CN119415440A

CN119415440A - Application program testing method and device

Info

Publication number: CN119415440A
Application number: CN202510020049.1A
Authority: CN
Inventors: 郑兆华; 王炜喆; 许光全; 叶晓虎; 吴铁军; 方雪琴; 赵亮
Original assignee: Southern Power Grid Digital Grid Group Hainan Co ltd; Tianjin University; Hainan University
Current assignee: Southern Power Grid Digital Grid Group Hainan Co ltd; Tianjin University; Hainan University
Priority date: 2025-01-07
Filing date: 2025-01-07
Publication date: 2025-02-11
Anticipated expiration: 2045-01-07
Also published as: CN119415440B

Abstract

The present invention provides an application testing method and device, which can be applied to the field of computer technology. The method includes: determining at least one entry point information in the program source code based on the program source code of the current application page of the application to be tested; analyzing the at least one entry point information using a large language model to determine the operation response result of at least one operable item corresponding to each of the at least one entry point information; determining a target operable item from at least one operable item based on the at least one operation response result; simulating triggering the target operable item to run the entry point information corresponding to the target operable item, so that the state of the application to be tested changes; repeatedly performing the above operations until jumping to the last application page, determining a test path based on multiple target operable items and jump relationships; and testing the application to be tested based on the test path to determine the test result of the application to be tested.

Description

Application program testing method and device

Technical Field

The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for testing an application program.

Background

In the current internet environment, web applications have become an important network service, and their wide application in various industries has a profound effect on social development. However, web applications raise more and more security problems while expanding the application scope. Particularly, with the popularization of cross-platform frameworks, the security risk of Web applications is not limited to the use scenario in the traditional browser, but also relates to various application environments such as desktop, mobile devices and the like, and may form a threat to software, application programs, even other application platforms and the like. The complexity and variety of development languages and frameworks of Web applications present significant challenges to existing security detection methods. Among them, cross script attack (Cross SITE SCRIPTING, XSS) is a common security vulnerability with serious harm in Web applications, and in related technology, in order to cope with XSS attack, a black box vulnerability detection method is generally adopted to detect applications.

In the implementation process of the invention, the prior art is found to have at least the following problems, because the black box test lacks specific knowledge of Web application, the Web application is usually modeled by a crawler technology, the potential attack surface in the application is found by detecting input fields such as URL, form and the like in a Web page, the existing black box test method is often insufficient when covering complex Web application, and especially, the internal functions of the Web application are difficult to deeply detect by mainly used strategies such as random navigation, breadth first and the like, so that the test coverage rate is low and the test effect is poor.

Disclosure of Invention

In view of the above problems, the present invention provides an application program testing method and apparatus.

According to a first aspect of the invention, an application program testing method is provided, which comprises the steps of determining at least one entry point information in program source codes based on program source codes of a current application page of an application program to be tested, wherein the entry point information represents a program segment for executing operation corresponding to an operable item on the current application page, analyzing the at least one entry point information by using a large language model, determining operation response results of the at least one operable item corresponding to the at least one entry point information, wherein the operation response results represent influences on the current application page when the operation is executed by the response operable item, determining a target operable item from the at least one operable item based on the at least one operation response results, simulating and triggering the target operable item to run the entry point information corresponding to the target operable item, enabling the state of the application program to be tested to change, repeatedly executing the operation until the last application page is jumped, determining a testing path based on the plurality of target operable items and a jumped relation, testing the application program to be tested, and determining the testing result of the application program to be tested based on the testing path.

According to the embodiment of the invention, the large language model is utilized to analyze at least one entry point information and determine operation response results of at least one operable item corresponding to the at least one entry point information, and the method comprises the steps of analyzing each entry point information by the large language model, determining the page state of a current application page after the entry point information is operated, and determining the operation response results of the operable item based on the page state and the page state before the operation is performed on the operable item.

According to the embodiment of the invention, the simulation triggering of the target operable item to run the entry point information corresponding to the target operable item so that the state of the application to be tested changes comprises the steps of carrying out parameter configuration on the entry point information to obtain target entry point information under the condition that the entry point information is determined to have parameters to be configured, and running the target entry point information so that the state of the application to be tested changes.

According to the embodiment of the invention, the application program to be tested is tested based on a test path, and a test result of the application program to be tested is determined, wherein the test result comprises the steps of determining one or more attacked injection points in entry point information corresponding to target operable items by utilizing a large language model for each target operable item, carrying out script injection on the one or more attacked injection points by utilizing an attack script to obtain entry point information into which the attack script is injected, running the entry point information into which the attack script is injected, determining an operation result corresponding to the target operable items, and determining the test result based on at least one operation result.

