CS 595C - Dependable Web Applications via String Analysis - Spring 2009


Most web applications contain bugs and vulnerabilities that are due to incorrect manipulation of strings. In this seminar we will discuss techniques for analyzing Web applications to find bugs and vulnerabilities related to strings. Each student will be asked to present a paper and read the papers that are presented.

Instructor: Tevfik Bultan
Meeting time: Tuesdays 4:00pm-5:00pm
Location: Computer Science Meeting Room (HFH 1152)
Enrollement Code: 75929



  1. Fang Yu, Tevfik Bultan, Marco Cova, Oscar H. Ibarra: Symbolic String Verification: An Automata-Based Approach. SPIN 2008: 306-324
  2. Fang Yu, Tevfik Bultan, Oscar H. Ibarra: Symbolic String Verification: Combining String Analysis and Size Analysis. TACAS 2009: 322-336
  3. Nikolaj Bjørner, Nikolai Tillmann, Andrei Voronkov: Path Feasibility Analysis for String-Manipulating Programs. TACAS 2009: 307-321
  4. Adam Kiezun, Vijay Ganesh, Philip Guo, Pieter Hooimeijer, Michael D. Ernst: HAMPI: A solver for string constraints. MIT technical report.
  5. Michael Emmi, Rupak Majumdar, Koushik Sen: Dynamic test input generation for database applications. ISSTA 2007: 151-162
  6. Gary Wassermann, Dachuan Yu, Ajay Chander, Dinakar Dhurjati, Hiroshi Inamura, Zhendong Su: Dynamic test input generation for web applications. ISSTA 2008: 249-260
  7. Gary Wassermann, Zhendong Su: Static detection of cross-site scripting vulnerabilities. ICSE 2008: 171-180
  8. William G. J. Halfond, Alessandro Orso: Improving test case generation for web applications using automated interface discovery. ESEC/SIGSOFT FSE 2007: 145-154
  9. William G. J. Halfond, Alessandro Orso: Automated identification of parameter mismatches in web applications. SIGSOFT FSE 2008: 181-191
  10. W. Halfond, S. Anand, and A. Orso: Precise Interface Identification to Improve Testing and Analysis of Web Applications International Symposium on Testing and Analysis (ISSTA 2009) - To Appear.
  11. S. Artzi, A. Kieżun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst: Finding bugs in dynamic web applications In ISSTA 2008, Proceedings of the 2008 International Symposium on Software Testing and Analysis, (Seattle, WA, USA), July 22-24, 2008, pp. 261-272.
  12. A. Kieżun, P. J. Guo, K. Jayaraman, and M. D. Ernst: Automatic creation of SQL injection and cross-site scripting attacks In ICSE'09, Proceedings of the 30th International Conference on Software Engineering, (Vancouver, BC, Canada), May 20-22, 2009.