution of our work to the domain of

Stateful Web Application Testing (SWAT) can be

the help of various similarity measures and evalu-

ate them using SWaTEval

Our evaluation is twofold. On the one hand, we

perform a qualitative and quantitative evaluation of

SWaTEval itself. This includes reproducing of re-

sults presented by a large study in literature (Yandra-

pally et al., 2020). We show that the results produced

with SWaTEval are coherent with the results from this

study, suggesting that SWaTEval produces meaning-

to the best results.

2 BACKGROUND

State-awareness is generally needed to maximize test

coverage of a WA (Doup

quirement to perform state-aware testing lies the fol-

lowing intuition: If a testing tool is unaware of the ex-

isting states, it might skip some of them while testing

and fail to reveal vulnerabilities in the missed states.

This is true for different meanings of the word state

ent pages to the user does not correspond to different

internal states. In the following, we will always refer

to the internal state of the WA when using state.

Additionally, we use the following terminology.

The target that should be testend and is used for our

evaluation is a WA in its full form and functionality.

We refer to it as Evaluation Target or simply target.

A WA consists of various web pages like a login page,

or a register page. Endpoints expose functionality

and allow communication with a WA. Generally, they

point to web pages of a WA.

Since a blackbox WA does not reveal information

about its internals directly, we need to infer the under-

lying state machine by communicating with the WA.

in a blackbox setting (e.g. (Raffelt et al., 2005; Doup

et al., 2012)). Most of them are based on the assump-

tion that a state transition is present if a request on

have to be clustered properly and omitted. For this,

a method for clustering of similar Endpoints is nec-

essary. Lastly, the inferred state machine has to be

pruned by detecting similar states and merging them.

Summarized, the process of automatically learn-

ing the state machine of a WA in a blackbox setting

consists of the following challenges: (I) cluster sim-

ilar Endpoints, (II) detect a state change, and (III)

cluster similar states (Doup

yet been compared to other approaches that include

the underlying state. Since then, various approaches

for stateful WA testing and crawling have been pro-

posed, for which Hassanshahi et al. provide a recent

overview (Hassanshahi et al., 2022). Moreover, a re-

cent work proposes a framework for SWAT (Drakon-

akis et al., 2020), but it only focuses on a single part

of SWAT, namely authentication and authorization.

aims to provide a modular framework to evaluate dif-

ferent aspects of the SWAT process.

Several intentionally vulnerable WAs and bench-

discovery rate of these vulnerabilities can be used as

an overall performance metric, a more specific evalu-

ation target is necessary to understand the impact of

stateful testing methods on the test performance. For

this, it is particularly important that the state machine

of the target is known and manageable in size.

4

similarity) between two web pages when performing

SWAT. Since we focus our evaluation on similarity

measures, we give a short overview of related work

in this paragraph. Lin et al. propose a similarity

measure based on the similarity of links on the web

pages (Lin et al., 2006). Other works apply the Lev-

enshtein distance to calculate the distance between

two web pages (Popescu and Nicolae, 2014; Mesbah

metric based on a prefix tree (Doup

e et al., 2012).

More recent works propose to measure the similar-

ity between web pages by using their content, such

Yandrapally et al. is different compared to ours. We

consider the internal state of the WA, similar to Doup

et al. (see Section 2). In contrast, Yandrapally et al.

consider the dynamic webpage of the WA as the state.

Nevertheless, the concepts of web page similarity de-

scribed by Yandrapally et al. can be directly trans-

larity measures and thus also verify the usefulness of

SWaTEval regarding its evaluation capabilities. We

formulate the following two research questions.

ilar (but not equivalent) web pages that should

be treated as the same web page.

Figure 1: Overview of SWaTEval showing a modular ap-

proach regarding the Modules and the execution logic. The

Modules are run in the order given by the numbers.

able and manageable by humans.

