Title :
Security testing of web applications: A research plan
Author :
Avancini, Andrea
Author_Institution :
Fondazione Bruno Kessler, Trento, Italy
Abstract :
Cross-site scripting (XSS) vulnerabilities are flaws specific to web applications, in which missing input validation can be exploited by attackers to inject malicious code into the application under attack. To guarantee high quality of web applications in terms of security, we propose a structured approach inspired by software testing. In this paper we present our research plan and ongoing work on using security testing to address potentially attackable code. Static analysis is used to reveal candidate vulnerabilities as a set of execution conditions that could lead to an attack. We then resort to automatic test case generation to obtain input values that make the application's execution satisfy those conditions. Finally, we propose a security oracle to assess whether such test cases are instances of successful attacks.
Keywords :
Internet; program diagnostics; program testing; security of data; Web applications; XSS; automatic test case generation; candidate vulnerabilities; cross-site scripting vulnerabilities; malicious code; security oracle; security testing; software testing; static analysis; structured approach; Conferences; Genetic algorithms; HTML; Security; Software testing; USA Councils;
Conference_Title :
Software Engineering (ICSE), 2012 34th International Conference on
Conference_Location :
Zurich
Print_ISBN :
978-1-4673-1066-6
Electronic_ISBN :
0270-5257
DOI :
10.1109/ICSE.2012.6227054