Attack Pattern-Based Combinatorial Testing with Constraints for Web Security Testing

Bibliographic Details
Published in: 2015 IEEE International Conference on Software Quality, Reliability and Security, pp. 207 - 212
Main Authors: Bozic, Josip, Garn, Bernhard, Kapsalis, Ioannis, Simos, Dimitris, Winkler, Severin, Wotawa, Franz
Format: Conference Proceeding
Language: English
Published: IEEE 01-08-2015
Description
Summary: Security testing of web applications remains a major problem of software engineering. In order to reveal vulnerabilities, manual and automatic testing approaches use different strategies to find the kinds of inputs that might lead to a security breach. In this paper we compare a state-of-the-art manual testing tool with an automated one that is based on model-based testing. The first tool requires input from the tester, whereas the second reduces the amount of manual manipulation needed. Both approaches depend on their respective test case generation technique, and the inputs it produces are executed against the system under test (SUT). For this purpose we enhance a novel technique that combines a combinatorial testing technique for input generation with a model-based technique for test execution. In this work the input parameter modelling is improved by adding constraints, so that more comprehensive and sophisticated test inputs are generated. The evaluation results indicate that both techniques succeed in detecting security vulnerabilities in web applications, with different results depending on the underlying logic of the testing approach. Last but not least, we claim that attack pattern-based combinatorial testing with constraints can be an alternative method for web application security testing, especially when compared to other test generation techniques such as fuzz testing.
DOI: 10.1109/QRS.2015.38
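The summary speaks of a combinatorial technique for input generation and of constraints added to the input parameter model. The following Python is an added illustration of what that means in practice; it is not the paper's tool, and the parameter names, values and constraints are constructed for this example. It models fragments of a reflected-XSS attack pattern as parameters, excludes combinations that cannot form a meaningful payload with constraints, generates a 2-way (pairwise) covering array greedily over the remaining combinations, and renders each abstract test into the concrete string that would be sent to the SUT.

```python
"""Pairwise attack-input generation with constraints (added illustration).

Not the paper's tool or parameter model: the parameters, values and
constraints below are constructed for this example. It shows an
input-parameter model whose values are fragments of an attack pattern
(reflected XSS), constraints that exclude combinations which cannot form a
working payload, greedy 2-way covering-array generation over the remaining
combinations, and rendering of each abstract test into a concrete input.
"""
import html
import urllib.parse
from itertools import combinations, product

# Input parameter model (constructed): parameter -> candidate values.
MODEL = {
    "tag": ["script", "img", "svg"],
    "event": ["none", "onerror", "onload"],
    "payload": ["alert(1)", "confirm(1)", "prompt(1)"],
    "encoding": ["plain", "html_entity", "url"],
}

# Constraints (constructed): predicates a complete assignment must satisfy.
# Without them pairwise generation would emit e.g. tag=script with
# event=onerror, which never forms a working payload and wastes requests.
CONSTRAINTS = [
    # <script> executes its body, so it gets no event handler here
    lambda t: not (t["tag"] == "script" and t["event"] != "none"),
    # <img> and <svg> execute only through an event handler
    lambda t: not (t["tag"] != "script" and t["event"] == "none"),
    # onerror is modelled only on <img> (it needs a failing src)
    lambda t: not (t["event"] == "onerror" and t["tag"] != "img"),
]


def satisfies(test):
    return all(c(test) for c in CONSTRAINTS)


def valid_tests():
    """Every complete assignment that satisfies all constraints.

    Enumerating the full product is fine for a model this small (81
    combinations); larger models need a constraint-aware generator."""
    names = list(MODEL)
    tests = [dict(zip(names, values))
             for values in product(*(MODEL[n] for n in names))]
    return [t for t in tests if satisfies(t)]


def pairs_of(test):
    """The 2-way interactions ((p1, v1), (p2, v2)) present in one test."""
    return {((a, test[a]), (b, test[b])) for a, b in combinations(MODEL, 2)}


def required_pairs():
    """Pairs that must be covered: those appearing in some valid test.
    Pairs that occur only in constraint-violating tests are dropped."""
    req = set()
    for t in valid_tests():
        req |= pairs_of(t)
    return req


def generate_pairwise():
    """Greedy covering array: repeatedly take the valid test that covers
    the most still-uncovered required pairs until none remain."""
    candidates = valid_tests()
    uncovered = required_pairs()
    suite = []
    while uncovered:
        # every required pair belongs to some candidate, so this always gains
        best = max(candidates, key=lambda t: len(pairs_of(t) & uncovered))
        suite.append(best)
        uncovered -= pairs_of(best)
    return suite


def uncovered_pairs(suite):
    """Required pairs the given suite fails to cover (empty set = complete)."""
    covered = set()
    for t in suite:
        covered |= pairs_of(t)
    return required_pairs() - covered


def render(test):
    """Turn an abstract test into the concrete string sent to the SUT."""
    if test["tag"] == "script":
        raw = f'<script>{test["payload"]}</script>'
    else:
        src = " src=x" if test["tag"] == "img" else ""
        raw = f'<{test["tag"]}{src} {test["event"]}="{test["payload"]}">'
    if test["encoding"] == "html_entity":
        return html.escape(raw, quote=True)
    if test["encoding"] == "url":
        return urllib.parse.quote(raw, safe="")
    return raw


if __name__ == "__main__":
    suite = generate_pairwise()
    print(f"{len(suite)} tests cover all {len(required_pairs())} required "
          f"pairs ({len(valid_tests())} of 81 combinations satisfy the constraints)")
    for t in suite:
        print(render(t))
```

The point of the constraints is visible in the numbers: of the 81 raw combinations only 36 satisfy them, and the pairs that exist solely in rejected combinations (such as tag=script with event=onload) are never demanded of the covering array, so the generated suite stays small and every test it contains is a payload worth sending.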