• DocumentCode
    2089874
  • Title

    SPaCiTE -- Web Application Testing Engine

  • Author

    Büchler, Matthias ; Oudinet, Johan ; Pretschner, Alexander

  • Author_Institution
    Karlsruhe Inst. of Technol., Karlsruhe, Germany
  • fYear
    2012
  • fDate
    17-21 April 2012
  • Firstpage
    858
  • Lastpage
    859
  • Abstract
    Web applications and web services enjoy an ever-increasing popularity. Such applications have to face a variety of sophisticated and subtle attacks. The difficulty of identifying respective vulnerabilities steadily increases with the complexity of applications. Moreover, the art of penetration testing predominantly depends on the skills of highly trained test experts. The difficulty to test web applications hence represents a daunting challenge to their developers. As a step towards improving security analyses, model checking has, at the model level, been found capable of identifying complex attacks and thus moving security analyses towards a push-button technology. In order to bridge the gap with actual systems, we present Spa Cite. This tool relies on a dedicated model-checker for security analyses that generates potential attacks with regard to common vulnerabilities in web applications. Then, it semi-automatically runs those attacks on the System Under Validation (SUV) and reports which vulnerabilities were successfully exploited. We applied Spa Cite to Role-Based-Access-Control (RBAC) and Cross-Site Scripting (XSS) lessons of Web Goat, an insecure web application maintained by OWASP. The tool successfully reproduced RBAC and XSS attacks.
  • Keywords
    Web services; authorisation; program testing; program verification; OWASP; RBAC attacks; SPaCiTE; SUV; Web Goat; Web application testing engine; Web services; XSS attacks; cross-site scripting lessons; model checking; penetration testing; potential attack generation; push-button technology; role-based-access-control; security analyses; system under validation; Access control; Analytical models; Browsers; Engines; Protocols; Testing; WebGoat; bridging abstraction gaps; fault-injection; model-checking; mutation testing; security testing; web application;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Testing, Verification and Validation (ICST), 2012 IEEE Fifth International Conference on
  • Conference_Location
    Montreal, QC
  • Print_ISBN
    978-1-4577-1906-6
  • Type

    conf

  • DOI
    10.1109/ICST.2012.187
  • Filename
    6200199