nach oben

Empirical Software Engineering

Erschienen in:

Open Access 13.04.2019

Search-based multi-vulnerability testing of XML injections in web applications

verfasst von: Sadeeq Jan, Annibale Panichella, Andrea Arcuri, Lionel Briand

Erschienen in: Empirical Software Engineering | Ausgabe 6/2019

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Modern web applications often interact with internal web services, which are not directly accessible to users. However, malicious user inputs can be used to exploit security vulnerabilities in web services through the application front-ends. Therefore, testing techniques have been proposed to reveal security flaws in the interactions with back-end web services, e.g., XML Injections (XMLi). Given a potentially malicious message between a web application and web services, search-based techniques have been used to find input data to mislead the web application into sending such a message, possibly compromising the target web service. However, state-of-the-art techniques focus on (search for) one single malicious message at a time.

Since, in practice, there can be many different kinds of malicious messages, with only a few of them which can possibly be generated by a given front-end, searching for one single message at a time is ineffective and may not scale. To overcome these limitations, we propose a novel co-evolutionary algorithm (COMIX) that is tailored to our problem and uncover multiple vulnerabilities at the same time. Our experiments show that COMIX outperforms a single-target search approach for XMLi and other multi-target search algorithms originally defined for white-box unit testing.

Vorheriger Artikel Mining non-functional requirements from App store reviews

Nächster Artikel Correction to: Search-based multi-vulnerability testing of XML injections in web applications

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

The name of the company cannot be revealed due to a non-disclosure agreement

https://github.com/SpiderLabs/MCIR

7 app. versions × 4 algorithms × 30 minutes × 30 repetitions = 25200 minutesor 420 hours

Afzal W, Torkar R, Feldt R (2009) A systematic review of search-based testing for non-functional system properties. Inf Softw Technol 51(6):957–976. https://doi.org/10.1016/j.infsof.2008.12.005 CrossRef

Allen FE, Cocke J (1976) A program data flow analysis procedure. Commun ACM 19(3):137–. https://doi.org/10.1145/360018.360025 MATHCrossRef

Alshraideh M, Bottaci L (2006) Search-based software test data generation for string data using program-specific search operators: Research articles. Softw Test Verif Reliab 16(3):175–203. https://doi.org/10.1002/stvr.v16:3 CrossRef

Appelt D, Nguyen C, Briand CL, Alshahwan N (2014) Automated testing for sql injection vulnerabilities: An input mutation approach. In: 2014 international symposium on software testing and analysis, ISSTA 2014 - Proceedings

Appelt D, Nguyen CD, Briand L (2015) Behind an application firewall, are we safe from SQL injection attacks?. In: 2015 IEEE 8th international conference on software testing, verification and validation (ICST), pp 1–10. https://doi.org/10.1109/ICST.2015.7102581

Arcuri A (2017) Many independent objective (MIO) algorithm for test suite generation. In: International symposium on search based software engineering (SSBSE)

Arcuri A, Fraser G (2013) Parameter tuning or default values? an empirical investigation in search-based software engineering. Empir Softw Eng 18(3):594–623CrossRef

Arcuri A, Iqbal MZZ, Briand L (2012) Random testing: Theoretical results and practical implications. IEEE Trans Software Eng 38(2):258–277. https://doi.org/10.1109/TSE.2011.121 CrossRef

Avancini A, Ceccato M (2010) Towards security testing with taint analysis and genetic algorithms. In: Proceedings of the 2010 ICSE workshop on software engineering for secure systems, SESS ’10, pp. 65–71. https://doi.org/10.1145/1809100.1809110. ACM, New York

Avancini A, Ceccato M (2011) Security testing of web applications: A search-based approach for cross-site scripting vulnerabilities. In: 2011 11th IEEE international working conference on source code analysis and manipulation (SCAM), pp 85–94. https://doi.org/10.1109/SCAM.2011.7

Bali K K, Chandra R (2015) Multi-island competitive cooperative coevolution for real parameter global optimization. In: Arik S., Huang T., Lai W. K., Liu Q. (eds) Neural information processing. Springer International Publishing, Cham, pp 127–136CrossRef

