Penetration Testing with Improved Input Vector Identification

Penetration testing is widely used to help ensure the security of web applications. It discovers vulnerabilities by simulating attacks from malicious users on a target application. Identifying the input vectors of a web application and checking the results of an attack are important parts of penetration testing, as they indicate where an attack could be introduced and whether an attempted attack was successful. Current techniques for identifying input vectors and checking attack results are typically ad-hoc and incomplete, which can leave parts of an application untested and vulnerabilities undiscovered. In this paper, we propose a new approach to penetration testing that addresses these limitations by leveraging two recently-developed analysis techniques. The first is used to identify a web application's possible input vectors, and the second is used to automatically check whether an attack resulted in an injection. To empirically evaluate our approach, we compare it against a state-of-the-art alternative technique. Our results show that our approach performs more thorough penetration testing and leads to the discovery of more vulnerabilities.
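The second component described above, the automated check of whether an attack attempt actually resulted in an injection, can be realized as a syntax-aware oracle: the generated SQL query is tokenized, each character is labelled as coming from the trusted query template or from untrusted input, and the attempt counts as an injection when untrusted characters end up in a token that is not a string or numeric literal. The following is an added illustration of that idea, not the paper's own implementation; the tokenizer, the query templates (`name_query`, `id_query`) and the sample inputs are constructed for this example.

```python
import re

# Minimal SQL tokenizer for the oracle. Order matters: comments and string
# literals must be tried before the operator catch-all. A lone quote that does
# not close a literal matches nothing, which the oracle treats as a malformed query.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>!=|<>|<=|>=|\|\||[^\s\w'])
""", re.VERBOSE | re.DOTALL)

def build_query(parts):
    """parts: sequence of (text, trusted). Returns the query and a per-character trust flag."""
    query = "".join(text for text, _ in parts)
    trusted = [flag for text, flag in parts for _ in text]
    return query, trusted

def injection_occurred(parts):
    """Syntax-aware oracle: True if untrusted characters shape a keyword, identifier,
    operator or comment, or if the assembled query is no longer tokenizable."""
    query, trusted = build_query(parts)
    pos = 0
    for m in TOKEN_RE.finditer(query):
        if m.start() != pos:          # a character no rule matched: query syntax is broken
            return True
        pos = m.end()
        if m.lastgroup == "ws":
            continue
        if m.lastgroup not in ("string", "number") and not all(trusted[m.start():pos]):
            return True
    return pos != len(query)

# Constructed query templates standing in for an application's input vectors.
def name_query(value):      # string-valued parameter, quoted by the template
    return [("SELECT * FROM users WHERE name = '", True), (value, False), ("'", True)]

def id_query(value):        # numeric parameter, unquoted by the template
    return [("SELECT * FROM items WHERE id = ", True), (value, False)]

if __name__ == "__main__":
    # Constructed benign and attack inputs; the oracle tells the two apart by token structure.
    for v in ("alice", "O''Brien", "x' OR '1'='1", "admin'--"):
        print(f"name={v!r:18} injection={injection_occurred(name_query(v))}")
    for v in ("42", "42 OR 1=1"):
        print(f"id={v!r:20} injection={injection_occurred(id_query(v))}")
```

The benign value `O''Brien` (escaped quote) stays inside one string literal and passes, while `O'Brien` unescaped would be flagged because `Brien` becomes an identifier built from untrusted characters.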
