Using TTCN-3 as a modeling language for web penetration testing

Penetration testing is widely used for vulnerability assessment of web applications. Usually, it is performed by specialized security experts after development is completed and the application has been deployed into production, but recent research has proposed a model-based penetration test framework for web applications that provides a repeatable, systematic and cost-efficient approach fully integrated into a security-oriented software development life cycle. In this context, we evaluate the test specification language TTCN-3 as a modeling language for web penetration testing and show how its inherent abstraction features make the process of generating web penetration test campaigns easier. In particular, we demonstrate the advantages of combining separate models for the relevant web vulnerabilities and web application functionalities with a generic web abstraction model and a TTCN-3 test framework model.