Bau J, Bursztein E, Gupta D, Mitchell J (2010) State of the art: Automated black-box web application vulnerability testing. In: 2010 IEEE symposium on security and privacy, pp 332–345. https://doi.org/10.1109/SP.2010.27

Briand L, Labiche Y, Shousha M (2006) Using genetic algorithms for early schedulability analysis and stress testing in real-time systems. Genet Program Evolvable Mach 7(2):145–170. https://doi.org/10.1007/s10710-006-9003-9 CrossRef

Chen J, Li Q, Mao C, Towey D, Zhan Y, Wang H (2014) A web services vulnerability testing approach based on combinatorial mutation and soap message mutation. Service Oriented Computing and Applications 8:1–13. https://doi.org/10.1007/s11761-013-0139-1. http://link.springer.com/article/10.1007/s11761-013-0139-1 CrossRef

Chen Q, Liu B, Zhang Q, Liang J, Suganthan P, Qu B (2014) Problem definition and evaluation criteria for cec 2015 special session and competition on bound constrained single-objective computationally expensive numerical optimization. Tech rep

Chess B, West J (2007) Secure programming with static analysis, first edn Addison-Wesley Professional

Chunlei W, Li L, Qiang L (2014) Automatic fuzz testing of web service vulnerability. In: 2014 international conference on information and communications technologies (ICT 2014), pp. 1–6. https://doi.org/10.1049/cp.2014.0589

Clause J, Orso A (2009) Penumbra: Automatically identifying failure-relevant inputs using dynamic tainting. In: Proceedings of the 18th international symposium on software testing and analysis, ISSTA ’09. https://doi.org/10.1145/1572272.1572301. ACM, New York, pp 249–260

Curbera F, Duftler M, Khalaf R, Nagy W, Mukhi N, Weerawarana S (2002) Unraveling the web services web: an introduction to soap, wsdl, and uddi. IEEE Internet Comput 6(2):86–93CrossRef

Davis P J, Rabinowitz P (2007) Methods of numerical integration. Courier Corporation

De Jong KA (1975) An analysis of the behavior of a class of genetic adaptive systems, Ph.D. thesis, Ann Arbor. AAI7609381

Deb K, Deb D (2014) Analysing mutation schemes for real-parameter genetic algorithms. Int J Artif Intelligence Soft Comput 4(1):1–28MathSciNetCrossRef

Deb K, Pratap A, Agarwal S, Meyarivan T (2002) A fast and elitist multiobjective genetic algorithm: Nsga-ii. IEEE Trans Evol Comput 6(2):182–197. https://doi.org/10.1109/4235.996017 CrossRef

Del Grosso C, Antoniol G, Merlo E, Galinier P (2008) Detecting buffer overflow via automatic test input data generation. Comput Oper Res 35(10):3125–3143. https://doi.org/10.1016/j.cor.2007.01.013 CrossRef

Felderer M, Büchler M, Johns M, Brucker AD, Breu R, Pretschner A (2016) Chapter one-security testing: a survey. Adv Comput 101:1–51CrossRef

Fielding R T (2000) Architectural styles and the design of network-based software architectures. Ph.D. thesis. University of California, Irvine

Fraser G, Arcuri A (2014) A large-scale evaluation of automated unit test generation using EvoSuite. ACM Trans Softw Eng Methodol (TOSEM) 24(2):8CrossRef

Gallagher T (2008) Automated detection of cross site scripting vulnerabilities. https://www.google.com/patents/US7343626. US Patent 7,343,626

García S, Molina D, Lozano M, Herrera F (2008) A study on the use of non-parametric tests for analyzing the evolutionary algorithms’ behaviour: a case study on the cec’2005 special session on real parameter optimization. J Heuristics 15(6):617. https://doi.org/10.1007/s10732-008-9080-4 MATHCrossRef

Goh CK, Tan KC (2009) A competitive-cooperative coevolutionary paradigm for dynamic multiobjective optimization. IEEE Trans Evol Comput 13(1):103–127. https://doi.org/10.1109/TEVC.2008.920671 CrossRef

Grefenstette J (1986) Optimization of control parameters for genetic algorithms. IEEE Trans Syst Man Cybern Syst 16(1):122–128. https://doi.org/10.1109/TSMC.1986.289288 CrossRef