5 APPROACH

In this section, we present the approach and the

technical details for SWaTEval. First, we give an

overview of the framework and the used Modules. We

then present the various Modules of SWaTEval in fur-

ther detail. This includes a description of the new

similarity measure we present in this work. At last,

we describe the features and details of the Evaluation

Target.

attack evaluation, and (III) Detectors, which are used

for pattern detection and information inference. All

Modules have access to a centralized database where

they can read and write data. This facilitates the inter-

action of the Modules and the sharing of information

between them. Especially, this allows the Crawlers

Table 1: Implemented Modules of the different categories.

and Fuzzers to interact with one another as suggested

the Modules can be dynamically spawned and run in

a distributed way, allowing SWaTEval to scale to for

bigger workloads.

In the following, we present the Modules we de-

signed and implemented. This includes approaches

from literature as well as our own approaches. Ta-

ble 1 shows an overview of the Modules as well as

their source.

The Crawlers’ goal is to walk through the WA and

approach for crawling. It navigates the WA to the first

available state that is not marked as explored, and vis-

its all available Endpoints in this state. To ensure

that the WA is always in the selected state, we re-

set the WA and navigate to the selected state before

each crawl iteration. While crawling, the Crawler

saves all generated data in the database. In the case

of the BasicCrawler, we assume that the WA can be

crawled thoroughly and assume convergence when all

detected states and Endpoints are visited, and no fur-

lar to the Crawlers, the data generated by the Fuzzers

is also saved in the database. To differentiate between

the data generated by the Fuzzers and the Crawlers,

we flag the data in the database accordingly.

plemented a dummy Fuzzers for the Evaluation Target

we used in our evaluation. They mock the functional-

ity of a real Fuzzer by detecting the current state of the

WA and executing requests that are known to cause

state transitions. In addition, they also send non-fuzzy

requests that will not trigger a state transition, mim-

icking the behavior of a real Fuzzer.

by Borcherding et al.(Borcherding et al., 2020). To

interact with the external Fuzzer, we implement a

Fuzzer-specific strategy that starts the external Fuzzer

and intercepts its traffic using the MITM proxy

allows us to inject state data in the requests of the ex-

ternal fuzzer such as cookies and headers, and simul-

taneously retrieve the responses of the WA.

The Detectors compare the output of similar requests

low is based on this assumption and uses it to infer

the state machine.

proach is based on clustering. The clustering algo-

rithm uses Endpoints, Interactions, and States as in-

put, which we will denote as content in the following.

For this Detector type, the content is represented by

a locality sensitive hash. To measure the similarity

of two content entries, a distance score between their

respective hashes is calculated. The clustering algo-

5

6

7

is described in further detail in the next section (Sec-

tion 5.2).

This section provides deeper insight into the inner

workings of our clustering based Detectors. Our ap-

proach aims to achieve the same goals as the approach

presented by Doup

´

e et al.. Doup

´

e et al. represent a

based methods, we aim to achieve a more adaptive

analysis that adjusts the clustering results to the newly

available data. We represent content generated in our

framework with the help of the locality sensitive hash

called TLSH (see Section 3). To be more specific, we

apply this hash to different parts of the available con-

tent as shown in the following.

To represent the content of the WA and make use of it

during SWAT, we define three data types: Endpoint,

As stated earlier, we assume that a state change

has occurred when the same Request results in a dif-

ferent Response than in previous Interactions. To de-

cide whether a Response is different from the ones

seen before, we apply our clustering approach again.

We calculate clusters using data from all Interactions

that have been carried out on the same Endpoint. If

the Interactions on the same Endpoint have more than

pened. Based on this observation, we infer the state

machine as proposed by Doup

e et al. (Doup

2012), and a new state is created. As soon as the

correct state.

plicate states accordingly.

For the Detectors, we apply clustering on TLSH

hashes to find patterns in the content. In the following,

we describe an issue coming from the requirements of

TLSH as well as our solution of augmenting the input

data with padding. Afterwards, we describe how we

preprocess the hashes for our clustering algorithms.

a minimum input of 50 bytes to generate a hash. To

fulfil this requirement, we use a random but fixed

padding for the inputs to the TLSH algorithm. How-

ever, augmenting the TLSH input data with random

data might dilute the information of the actual data

and make the clustering result less reliable. Also,

the concrete choice of the padding may influence the

clustering results. We acknowledge the impact of our

padding choice during our evaluation (Section 6).

