Leveraging User Interactions for In-Depth Testing of Web Applications

Over the last few years, the complexity of web applications has grown significantly, rivalling desktop programs in functionality and design. Along with the rising popularity of web applications, the number of exploitable bugs has also increased significantly. Web application flaws, such as cross-site scripting or SQL injection bugs, now account for more than two thirds of the reported security vulnerabilities. Black-box testing is a common approach to improving software quality and detecting bugs before deployment. A number of vulnerability scanners, or fuzzers, exist that expose web applications to a barrage of malformed inputs in the hope of identifying input validation errors. Unfortunately, these scanners often fail to test a substantial fraction of a web application's logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that aggressively check the correctness of the provided values. In this paper, we present an automated testing tool that can find reflected and stored cross-site scripting (XSS) vulnerabilities in web applications. The core of our system is a black-box vulnerability scanner. This scanner is enhanced by techniques that allow one to generate more comprehensive test cases and explore a larger fraction of the application. Our experiments demonstrate that our approach tests these programs more thoroughly and identifies more bugs than a number of open-source and commercial web vulnerability scanners.
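The following Python sketch is an added illustration of the problem the abstract describes; it is not code from the paper or from the tool it presents. It assumes a constructed toy form handler (`toy_register`) that validates an e-mail address and an age before echoing the submitted values into an HTML page, with one field (`bio`) written out unencoded. A naive probe that stuffs every parameter with an attack marker never gets past the validation checks and finds nothing, whereas a probe that keeps every other field at a valid value and injects one field at a time reaches the page logic behind the form and detects the unencoded reflection.

```python
import html
import re
import secrets
from typing import Callable, Dict, List

# Constructed toy "web application" standing in for a real server so the
# example runs offline. It checks two fields strictly and then builds a page.
def toy_register(params: Dict[str, str]) -> str:
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", params.get("email", "")):
        return "<p>Error: invalid e-mail address</p>"
    if not params.get("age", "").isdigit():
        return "<p>Error: age must be a number</p>"
    # 'nick' is HTML-encoded before being written into the page ...
    safe_nick = html.escape(params.get("nick", ""))
    # ... while 'bio' is written out raw (the assumed bug the probe should find).
    bio = params.get("bio", "")
    return f"<h1>Welcome {safe_nick}</h1><div class=bio>{bio}</div>"

# Valid values a form-analysis step might infer for each field. Supplying a
# valid value for every field other than the one under test is what lets a
# probe pass the form's checks and exercise the logic behind them.
VALID_VALUES = {
    "email": "alice@example.org",
    "age": "30",
    "nick": "alice",
    "bio": "hello",
}

def make_payload() -> str:
    # A unique random marker wrapped in characters that must be encoded in HTML
    # so that a verbatim match in the response proves the sink is unencoded.
    return f'"><x{secrets.token_hex(6)}>'

def naive_probe(app: Callable[[Dict[str, str]], str],
                fields: Dict[str, str]) -> List[str]:
    """Inject the marker into every field at once (the approach that gets stuck)."""
    payload = make_payload()
    body = app({name: payload for name in fields})
    # Validation rejects the request before any reflection can occur.
    return [name for name in fields if payload in body]

def probe_reflected_xss(app: Callable[[Dict[str, str]], str],
                        fields: Dict[str, str]) -> List[str]:
    """Return the names of fields whose value reaches the response unencoded."""
    vulnerable = []
    for name in fields:
        payload = make_payload()
        params = dict(fields)      # every other field keeps a valid value
        params[name] = payload
        body = app(params)
        if payload in body:        # raw reflection: the injected tag survived
            vulnerable.append(name)
        # html.escape(payload) in body would mean "reflected but encoded":
        # the value reaches the page, but not through an exploitable sink.
    return vulnerable

if __name__ == "__main__":
    print("naive:", naive_probe(toy_register, VALID_VALUES))
    print("per-field:", probe_reflected_xss(toy_register, VALID_VALUES))
```

The per-field probe reports only `bio`: `email` and `age` reject the marker outright, and `nick` reflects it encoded. The same marker approach extends to stored XSS by submitting the marker on one page and searching for it raw on pages rendered later.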