According to the embodiment of the invention, the test result is determined based on at least one operation result, wherein the test result is determined under the condition that the operation results are all normal in operation, and the test result is determined under the condition that the operation result representing abnormal operation is present, based on the entry point information of the attack script which is used for obtaining the operation result.

According to the embodiment of the invention, in the case of the operation result representing the operation abnormality, the test result is determined based on the entry point information which is used for obtaining the operation result and is injected with the attack script, and the test result is determined based on the entry point information which is injected with the attack script and is associated with the operation result.

According to the embodiment of the invention, at least one entry point information in program source codes is determined based on the program source codes of the current application page of the application program to be tested, and the method comprises the steps of obtaining the program source codes of the current application page, running the program source codes in a virtual environment to obtain a simulation page, performing simulation operation on operation items on the simulation page, and determining the entry point information of the operation items.

According to the embodiment of the invention, the target operable item is determined from at least one operable item based on a plurality of operation response results, wherein the method comprises the steps of determining whether the state change of an application program to be tested occurs after the operation is performed on the operable item based on the operation response results, and determining the operable item as the target operable item in the condition that the state change occurs after the operation is performed.

According to the embodiment of the invention, when the state change occurs after the operation is executed, the operable items are determined to be target operable items, wherein the operation response result is determined to represent the executed operation, an application interface after the state change occurs is determined, at least one operable item is determined from the current application interface, when the number of the operable items is larger than 1, the similarity among the plurality of the operable items is determined based on entry point information corresponding to the plurality of the operable items, the plurality of the operable items with the similarity higher than a preset threshold value are divided into the same operable item group, and one operable item is selected from the operable item groups as the target operable item for each operable item group.

The second aspect of the invention provides an application program testing device, which comprises an information determining module, an information analyzing module, an operation response result determining module and a page jumping module, wherein the information determining module is used for determining at least one entry point information in program source codes based on program source codes of a current application page of an application program to be tested, the entry point information represents a program segment used for executing operation corresponding to the target operable item on the current application page, the information analyzing module is used for analyzing the at least one entry point information by using a large language model, the operation response result of each at least one operable item corresponding to the at least one entry point information is determined, the operation response result represents the influence on the current application page when the operation is executed by the response operable item, the operation item determining module is used for determining a target operable item from the at least one operable item based on the operation response result, the page jumping module is used for simulating to trigger the target operable item to run the entry point information corresponding to the target operable item so that the application program to be tested is changed in appearance state, the path determining module is used for repeatedly executing the operation until the operation is jumped to the last application page, the application program to be tested is determined based on a plurality of target operable items and a jumping relation, and the application program to be tested is determined based on the test result.

A third aspect of the invention provides an electronic device comprising one or more processors and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method.

A fourth aspect of the invention also provides a computer readable storage medium having stored thereon a computer program or instructions which when executed by a processor performs the steps of the above method.

The fifth aspect of the invention also provides a computer program product comprising a computer program or instructions which, when executed by a processor, carries out the steps of the method described above.

According to the embodiment of the invention, the entry point information is determined for the current application page of the application program to be tested, the entry point information is analyzed by utilizing a large language model, the operation response result after the operation is performed on the operable item corresponding to the entry point information is determined, and the target operable item is determined from at least one operable item based on the operation response result, so that the state of the application program to be tested can be changed after the operation is performed on the target operable item, the depth of the test path determined according to the target operable item is larger, and the depth coverage rate and the accuracy of the application program test are improved.

Drawings

The foregoing and other objects, features and advantages of the invention will be apparent from the following description of embodiments of the invention with reference to the accompanying drawings, in which:

fig. 1 shows an application scenario diagram of an application program testing method and apparatus according to an embodiment of the present invention.

FIG. 2 illustrates a flow chart of an application testing method according to an embodiment of the invention.

FIG. 3 shows a schematic diagram of determining an associated test path according to an embodiment of the invention.

Fig. 4 shows a block diagram of an application testing apparatus according to an embodiment of the present invention.

Fig. 5 shows a block diagram of an electronic device adapted to implement the application testing method according to an embodiment of the invention.

Detailed Description

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the invention. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.

All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.

Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in accordance with the meaning of one of skill in the art having generally understood the convention (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).

In the technical scheme of the invention, related user information (including but not limited to user personal information, user image information, user equipment information, such as position information and the like) and data (including but not limited to data for analysis, stored data, displayed data and the like) are information and data authorized by a user or fully authorized by all parties, and the related data are collected, stored, used, processed, transmitted, provided, invented, applied and the like, all processed according to related laws and regulations and standards, necessary security measures are adopted, no prejudice to the public order is provided, and corresponding operation entries are provided for the user to select authorization or rejection.

