Automated Test Generation from Vulnerability Signatures

Web applications need to validate and sanitize user inputs in order to avoid attacks such as Cross Site Scripting (XSS) and SQL Injection. Writing string manipulation code for input validation and sanitization is an error-prone process leading to many vulnerabilities in real-world web applications. Automata-based static string analysis techniques can be used to automatically compute vulnerability signatures (represented as automata) that characterize all the inputs that can exploit a vulnerability. However, there are several factors that limit the applicability of static string analysis techniques in general: 1) the undecidability of static string analysis requires the use of approximations, leading to false positives, 2) static string analysis tools do not handle all string operations, 3) the dynamic nature of scripting languages makes static analysis difficult. In this paper, we show that vulnerability signatures computed for deliberately insecure web applications (developed for demonstrating different types of vulnerabilities) can be used to generate test cases for other applications. Given a vulnerability signature represented as an automaton, we present algorithms for test case generation based on state, transition, and path coverage. These automatically generated test cases can be used to test applications that are not analyzable statically, and to discover attack strings that demonstrate how the vulnerabilities can be exploited.
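The state- and transition-coverage generation described above, as an added illustration that is not the paper's own implementation: a constructed toy signature DFA (accepting any input in which a `<` is later followed by a `>`, over a reduced alphabet) is walked with BFS so that every state, and then every transition, is exercised by a string the automaton accepts. The DFA, state names and alphabet are assumptions made for this example.

```python
from collections import deque

# Constructed toy vulnerability signature (not from the paper): a DFA that
# accepts every input containing a '<' that is later followed by a '>'.
# The alphabet is reduced to {'a', '<', '>'} to keep the example small.
ALPHABET = ("a", "<", ">")
START = "q0"
ACCEPT = {"q2"}
DELTA = {
    ("q0", "a"): "q0", ("q0", "<"): "q1", ("q0", ">"): "q0",
    ("q1", "a"): "q1", ("q1", "<"): "q1", ("q1", ">"): "q2",
    ("q2", "a"): "q2", ("q2", "<"): "q2", ("q2", ">"): "q2",
}


def accepts(word):
    """Run the DFA on word and report whether it ends in an accepting state."""
    state = START
    for c in word:
        state = DELTA[(state, c)]
    return state in ACCEPT


def shortest_word(src, targets):
    """BFS over the DFA graph: shortest string driving it from src into any target state."""
    seen = {src: ""}
    queue = deque([src])
    while queue:
        state = queue.popleft()
        if state in targets:
            return seen[state]
        for (s, c), t in DELTA.items():
            if s == state and t not in seen:
                seen[t] = seen[state] + c
                queue.append(t)
    return None  # no target state is reachable from src


def state_coverage_tests():
    """One accepted string per reachable state: reach the state, then finish in ACCEPT."""
    tests = []
    for state in sorted({s for s, _ in DELTA} | set(DELTA.values())):
        prefix, suffix = shortest_word(START, {state}), shortest_word(state, ACCEPT)
        if prefix is not None and suffix is not None and prefix + suffix not in tests:
            tests.append(prefix + suffix)
    return tests


def transition_coverage_tests():
    """One accepted string per transition: reach its source, take it, then finish in ACCEPT."""
    tests = []
    for (src, char), dst in DELTA.items():
        prefix, suffix = shortest_word(START, {src}), shortest_word(dst, ACCEPT)
        if prefix is not None and suffix is not None and prefix + char + suffix not in tests:
            tests.append(prefix + char + suffix)
    return tests
```

On this small DFA, state coverage collapses to the single string `<>` because the shortest witnesses coincide, while transition coverage yields eight distinct accepted strings, which illustrates why the stronger criteria produce more varied test inputs.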
