A Systematic Approach to Web Application Penetration Testing Using TTCN-3

Penetration testing is critical for ensuring web application security. It is often implemented using traditional 3GL web test frameworks (e.g. HttpUnit, HtmlUnit). There is little awareness in the literature that a test specification language like TTCN-3 can be effectively combined with such frameworks. In this paper, we identify the essential aspects of TTCN-3 for penetration testing and how best to use them. These include separating abstract test logic from concrete data extraction logic, as well as support for templates, matching test oracles and parallel test components. The advantages of leveraging TTCN-3 together with 3GL web test frameworks for penetration testing is demonstrated and evaluated using example scenarios. The work was performed with a prototype TTCN-3 tool that extends the TTCN-3 model architecture to support the required integration with 3GL web test frameworks. A concrete proposal for modifying the TTCN-3 standard to support this refinement is described.

[1]  Andres Andreu Professional pen testing for Web applications , 2006 .

[2]  Gary McGraw,et al.  Software Penetration Testing , 2005, IEEE Secur. Priv..

[3]  Gary McGraw,et al.  Software Security Testing , 2004, IEEE Secur. Priv..

[4]  Steve Splaine Testing Web Security: Assessing the Security of Web Sites and Applications , 2002 .

[5]  Liam Peyton,et al.  Framework testing of web applications using TTCN-3 , 2008, International Journal on Software Tools for Technology Transfer.

[6]  Krzysztof M. Brzezinski,et al.  Intrusion Detection as Passive Testing: Linguistic Support with TTCN-3 (Extended Abstract) , 2007, DIMVA.

[7]  Tiziana Margaria,et al.  The Testing and Test Control Notation TTCN-3 and its Use , 2012 .

[8]  Pavel Laskov,et al.  Detection of Intrusions and Malware, and Vulnerability Assessment: 19th International Conference, DIMVA 2022, Cagliari, Italy, June 29 –July 1, 2022, Proceedings , 2022, International Conference on Detection of intrusions and malware, and vulnerability assessment.

[9]  Matt Bishop,et al.  About Penetration Testing , 2007, IEEE Security & Privacy.

[10]  Liam Peyton,et al.  Model-Based Penetration Test Framework for Web Applications Using TTCN-3 , 2009, MCETECH.

[11]  Steve W. Manzuik,et al.  Windows of Vulnerability , 2006 .

[12]  Steve W. Manzuik,et al.  Network Security Assessment: From Vulnerability to Patch , 2006 .

[13]  Herbert H. Thompson Application Penetration Testing , 2005, IEEE Secur. Priv..

[14]  Steven Palmer Web Application Vulnerabilities: Detect, Exploit, Prevent , 2007 .