DocumentCode :
1955097
Title :
MUTEC: Mutation-based testing of Cross Site Scripting
Author :
Shahriar, Hossain ; Zulkernine, Mohammad
Author_Institution :
Sch. of Comput., Queen's Univ., Kingston, ON
fYear :
2009
fDate :
19-19 May 2009
Firstpage :
47
Lastpage :
53
Abstract :
Cross Site Scripting (XSS) is one of the worst vulnerabilities that allow malicious attacks such as cookie thefts and Web page defacements. Testing an implementation against XSS vulnerabilities (XSSVs) can avoid these consequences. Obtaining an adequate test data set is essential for testing of XSSVs. An adequate test data set contains effective test cases that can reveal XSSVs. Unfortunately, traditional testing techniques for XSSVs do not address the issue of adequate testing. In this work, we apply the idea of mutation-based testing technique to generate adequate test data sets for testing XSSVs. Our work addresses XSSVs related to Web-applications that use PHP and JavaScript code to generate dynamic HTML contents. We propose 11 mutation operators to force the generation of adequate test data set. A prototype mutation-based testing tool named MUTEC is developed to generate mutants automatically. The proposed operators are validated by using five open source applications having XSSVs. The results indicate that the proposed operators are effective for testing XSSVs.
Keywords :
Internet; Java; hypermedia markup languages; program testing; security of data; JavaScript code; PHP; Web-application; XSS vulnerability; cross site scripting; dynamic HTML content; malicious attack; mutation-based testing technique; Automatic testing; Genetic mutations; HTML; Java; Markup languages; Monitoring; Performance evaluation; Prototypes; Security; Web pages;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Software Engineering for Secure Systems, 2009. SESS '09. ICSE Workshop on
Conference_Location :
Vancouver, BC
Print_ISBN :
978-1-4244-3725-2
Type :
conf
DOI :
10.1109/IWSESS.2009.5068458
Filename :
5068458