DocumentCode
2089874
Title
SPaCiTE -- Web Application Testing Engine
Author
Büchler, Matthias ; Oudinet, Johan ; Pretschner, Alexander
Author_Institution
Karlsruhe Inst. of Technol., Karlsruhe, Germany
fYear
2012
fDate
17-21 April 2012
Firstpage
858
Lastpage
859
Abstract
Web applications and web services enjoy an ever-increasing popularity. Such applications have to face a variety of sophisticated and subtle attacks. The difficulty of identifying respective vulnerabilities steadily increases with the complexity of applications. Moreover, the art of penetration testing predominantly depends on the skills of highly trained test experts. The difficulty to test web applications hence represents a daunting challenge to their developers. As a step towards improving security analyses, model checking has, at the model level, been found capable of identifying complex attacks and thus moving security analyses towards a push-button technology. In order to bridge the gap with actual systems, we present Spa Cite. This tool relies on a dedicated model-checker for security analyses that generates potential attacks with regard to common vulnerabilities in web applications. Then, it semi-automatically runs those attacks on the System Under Validation (SUV) and reports which vulnerabilities were successfully exploited. We applied Spa Cite to Role-Based-Access-Control (RBAC) and Cross-Site Scripting (XSS) lessons of Web Goat, an insecure web application maintained by OWASP. The tool successfully reproduced RBAC and XSS attacks.
Keywords
Web services; authorisation; program testing; program verification; OWASP; RBAC attacks; SPaCiTE; SUV; Web Goat; Web application testing engine; Web services; XSS attacks; cross-site scripting lessons; model checking; penetration testing; potential attack generation; push-button technology; role-based-access-control; security analyses; system under validation; Access control; Analytical models; Browsers; Engines; Protocols; Testing; WebGoat; bridging abstraction gaps; fault-injection; model-checking; mutation testing; security testing; web application;
fLanguage
English
Publisher
ieee
Conference_Titel
Software Testing, Verification and Validation (ICST), 2012 IEEE Fifth International Conference on
Conference_Location
Montreal, QC
Print_ISBN
978-1-4577-1906-6
Type
conf
DOI
10.1109/ICST.2012.187
Filename
6200199
Link To Document