In the scene of using personal information to make automatic decision, the method, the device and the system provided by the embodiment of the invention provide corresponding operation inlets for users to choose to agree or reject the automatic decision result, and enter an expert decision flow if the users choose to reject. The expression "automated decision" here refers to an activity of automatically analyzing, assessing the behavioral habits, hobbies or economic, health, credit status of an individual, etc. by means of a computer program, and making a decision. The expression "expert decision" here refers to an activity of making a decision by a person who is specializing in a certain field of work, has specialized experience, knowledge and skills and reaches a certain level of expertise.

The embodiment of the invention provides an application program testing method, which comprises the steps of determining at least one entry point information in program source codes based on program source codes of a current application page of an application program to be tested, wherein the entry point information represents a program segment for executing operation corresponding to an operable item on the current application page, analyzing the at least one entry point information by using a large language model, determining operation response results of the at least one operable item corresponding to the at least one entry point information, wherein the operation response results represent influences on the current application page when the operation is executed by responding to the operable item, determining a target operable item from the at least one operable item based on the at least one operation response result, simulating and triggering the target operable item to run the entry point information corresponding to the target operable item, jumping to a next application page, repeatedly executing the operation until jumping to the last application page, determining a testing path based on the plurality of target operable items and the jumping relation, testing the application program to be tested, and determining the testing result of the application program to be tested based on the testing path.

As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

The user may interact with the server 105 via the network 104 using the first terminal device 101, the second terminal device 102, the third terminal device 103, to receive or send messages etc. Various communication client applications, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only) may be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103.

The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.

The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.

It should be noted that the application program testing method provided by the embodiment of the present invention may be generally executed by the server 105. Accordingly, the application testing apparatus provided in the embodiments of the present invention may be generally disposed in the server 105. The application testing method provided by the embodiment of the present invention may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103 and/or the server 105. Accordingly, the application testing apparatus provided in the embodiment of the present invention may be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105.

It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.

The application program testing method according to the embodiment of the present invention will be described in detail below with reference to fig. 2 to 3 based on the scenario described in fig. 1.

As shown in FIG. 2, the application program testing method of the embodiment includes operations S210-S260.

In operation S210, at least one entry point information in program source code is determined based on the program source code of the current application page of the application program to be tested.

According to embodiments of the present invention, the application to be tested may be a website made up of a plurality of Web pages, a mobile application (Application, APP), a Cross-Platform application (Cross-Platform Apps), or the like.

According to the embodiment of the invention, the application program to be tested can comprise a plurality of application pages, an application interface currently displayed by the application program to be tested, program source codes of the current application interface are determined, the current application interface is operated by utilizing an automatic test framework, at least one entry point information in the program source codes is determined, and the entry point information characterizes a program segment for executing operation corresponding to an operable item on the current application page.

In operation S220, at least one entry point information is analyzed using the large language model, and operation response results of each of at least one operable item corresponding to each of the at least one entry point information are determined.

According to the embodiment of the invention, the entry point information is input into the large language model, and the large language model outputs the operation response result of the operable item corresponding to the entry point information through the prompt word, wherein the operation response result represents the influence on the current application page when the operation is performed by the response operable item.

In operation S230, a target operable item is determined from the at least one operable item based on the at least one operation response result.

According to an embodiment of the present invention, in the case where only one operable item is included in the current application interface, the operable item is determined as the target operable item. In the case where a plurality of operable items are included in the current application interface, an operation response result enabling a longer test path is selected from among operation response results of the respective plurality of operable items, and the operable item is determined as a target operable item.

According to the embodiment of the invention, when the operation response result corresponding to the operable item indicates that the operation of the operable item can affect the continuous operation of other operable items, the operable item cannot be operated as the target operable item. For example, in the case where the operable item is "reset", and the current application interface further includes a "submitted" operable item, if an operation is performed on the reset operable item, the contents of the form filled in the current application interface are emptied, and the submitted operable item cannot be submitted, and thus cannot be regarded as the target operable item.

In operation S240, the simulation triggers the target operable item to run the entry point information corresponding to the target operable item such that the state change of the application to be tested occurs.

In operation S250, the above operations are repeatedly performed until the last application page is jumped, and a test path is determined based on the plurality of target operable items and the jumped relation.

According to the embodiment of the invention, after the target operable item is determined, the target operable item is simulated by using a simulation script, so that the entry point information is operated, the state of the application program to be tested is changed, and the target operable item is continuously determined on the next application page. And under the condition that a next application page does not exist after the target operable items are triggered, determining a plurality of target operable items and jump relations determined in the operation process, and determining the sequence relation among the plurality of target operable items based on the jump relations, so as to determine a test path.

