A testing framework for Web application security assessment

The rapid development phases and extremely short turnaround time of Web applications make it difficult to eliminate their vulnerabilities. Here we study how software testing techniques such as fault injection and runtime monitoring can be applied to Web applications. We implemented our proposed mechanisms in the Web Application Vulnerability and Error Scanner (WAVES), a black-box testing framework for automated Web application security assessment. Real-world situations are used to test WAVES and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.
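The abstract names fault injection and runtime monitoring as the testing techniques WAVES applies to Web applications. The following Python harness is an added illustration of that combination and is not WAVES' own code: `weak_handler`, `hardened_handler`, the `FAULT_CASES` table and the `order_invariant` check are constructed stand-ins for a form-processing request handler and its specification. The harness treats the handler as a black box, submits each malformed field value, and a monitor classifies what came back (handled rejection, unhandled exception, internal error text leaking into the response, or a response that violates the stated invariant).

```python
"""Black-box fault injection with runtime monitoring against a form handler.

Added example; the handlers and fault cases below are constructed for
illustration and are not taken from the WAVES paper.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_QTY = 1000  # assumed business rule: an order covers 1..1000 units

# Constructed fault cases: generic malformed or boundary values a black-box
# tester submits into one form field to observe how the handler copes.
FAULT_CASES: Dict[str, str] = {
    "empty": "",
    "whitespace_only": "   \t  ",
    "very_long": "A" * 10_000,
    "control_chars": "abc\x00\x07def",
    "non_ascii": "za\u017c\u00f3\u0142\u0107",
    "numeric_overflow": "9" * 40,
    "negative_number": "-1",
}

ORDER_RE = re.compile(r"^ordered (-?\d+) units$")


def order_invariant(body: str) -> bool:
    """Specification check on a successful response: quantity within range."""
    m = ORDER_RE.match(body)
    return m is not None and 1 <= int(m.group(1)) <= MAX_QTY


@dataclass
class Observation:
    case: str
    outcome: str  # "ok", "rejected", "crash", "info_leak" or "spec_violation"
    detail: str = ""


Handler = Callable[[Dict[str, str]], str]


def monitor(handler: Handler, case: str, value: str) -> Observation:
    """Run one injected value through the handler and classify the behaviour."""
    try:
        body = handler({"quantity": value})
    except Exception as exc:  # unhandled exception is a crash-class defect
        return Observation(case, "crash", f"{type(exc).__name__}: {exc}")
    # Internal error text reaching the client is an information leak.
    if "Traceback" in body or "Exception" in body:
        return Observation(case, "info_leak", body[:60])
    if body.startswith("error:"):
        return Observation(case, "rejected", body)
    if not order_invariant(body):
        return Observation(case, "spec_violation", body[:60])
    return Observation(case, "ok", body)


def inject_faults(handler: Handler) -> List[Observation]:
    return [monitor(handler, name, value) for name, value in FAULT_CASES.items()]


def outcomes(handler: Handler) -> Dict[str, str]:
    """Map each fault case to the monitored outcome for this handler."""
    return {o.case: o.outcome for o in inject_faults(handler)}


def defects(handler: Handler) -> List[str]:
    """Fault cases the handler mishandled (anything other than ok/rejected)."""
    return [o.case for o in inject_faults(handler)
            if o.outcome not in ("ok", "rejected")]


# Constructed weak handler: converts the field blindly and, on failure,
# renders a debug-style page that echoes the internal exception.
def weak_handler(form: Dict[str, str]) -> str:
    try:
        qty = int(form["quantity"])
        return f"ordered {qty} units"
    except ValueError as exc:
        return f"<pre>Traceback (most recent call last): ValueError: {exc}</pre>"


# Constructed hardened handler: validates shape and range before converting
# and returns a fixed, non-revealing error message.
def hardened_handler(form: Dict[str, str]) -> str:
    raw = form.get("quantity", "").strip()
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 4:
        return "error: quantity must be a whole number between 1 and 1000"
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY:
        return "error: quantity must be a whole number between 1 and 1000"
    return f"ordered {qty} units"


if __name__ == "__main__":
    for name, handler in (("weak", weak_handler), ("hardened", hardened_handler)):
        print(f"== {name} handler ==")
        for obs in inject_faults(handler):
            print(f"{obs.case:18} {obs.outcome:15} {obs.detail!r}")
```

Running the block prints one line per fault case for each handler; the weak handler leaks its exception text for every non-numeric input and accepts out-of-range quantities, while the hardened handler rejects all seven cases with the same fixed message. The monitor is deliberately separated from the injector so that the same classification can be applied to responses captured from a real HTTP endpoint in place of the in-process handler.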
