Title :
Grammar based oracle for security testing of web applications
Author :
Avancini, Andrea ; Ceccato, Mariano
Author_Institution :
Fondazione Bruno Kessler, Trento, Italy
Abstract :
The goal of security testing is to detect those defects that could be exploited to conduct attacks. Existing works, however, address security testing mostly from the point of view of automatic generation of test cases. Less attention is paid to the problem of developing and integrating with a security oracle. In this paper we address the problem of the security oracle, in particular for Cross-Site Scripting vulnerabilities. We rely on existing test cases to collect HTML pages in safe conditions, i.e. when no attack is run. Pages are then used to construct the safe model of the application under analysis, a model that describes the structure of an application response page for safe input values. The oracle eventually detects a successful attack when a test makes the application display a web page that is not compliant with the safe model.
Keywords :
Internet; grammars; hypermedia markup languages; program testing; security of data; HTML pages; Web applications; Web page; application response page; automatic generation; cross-site scripting vulnerabilities; grammar based oracle; security testing; Analytical models; Computational modeling; Genetic algorithms; HTML; Security; Testing; Web pages; cross site scripting; security testing; test oracle;
Conference_Title :
Automation of Software Test (AST), 2012 7th International Workshop on
Conference_Location :
Zurich
Print_ISBN :
978-1-4673-1821-1
DOI :
10.1109/IWAST.2012.6228984