In operation S260, the application to be tested is tested based on the test path, and the test result of the application to be tested is determined.

According to the embodiment of the invention, the test result can be used for representing whether the application program to be tested has XSS loopholes or not.

According to embodiments of the invention, the page state may include values of form elements in the current application page, jumps that occur in the current application page, and so forth. According to the page state after the operation of the entry point information and the page state before the operation of the entry point information, the change condition of the page state before and after the operation of the operable item can be determined, so that the operation response result after the operation of the operable item is determined.

According to the embodiment of the invention, the operation response result after the operation item is executed can be determined by determining the page states of the current application page before and after the operation entry point information and comparing the page states before and after the operation, so that the degree of automation of the test is improved.

According to the embodiment of the invention, whether the parameters to be configured exist in the entry point information is determined by analyzing the entry point information, wherein the current application page can comprise a plurality of configuration parameters, each configuration parameter corresponds to one operable element in the current application page, and the operable elements comprise a form, a button, a hyperlink and the like. In the case that the configuration parameters corresponding to the form that must be filled in before the operation is performed on the target operable item exist in the current page, it may be determined that the entry point information has parameters to be configured.

According to the embodiment of the invention, the data type and the format requirement of the parameter to be configured can be determined according to the entry point information, and the filling data meeting the data type and the format requirement can be randomly generated. The filling data can be filled in a form of the current application page, and the entry point information can also be directly changed, so that the filling data is configured in the entry point information to obtain target entry point information. And running the target entry point information, thereby triggering the target operable item so that the application to be tested has state change.

According to the embodiment of the invention, the execution conditions of the target operable items can be met by carrying out parameter configuration on the entry point information, so that the target operable items can be smoothly executed, the state of the application program to be tested is changed, the feasibility of the test is improved, and the degree of automation of the test is further improved.

According to the embodiment of the invention, the large language model is utilized to process the entry point information, and the attacked injection points in the entry point information are determined, wherein the attacked injection points represent the positions possibly attacked by XSS. After one or more attacked injection points are determined, an attack script is written, and script injection is carried out on the one or more attacked injection points respectively.

According to the embodiment of the invention, the initial entry point information is replaced by the entry point information injected with the attack script, the target operable item is triggered, the entry point information injected with the attack script is operated, and the operation result corresponding to the target operable item is determined. Based on the respective operation results of at least one target operable item on the test path, a test result for the application to be tested is determined.

According to the embodiment of the invention, the potential XSS attack can be simulated by determining the attackeable injection point in the entry point information, injecting the attack script into the attackeable injection point and then running the entry point information injected with the attack script, so that whether the application program to be tested has the XSS vulnerability or not is determined, and the application program test is more accurate and effective.

According to embodiments of the present invention, a plurality of different test paths may be determined for the same application to be tested.

According to the embodiment of the invention, under the condition that the operation results on the plurality of test paths are all normal in operation, the failure of XSS attack of the plurality of target operable items of the application program to be tested on the plurality of test paths can be determined, namely, the application program to be tested does not have XSS loopholes on the plurality of test paths and passes the test.

According to the embodiment of the invention, under the condition that the operation result representing the operation abnormality exists, the entry point information which is injected with the attack script and causes the operation result of the operation abnormality is determined from a plurality of entry point information which is injected with the attack script, so that the XSS attack on the entry point information of the target operable item is determined to be successful, and therefore, the existence of the XSS vulnerability of the application program to be tested can be determined, and the vulnerability position is the entry point information which is injected with the attack script.

According to the embodiment of the invention, based on the operation result of each target operable item in the plurality of test paths, the test result is determined, and whether the application program to be tested has XSS loopholes in the plurality of test paths can be comprehensively and accurately determined.

According to the embodiment of the invention, aiming at the operation result representing the operation abnormality, analyzing a plurality of pieces of entry point information injected with the attack script, and determining a test path where the entry point information injected with the attack script, which leads to the operation result, is located as an associated test path. And determining a target operation item corresponding to the entry point information injected with the attack script on the associated test path, and determining a test result based on the entry point information of the target operation item.

According to the embodiment of the invention, since the operation result represents the operation abnormality and may not be caused by the XSS vulnerability on the test path where the operable item corresponding to the operation is located, based on the entry point information of the attack script injected in the plurality of test paths, the associated test path corresponding to the operation result representing the operation abnormality can be determined, and the test result is further determined, so that the existing XSS vulnerability can be accurately positioned, thereby improving the accuracy of application program test.

As shown in fig. 3, the application to be tested may be, for example, an application of a shopping platform, including a first test path 301 and a second test path 302, where an attackeable injection point exists in the first test path 301, and a script injection is performed on the attackeable injection point by using an attack script.

