Security testing of web applications: A research plan

Cross-site scripting (XSS) vulnerabilities are a class of web application flaw in which missing or insufficient input validation lets an attacker inject code, typically script, that the application echoes into its pages and that then executes in the browsers of its users. To improve the security of web applications in a systematic way, we propose a structured approach inspired by software testing. In this paper we present our research plan and ongoing work on using security testing to address potentially attackable code. Static analysis reveals candidate vulnerabilities as sets of execution conditions (for instance, the branches that must be taken for a tainted input to reach an output sink without sanitization) that could lead to an attack. We then resort to automatic test case generation to obtain the input values that make the application's execution satisfy those conditions. Finally, we propose a security oracle to assess whether the resulting test cases are instances of successful attacks.
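The three stages described above, chained on a toy handler, as an added example that is not code from this paper or from the authors' tools. The handler, the attack vocabulary, the hill-climbing generator and the oracle rule (a new script-bearing node that the page for a benign input does not have) are all constructed assumptions for illustration; the real work uses taint analysis, genetic algorithms and a structural comparison of the generated pages.

```python
"""Added example (not code from the paper): a toy run of the pipeline
static analysis -> test generation -> security oracle.  The handler, the
attack vocabulary and the oracle rule are constructed for illustration."""
import random
import string
from html import escape
from html.parser import HTMLParser

# ---- Application under test: a constructed handler with a reflected XSS -----
def render_profile(name: str, fmt: str, sanitize: bool) -> str:
    """Echo the user-controlled `name` into a page.  With sanitize=False the
    value flows from the request parameter to the HTML sink unencoded, which
    is the candidate vulnerability a taint analysis would report."""
    if fmt != "html":
        return "name=" + name           # text response: not an HTML sink
    shown = escape(name, quote=True) if sanitize else name
    return f"<html><body><h1>Hello {shown}</h1></body></html>"

# ---- Stage 1: the static-analysis result, as an execution condition ---------
# The tainted flow name -> shown -> page is guarded by one branch, so the
# report reduces to: reach the sink with fmt == "html".
TARGET_FMT = "html"

def candidate_condition(fmt: str) -> bool:
    return fmt == TARGET_FMT

def branch_distance(fmt: str) -> int:
    """0 when the branch condition holds; otherwise how far the string is from
    the constant compared at the branch, which gives the search a gradient."""
    mismatches = sum(1 for a, b in zip(fmt, TARGET_FMT) if a != b)
    return mismatches + abs(len(fmt) - len(TARGET_FMT))

# ---- Stage 2: search-based input generation ---------------------------------
def search_branch_input(seed: int, max_iters: int = 50000):
    """Hill-climb over strings until branch_distance reaches 0.  Returns the
    satisfying string, or None if the budget runs out (generation can fail)."""
    rng = random.Random(seed)
    cur = "".join(rng.choice(string.ascii_lowercase)
                  for _ in range(rng.randint(1, 8)))
    cur_d = branch_distance(cur)
    for _ in range(max_iters):
        if cur_d == 0:
            return cur
        chars = list(cur)
        op = rng.choice(("replace", "insert", "delete"))
        if op == "replace":
            chars[rng.randrange(len(chars))] = rng.choice(string.ascii_lowercase)
        elif op == "insert" and len(chars) < 8:
            chars.insert(rng.randrange(len(chars) + 1),
                         rng.choice(string.ascii_lowercase))
        elif op == "delete" and len(chars) > 1:
            del chars[rng.randrange(len(chars))]
        cand = "".join(chars)
        cand_d = branch_distance(cand)
        if cand_d <= cur_d:            # accept sideways moves to leave plateaus
            cur, cur_d = cand, cand_d
    return cur if cur_d == 0 else None

# Once the branch input is found, the tainted parameter is filled from a
# (constructed) attack vocabulary.
ATTACK_VOCABULARY = (
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
)

# ---- Stage 3: security oracle -----------------------------------------------
class ScriptNodeCounter(HTMLParser):
    """Counts nodes that can run script: <script> and any on* handler."""
    def __init__(self):
        super().__init__()
        self.count = 0
    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(k.lower().startswith("on") for k, _ in attrs):
            self.count += 1

def script_nodes(page: str) -> int:
    p = ScriptNodeCounter()
    p.feed(page)
    p.close()
    return p.count

def security_oracle(reference_page: str, test_page: str) -> bool:
    """Attack succeeded if the page for the test input has script nodes the
    page for a benign input lacks (a count-based stand-in for diffing the
    two parse trees)."""
    return script_nodes(test_page) > script_nodes(reference_page)

# ---- Driver: chain the stages -----------------------------------------------
def run_pipeline(sanitize: bool, seed: int = 0) -> bool:
    """True if some generated test case is a successful XSS per the oracle."""
    fmt = search_branch_input(seed)
    if fmt is None:
        raise RuntimeError("test generation budget exhausted")
    assert candidate_condition(fmt)
    reference = render_profile("alice", fmt, sanitize)
    for payload in ATTACK_VOCABULARY:
        page = render_profile(payload, fmt, sanitize)
        if security_oracle(reference, page):
            return True
    return False

if __name__ == "__main__":
    print("vulnerable handler:", run_pipeline(sanitize=False))   # True
    print("sanitized handler:", run_pipeline(sanitize=True))     # False
```

The oracle is the step that separates a reachable sink from an exploitable one: with `sanitize=True` the search still reaches the sink and the payload is still echoed, but it arrives as text rather than as a new script-bearing element, so the test case is not classified as an attack. A count-based check is deliberately coarse; it would miss a payload that breaks out of an existing attribute, which is why the paper's oracle compares page structure rather than counts.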
