research-article (ACM DL id 10.5555/2663608.2663612)

Grammar based oracle for security testing of web applications

Published: 02 June 2012

Abstract

The goal of security testing is to detect defects that could be exploited to conduct attacks. Existing work, however, addresses security testing mostly from the point of view of automatically generating test cases; less attention is paid to developing a security oracle and integrating it into the testing process.
In this paper we address the problem of the security oracle, in particular for Cross-Site Scripting (XSS) vulnerabilities. We rely on existing test cases to collect HTML pages in safe conditions, i.e. when no attack is run. These pages are then used to construct the safe model of the application under analysis: a model that describes the structure of the application's response pages for safe input values. The oracle reports a successful attack when a test makes the application display a web page that does not comply with the safe model.
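The following is an added example and not code from the paper. The paper infers a grammar of the safe pages; this sketch uses a deliberately simpler safe model, a set of page skeletons built from tag names, attribute names and the URL scheme of href/src/action attributes, with runs of identical sibling subtrees collapsed so that the number of result rows does not matter. The search application, its renderer with an escaped and a deliberately unescaped mode, the sample pages and all names (SkeletonBuilder, skeleton, build_safe_model, is_compliant, render) are constructed for the illustration; it runs offline on the Python standard library.

```python
"""Added sketch of a structural "safe model" oracle for XSS (not the paper's grammar
inference): learn the structure of responses seen under safe inputs, then flag any
response whose structure is not in the model."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction"}


def attr_signature(name, value):
    """Abstract an attribute to its name; for URL-valued attributes keep the URL
    scheme, so href="javascript:..." differs structurally from href="/item/1"."""
    name = name.lower()
    if name in URL_ATTRS:
        scheme = urlsplit((value or "").strip()).scheme
        return f"{name}:{scheme or 'relative'}"
    return name


class SkeletonBuilder(HTMLParser):
    """Build an element tree keeping tags and attribute signatures, dropping text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = ["#root", (), []]
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        node = [tag, tuple(sorted(attr_signature(n, v) for n, v in attrs)), []]
        self.stack[-1][2].append(node)
        if tag not in VOID_TAGS:          # void elements never get children
            self.stack.append(node)

    def handle_endtag(self, tag):
        tag = tag.lower()
        for i in range(len(self.stack) - 1, 0, -1):   # pop to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return
        # a stray close tag is ignored, as a lenient browser parser would


def skeleton(page):
    """Parse a page into a hashable skeleton. Runs of identical sibling subtrees
    (e.g. N result rows) collapse to one, so record counts do not change the model."""
    def freeze(node):
        tag, attrs, children = node
        collapsed = []
        for child in (freeze(c) for c in children):
            if not collapsed or collapsed[-1] != child:
                collapsed.append(child)
        return (tag, attrs, tuple(collapsed))
    builder = SkeletonBuilder()
    builder.feed(page)
    builder.close()
    return freeze(builder.root)


def build_safe_model(safe_pages):
    """Safe model = the set of skeletons observed while running the safe test cases."""
    return {skeleton(p) for p in safe_pages}


def is_compliant(model, page):
    """The oracle: a response counts as attacked iff its skeleton is not in the model."""
    return skeleton(page) in model


# Constructed sample application (not from the paper): a search page that reflects the
# query and lists stored results. escape=False simulates the vulnerable version.
def render(query, results, escape=True):
    esc = html.escape if escape else (lambda s: s)
    items = "".join(f'<li><a href="{esc(url)}">{esc(title)}</a></li>' for title, url in results)
    return (f"<html><head><title>Search</title></head><body>"
            f'<form action="/search"><input name="q" value="{esc(query)}"></form>'
            f"<p>Results for {esc(query)}</p><ul>{items}</ul></body></html>")


# Safe pages collected from the existing (non-attack) test cases.
SAFE_PAGES = [
    render("shoes", [("Boot", "/item/1"), ("Sandal", "/item/2"), ("Clog", "/item/3")]),
    render("hat", [("Hat", "/item/9")]),
    render("nothing here", []),
]
SAFE_MODEL = build_safe_model(SAFE_PAGES)

if __name__ == "__main__":
    probes = {
        "escaped reflection": render("<script>alert(1)</script>", [("Hat", "/item/9")]),
        "reflected script": render("<script>alert(1)</script>", [("Hat", "/item/9")], escape=False),
        "attribute break-out": render('"><img src=x onerror=alert(1)>', [("Hat", "/item/9")], escape=False),
        "stored javascript: URL": render("hat", [("Hat", "javascript:alert(1)")]),
    }
    for name, page in probes.items():
        print(f"{name:24s} compliant={is_compliant(SAFE_MODEL, page)}")
```

Two properties of the oracle follow directly from the model, not from the oracle idea itself. First, what it catches is decided by the abstraction: an injected element, a new event-handler attribute, or a `javascript:` scheme changes the skeleton, but a payload that lands inside an existing non-URL attribute value or inside the text of an existing script element leaves the skeleton unchanged and is missed. Second, the model is only as complete as the safe test suite: a legitimate page layout that no safe test case exercised (here, the zero-result page had to be observed) is reported as an attack.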

Published In

cover image ACM Conferences
AST '12: Proceedings of the 7th International Workshop on Automation of Software Test
June 2012
159 pages
ISBN:9781467318228

Publisher

IEEE Press

Author Tags

  1. cross site scripting
  2. security testing
  3. test oracle

Conference

ICSE '12