The multiple target operable items on the first test path 301 are sequentially operated, clicking operation can be performed from the first page of the application program to be tested, the operation jumps to the registration page, registration information is filled and submitted to be registered on the registration page, the operation jumps to the login page, the information submitted during registration is used for logging in, the operation jumps to the commodity management page, clicking operation is performed on the commodity management page, the operation jumps to the commodity adding page, and the commodity information to be added is filled and submitted to be added on the commodity adding page, so that an operation result of successfully adding the commodity is obtained. Thus, the plurality of operational results on the first test path 301 all characterize normal operation.

Operating the target operable item on the second test path 302 can perform clicking operation from the first page of the application program to be tested, jump to the displayed commodity page, and based on the display result, it can be determined that the commodity added when the first test path 301 is executed is not added to the commodity library but is replaced by other abnormal commodity, so that it can be determined that the operation is abnormal.

Based on the added commodity page in the first test path 301, determining that the operation performed on the page affects the operation of subsequent showing of the commodity page, namely, the associated test path associated with the displayed commodity page is the first test path 301, backtracking is performed based on a plurality of target operable items on the first test path 301, determining the target operable item causing the operation result of the displayed commodity page to represent the operation abnormality, and determining the test result based on the entry point information of the target operable item.

According to the embodiment of the invention, since the application program to be tested may be an operating application program, and each entry point information in the program source code needs to be modified in the testing process, directly testing the application program to be tested may cause errors of the operating application program, and data security and normal operation of the application program are affected. The application program to be tested can be simulated in the virtual environment and simulated to avoid the influence of the test on the application program.

According to the embodiment of the invention, the program source code of the current page is operated in the virtual environment to obtain the simulation page, wherein the virtual environment can be constructed according to the operation environment of the application environment to be tested. And performing simulation operation on the operation items on the simulation page to determine a plurality of pieces of entry point information on the simulation page, wherein the simulation operation can be initiated through a Selenium framework to simulate the actual operation condition of the application environment to be tested.

According to the embodiment of the invention, the simulation page is obtained in the virtual environment in a simulation mode, the simulation operation is carried out on the simulation page, and the subsequent test is carried out, so that the application program test can not influence the running application program to be tested, and the data security and the normal running of the application program are ensured.

According to an embodiment of the present invention, based on a plurality of operation response results, in the case where there is at least one operable item for which a state change occurs after an execution operation, a target operable item is determined based on the operable item.

According to the embodiment of the invention, in the case that the plurality of operation response results are determined to be all characterized to respond to the operable items to execute the operation, and the state change cannot occur, the target operable item is determined based on the plurality of operable items on the current application page.

According to the embodiment of the invention, in the case that all the operable items of the current application page cannot cause the state change, the current test performed on the application program is characterized to enter the deepest layer of the current test path, and the target operable item can be determined from a plurality of operable items. Under the condition that an operable item capable of enabling the state of the application program to be tested to be changed exists in the current application interface, determining a target operable item based on the operable item, and jumping to the next application interface after executing the target operable item, so that the length of a test path is increased, and the depth of application testing is increased.

According to the embodiment of the invention, after the operation is executed, the operable items are determined to be target operable items under the condition that the state change occurs, wherein the method comprises the steps of determining that an operation response result represents the executed operation, determining at least one operable item from a current application interface after the state change occurs, determining similarity among the plurality of operable items based on entry point information corresponding to the plurality of operable items under the condition that the number of the operable items is larger than 1, dividing the plurality of operable items with the similarity higher than a preset threshold value into the same operable item group, and selecting one operable item from the operable item group as the target operable item for each operable item group.

According to the embodiment of the invention, under the condition that a plurality of operable items exist in a current application page, the similarity between each operable item and other operable items is calculated respectively, wherein the similarity between the two operable items can be determined through entry point information corresponding to the two operable items respectively, web key elements such as hypertext markup language (HyperText Markup Language, HTML), document object model (Document Object Model, DOM), page style (style or CASCADING STYLE SHEETS, CSS) and the like in the two entry point information are determined respectively, and the similarity between the two entry point information is determined through calculating the similarity between the key elements, so that the similarity between the two operable items is determined.

According to the embodiment of the invention, after the similarity between every two of the plurality of operable items is determined, the plurality of operable items with the similarity higher than the preset threshold value are divided into the same operable item group, and one operable item is selected from each operable item group as a target operable item.

According to the embodiment of the invention, in the case that a plurality of operable items exist, the plurality of operable items are grouped, and one operable item is selected from each operable item group as a target operable item, so that the number of target operable items can be reduced, the complexity of the test can be reduced, and the comprehensiveness of the test is ensured because one target operable item is determined for each operable item group.