entry of the vector is converted from a character to an

Integer by using its ASCII representation. With this,

we receive a numerical representation of the TLSH

hash which can be used for clustering.

rectly apply a text distance on the hashes and create

a distance matrix, which then can be used as an input

for the clustering algorithm. In this case, we use the

TLSH Score proposed by the authors of TLSH, and

algorithm for the clustering since it fits the properties

of our clustering task (Ester et al., 1996). It is not de-

pendent on the cluster shape and count, it is capable

of detecting densely positioned clusters, and robust to

noise and outliers. DBSCAN has two input parame-

ters that need to be chosen. ε defines the maximal dis-

tance between two samples in a neighbourhood, and

minPts determines the minimal number of neighbours

for a core point sample. We set the minPts parame-

we run the clustering procedure.

Complementary to SWaTEval, we created an Evalua-

tion Target, which is used to evaluate the performance

of the Modules. Similar to Doup

´

e et al. we imple-

mented a server-side rendered WA, meaning that the

DOM elements for each request are generated in the

back end and sent in the response each time (Doup

´

e

et al., 2012). Based on the requirements defined in

Section 4.3, we integrated the following use cases in

the Evaluation Target.

functionality including a normal user and an admin.

loop of links (see Section 5.2). This challenges the

EndpointDetector, which should detect the Endpoints

generated after the first visit as duplicates.

Target includes pages that can have links or content

which can be dynamically generated or constant. All

four possible combinations exist and can be used to

StateChangeDetector or a Fuzzer. The state machine

also includes a state transition that resets the state ma-

chine to the initial state. This state transition creates a

challenge for the StateChangeDetector, as the State-

ChangeDetector has to merge the new state and the

initial one. Failing to do so will replicate the state

machine indefinitely.

6 EVALUATION

Our goal in evaluating SWaTEval is to verfiy the func-

tionality of the implemented Modules and their inter-

Dividing the framework into Modules with the

same base functionality and encapsulating their indi-

vidual policy allows us to hide complexity and cre-

ate abstract workflows. By doing so, we ensure that

SWaTEval covers FR1 Modularity.

Interaction between the Modules of SWaTEval

(FR2 Interaction) is achieved by establishing the

database as a core point of information exchange. The

Modules are run in a sequential order, and they exe-

cute their logic only if the conditions specified in their

coupling and still have interoperating Modules.

FR3 Traceability aims to make the influence and

behavior of the different Modules and their interlaced

functionality visible. By separating the generated data

from the Modules, we allow for a centralized analysis

of the current state of SWaTEval. In addition, this al-

lows for manual data editing during runtime, enabling

experiments with edge cases and a deeper analysis of

the Modules’ behavior. To trace the various instances

of states, Endpoints, and Interactions, each instance is

pages (see Section 5.2.4 for details). First, it in-

cludes web pages with similar content which should

be classified as the same web page (TR1 Similar

pages). This holds, for example, for /views/const-

content/const-links/random-page. Besides, our Eval-

uation Target includes pages with different content,

such as views/dynamic-content/const-links/random-

page (TR2 Different pages). Moreover, it implements

WA by (I) a user login, and (II) the artificial state ma-

chine controlled by different keywords, as shown in

Figure 2 (TR3 Statefulness). The state machine has

The goal of our quantitative evaluation is to ana-

lyze whether SWaTEval can be used to reproduce re-

sults from literature. We compare the results regard-

ing similarity measures based on our Evaluation Tar-

get with results from Yandrapally et al. (Yandrapally

et al., 2020). Note that Yandrapally et al. use a dif-

ferent terminology for the state of a WA, as each indi-

vidual web page is considered a state. This definition

maps to our understanding of an Endpoint. As a re-

sult, the evaluation of similarity measures for states

gets given by Yandrapally et al.. Second, we apply the

same similarity measures to our Evaluation Target. As

a result, we obtain insights on the performance of dif-

ferent similarity measures for the large study of Yan-

drapally et al. as well as on our Evaluation Target.

Figure 3 shows the comparison of the accuracy of

similarity measures calculated on the targets used by

Yandrapally et al. and our Evaluation Target. The

x-axis presents the similarity measures and the data

representation they are based on. The y-axis displays