Table 1 shows test paths used for testing an application test method and other test methods according to an embodiment of the present invention.

TABLE 1

As shown in table 1, five other test methods were selected for comparison with the test methods provided by the present invention. The application to be tested may use a Web application for network security teaching and detection of presence security vulnerabilities.

According to the test path ratio situation shown in table 1, it can be found that the application program test method provided by the embodiment of the invention can analyze and understand the application program to be tested, guide the request and the test direction, concentrate most of the request attention on the application core function, and realize deep exploration and test on the Web application.

Based on the application program testing method, the invention further provides an application program testing device. The device will be described in detail below in connection with fig. 4.

As shown in fig. 4, the application testing apparatus 400 of this embodiment includes an information determining module 410, an information analyzing module 420, an operation item determining module 430, a state changing module 440, a path determining module 450, and an application testing module 460.

The information determining module 410 is configured to determine, based on program source codes of a current application page of an application program to be tested, at least one entry point information in the program source codes, where the entry point information characterizes a program segment for executing an operation corresponding to an operable item on the current application page. In an embodiment, the information determining module 410 may be configured to perform the operation S210 described above, which is not described herein.

The information analysis module 420 is configured to analyze the at least one entry point information by using a large language model, and determine operation response results of at least one operable item corresponding to the at least one entry point information, where the operation response results characterize an effect of the operation performed by the response operable item on the current application page. In an embodiment, the information analysis module 420 may be configured to perform the operation S220 described above, which is not described herein.

The operation item determination module 430 is configured to determine a target operable item from the at least one operable item based on the at least one operation response result. In an embodiment, the operation item determining module 430 may be configured to perform the operation S230 described above, which is not described herein.

The state change module 440 is configured to simulate triggering the target operable item to run the entry point information corresponding to the target operable item such that the application to be tested is subjected to a state change. In an embodiment, the state change module 440 may be used to perform the operation S240 described above, which is not described herein.

The path determining module 450 is configured to repeatedly perform the above operations until the last application page is skipped, and determine a test path based on the plurality of target operable items and the skip relationship. In an embodiment, the path determining module 450 may be configured to perform the operation S250 described above, which is not described herein.

The application test module 460 is configured to test an application to be tested based on the test path, and determine a test result of the application to be tested. In an embodiment, the application test module 460 may be used to perform the operation S260 described above, which is not described herein.

According to an embodiment of the invention, the information analysis module 420 includes a status determination sub-module and a response result determination sub-module.

And the state determination submodule is used for analyzing each entry point information by utilizing the large language model, and determining the page state of the current application page after the entry point information is operated.

And the response result determination submodule is used for determining the operation response result of the operable item based on the page state and the page state before the operation is performed on the operable item.

According to an embodiment of the invention, the state change module 440 includes a parameter configuration sub-module and a state change sub-module.

And the parameter configuration sub-module is used for carrying out parameter configuration on the entry point information under the condition that the entry point information is determined to have parameters to be configured, so as to obtain target entry point information.

And the state change sub-module is used for running the target entry point information so that the state change of the application program to be tested occurs.

According to an embodiment of the present invention, the application test module 460 includes an injection point determination sub-module, a script injection sub-module, an entry point operation sub-module, and a test result determination sub-module.

An injection point determination sub-module for determining, for each target operable item, one or more aggressor injection points present in the entry point information corresponding to the target operable item using a large language model.

And the script injection submodule is used for injecting the script to one or more attacked injection points by utilizing the attack script to obtain the information of the entry point into which the attack script is injected.

And the entry point operation submodule is used for operating the entry point information injected with the attack script and determining an operation result corresponding to the target operable item.

And the test result determining submodule is used for determining a test result based on at least one operation result.

According to an embodiment of the present invention, the test result determination submodule includes a first test result determination unit and a second test result determination unit.

The first test result determining unit is used for determining a test result representing that the application program to be tested passes the test under the condition that the operation results are all representing that the operation is normal.

And a second test result determining unit for determining a test result based on the entry point information into which the attack script is injected for obtaining the operation result in the case that the operation result representing the operation abnormality exists.

According to an embodiment of the present invention, the second test result determining unit includes an associated path determining sub-unit and a test result determining unit.

And the association path determining subunit is used for determining an association test path associated with the operation result based on the entry point information injected with the attack script.

And the test result determining unit is used for determining a test result based on the entry point information of the target operable item on the associated test path.

According to an embodiment of the present invention, the information determination module 410 includes a source code determination sub-module, a source code running sub-module, and a simulation operation sub-module.

The source code determination submodule is used for acquiring the program source code of the current application page.

And the source code running sub-module is used for running the program source codes in the virtual environment to obtain the simulation page.

And the simulation operation sub-module is used for performing simulation operation on the operation items on the simulation page and determining the entry point information of the operation items.

According to an embodiment of the invention, the operation item determination module 430 includes a change determination sub-module and an operation item determination sub-module.

And the change determination submodule is used for determining whether the state change of the application program to be tested occurs after the operation is performed on the operable item based on the operation response result.

An operation item determination submodule for determining the operable item as a target operable item in the case that a state change occurs after the operation is performed.

According to an embodiment of the present invention, the operation item determination submodule includes an operation item determination unit, a similarity determination unit, an operation item grouping unit, and a target operation item determination unit.

The page determining unit is used for determining that the operation response results represent the execution operation and the current application interface after the state change occurs.

And the operation item determining unit is used for determining at least one operable item from the current application interface.

And a similarity determination unit configured to determine, in a case where the number of the operable items is greater than 1, a similarity between the plurality of operable items based on entry point information corresponding to each of the plurality of operable items.

And the operation item grouping unit is used for dividing a plurality of operation items with similarity higher than a preset threshold value into the same operation item group.

A target operation item determination unit operable to select, for each operable item group, one from the operable item groups as a target operable item.

Any of the information determination module 410, the information analysis module 420, the operation item determination module 430, the state change module 440, the path determination module 450, and the application test module 460 may be combined in one module or any of the modules may be split into a plurality of modules according to an embodiment of the present invention. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the invention, at least one of the information determination module 410, the information analysis module 420, the operation item determination module 430, the state change module 440, the path determination module 450, and the application test module 460 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Or at least one of the information determination module 410, the information analysis module 420, the operation item determination module 430, the state change module 440, the path determination module 450, and the application test module 460 may be at least partially implemented as a computer program module, which when executed, may perform the corresponding functions.

As shown in fig. 5, an electronic device 500 according to an embodiment of the present invention includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 501 may also include on-board memory for caching purposes. The processor 501 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flow according to an embodiment of the invention.

In the RAM 503, various programs and data required for the operation of the electronic apparatus 500 are stored. The processor 501, ROM 502, and RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flow according to an embodiment of the present invention by executing programs in the ROM 502 and/or the RAM 503. Note that the program may be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of the method flow according to embodiments of the present invention by executing programs stored in the one or more memories.

According to an embodiment of the invention, the electronic device 500 may further comprise an input/output (I/O) interface 505, the input/output (I/O) interface 505 also being connected to the bus 504. The electronic device 500 may also include one or more of an input portion 506 including a keyboard, a mouse, etc., an output portion 507 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc., a storage portion 508 including a hard disk, etc., and a communication portion 509 including a network interface card such as a LAN card, a modem, etc., connected to an input/output (I/O) interface 505. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to an input/output (I/O) interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as needed so that a computer program read therefrom is mounted into the storage section 508 as needed.

The present invention also provides a computer-readable storage medium that may be included in the apparatus/device/system described in the above embodiments, or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present invention.

According to embodiments of the invention, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the invention, the computer-readable storage medium may include ROM 502 and/or RAM 503 and/or one or more memories other than ROM 502 and RAM 503 described above.

Embodiments of the present invention also include a computer program product comprising a computer program containing program code for performing the method shown in the flowcharts. The program code means for causing a computer system to carry out the methods provided by embodiments of the present invention when the computer program product is run on the computer system.

The above-described functions defined in the system/apparatus of the embodiment of the present invention are performed when the computer program is executed by the processor 501. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the invention.

In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, and/or installed from a removable medium 511 via the communication portion 509. The computer program may comprise program code that is transmitted using any appropriate network medium, including but not limited to wireless, wireline, etc., or any suitable combination of the preceding.

In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 509, and/or installed from the removable media 511. The above-described functions defined in the system of the embodiment of the present invention are performed when the computer program is executed by the processor 501. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the invention.

According to embodiments of the present invention, program code for carrying out computer programs provided by embodiments of the present invention may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, such as Java, c++, python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Those skilled in the art will appreciate that the features recited in the various embodiments of the invention can be combined and/or combined in a variety of ways, even if such combinations or combinations are not explicitly recited in the present invention. In particular, the features recited in the various embodiments of the invention can be combined and/or combined in various ways without departing from the spirit and teachings of the invention. All such combinations and/or combinations fall within the scope of the invention.

The embodiments of the present invention are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the invention, and such alternatives and modifications are intended to fall within the scope of the invention.

Claims

1. An application testing method, the method comprising:

Determining at least one entry point information in program source codes based on the program source codes of a current application page of an application program to be tested, wherein the entry point information characterizes a program segment for executing an operation corresponding to an operable item on the current application page;

Analyzing the at least one entry point information by using a large language model, and determining operation response results of at least one operable item corresponding to the at least one entry point information, wherein the operation response results represent influences on the current application page when the operation is performed in response to the operable item;

Determining a target operable item from at least one of the operable items based on at least one of the operation response results;

Simulating and triggering the target operable item to run the entry point information corresponding to the target operable item, so that the application program to be tested is subjected to state change;

Repeatedly executing the above operation until the last application page is jumped to, determining a test path based on the multiple target operable items and the jump relationship, and

And testing the application program to be tested based on the test path, and determining a test result of the application program to be tested.

2. The method of claim 1, wherein analyzing the at least one entry point information using the large language model to determine operational response results for each of at least one operational item corresponding to each of the at least one entry point information comprises:

Analyzing each of the entry point information by using the large language model, determining a page status of the current application page after running the entry point information, and

And determining an operation response result of the operable item based on the page state and the page state before the operation is performed on the operable item.

3. The method of claim 1, wherein the simulating triggers the target actionable item to run entry point information corresponding to the target actionable item such that the application under test exhibits a state change, comprising:

Under the condition that the parameters to be configured exist in the entry point information, carrying out parameter configuration on the entry point information to obtain target entry point information, and

And running the target entry point information so that the application program to be tested has state change.

4. The method of claim 1, wherein the testing the application under test based on the test path, determining the test result of the application under test, comprises:

For each of the target actionable items,

Determining, using the large language model, one or more aggressor injection points present in the entry point information corresponding to the target operational item;

performing script injection on the one or more attacked injection points by using an attack script to obtain entry point information into which the attack script is injected;

running the entry point information injected with the attack script, determining the operation result corresponding to the target operable item, and

Determining the test result based on at least one operation result.

5. The method of claim 4, wherein the determining the test result based on at least one of the operation results comprises:

Under the condition that the operation results are all characterized as normal in operation, determining the test result which is characterized as that the application program to be tested passes the test;

and in the case that the operation result representing the operation abnormality exists, determining the test result based on the entry point information into which the attack script is injected for obtaining the operation result.

6. The method of claim 5, wherein the determining the test result based on the entry point information injected with the attack script for obtaining the operation result in the presence of the operation result characterizing the operation abnormality comprises:

determining an associated test path associated with the operation result based on the entry point information into which the attack script is injected, and

And determining the test result based on the entry point information of the target operable item on the associated test path.

7. The method of claim 1, wherein the determining at least one entry point information in program source code based on the program source code of a current application page of an application to be tested comprises:

acquiring the program source code of the current application page;

running the program source code in a virtual environment to obtain a simulation page, and

And performing simulation operation on the operation items on the simulation page, and determining the entry point information of the operation items.

8. The method of claim 1, wherein determining a target actionable item from the at least one actionable item based on a plurality of the action response results comprises:

determining whether or not a state change occurs to the application to be tested in response to the operation performed on the operable item based on the operation response result, and

After performing an operation, in the event of a state change, the actionable item is determined to be the target actionable item.

9. The method of claim 8, wherein the determining the actionable item as the target actionable item in the event of a state change after performing an operation comprises:

Determining the operation response result to represent the execution operation, and generating a current application interface after state change;

Determining at least one of the actionable items from the current application interface;

Determining, in a case where the number of the operable items is greater than 1, a similarity between a plurality of the operable items based on entry point information corresponding to each of the plurality of the operable items;

Dividing the plurality of the operable items with the similarity higher than a preset threshold into the same operable item group, and

For each of the groupings of actionable items, selecting one of the groupings of actionable items as the target actionable item.

10. An application testing apparatus, the apparatus comprising:

The information determining module is used for determining at least one entry point information in program source codes based on the program source codes of a current application page of an application program to be tested, wherein the entry point information represents a program segment for executing an operation corresponding to an operable item on the current application page;

The information analysis module is used for analyzing the at least one entry point information by utilizing a large language model and determining operation response results of at least one operable item corresponding to the at least one entry point information, wherein the operation response results represent influences on the current application page when the operation is performed in response to the operable item;

An operation item determining module for determining a target operable item from at least one operable item based on at least one of the operation response results;

The state change module is used for simulating and triggering the target operable item to run the entry point information corresponding to the target operable item so that the application program to be tested is subjected to state change;

A path determining module for repeatedly executing the above operations until the last application page is jumped, determining a test path based on the multiple target operable items and the jump relationship, and

And the application test module is used for testing the application program to be tested based on the test path and determining the test result of the application program to be tested.