Halfond W, Orso A, Manolios P (2008) Wasp: Protecting web applications using positive tainting and syntax-aware evaluation. IEEE Trans Softw Eng 34(1):65–81. https://doi.org/10.1109/TSE.2007.70748 CrossRef

Halfond WGJ, Orso A, Manolios P (2006) Using positive tainting and syntax-aware evaluation to counter sql injection attacks. In: Proceedings of the 14th ACM SIGSOFT international symposium on foundations of software engineering, SIGSOFT ’06/FSE-14. https://doi.org/10.1145/1181775.1181797. ACM, New York, pp 175–185

Harman M (2007) The current state and future of search based software engineering. In: 2007 future of software engineering, FOSE ’07. https://doi.org/10.1109/FOSE.2007.29. IEEE Computer Society, Washington, pp 342–357

Harman M, McMinn P (2010) A theoretical and empirical study of search-based testing: Local, global, and hybrid search. IEEE Trans Softw Eng 36(2):226–247. https://doi.org/10.1109/TSE.2009.71 CrossRef

Haupt R L, Haupt S E (2004) Practical genetic algorithms. Wiley, New YorkMATH

Holm S (1979) A simple sequentially rejective multiple test procedure. Scandinavian journal of statistics, pp 65–70

Huang YW, Tsai CH, Lin TP, Huang SK, Lee D, Kuo SY (2005) A testing framework for web application security assessment. Comput Netw 48 (5):739–761. https://doi.org/10.1016/j.comnet.2005.01.003. http://www.sciencedirect.com/science/article/pii/S1389128605000101. Web SecurityCrossRef

Huang YW, Yu F, Hang C, Tsai CH, Lee DT, Kuo SY (2004) Securing web application code by static analysis and runtime protection. In: Proceedings of the 13th international conference on world wide web, WWW ’04. https://doi.org/10.1145/988672.988679. ACM, New York, pp 40–52

Jan S, Nguyen C D, Arcuri A, Briand L (2017a) A search-based testing approach for xml injection vulnerabilities in web applications. In: Proceedings of the 10th IEEE International Conference on Software Testing, Verification and Validation (ICST 2017)

Jan S, Nguyen C D, Briand L (2015) Known XML vulnerabilities are still a threat to popular parsers and open source systems. In: 2015 IEEE international conference on software quality, reliability and security (QRS), pp 233–241. https://doi.org/10.1109/QRS.2015.42

Jan S, Nguyen CD, Briand L (2016) Automated and effective testing of web services for XML injection attacks. In: Proceedings of the 2016 international symposium on software testing and analysis (ISSTA)

Jan S, Panichella A, Arcuri A, Briand L (2017b) Automatic generation of tests to exploit xml injection vulnerabilities in web applications. IEEE Trans Softw Eng PP(99):1–1. https://doi.org/10.1109/TSE.2017.2778711 CrossRef

Jansen T (2002) On the analysis of dynamic restart strategies for evolutionary algorithms. In: PPSN, vol 2, pp 33–43. Springer

Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE symposium on security and privacy (S P’06), pp 6 pp–263. https://doi.org/10.1109/SP.2006.29

Jovanovic N, Kruegel C, Kirda E (2006) Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In: Proceedings of the 2006 IEEE symposium on security and privacy, SP ’06. https://doi.org/10.1109/SP.2006.29. IEEE Computer Society, Washington, pp 258–263

Junjin M (2009) An approach for sql injection vulnerability detection. In: 6th international conference on information technology: New generations, 2009. ITNG ’09, pp 1411–1414. https://doi.org/10.1109/ITNG.2009.34

Keerativuttitumrong N, Chaiyaratana N, Varavithya V (2002) Multi-objective co-operative co-evolutionary genetic algorithm. Parallel Problem Solving from Nature—PPSN VII:288–297

Kieyzun A, Guo P J, Jayaraman K, Ernst M D (2009) Automatic creation of sql injection and cross-site scripting attacks. In: 2009 IEEE 31st international conference on software engineering, pp 199–209. https://doi.org/10.1109/ICSE.2009.5070521

Kosuga Y, Kono K, Hanaoka M, Hishiyama M, Takahama Y (2007) Sania: Syntactic and semantic analysis for automated testing against sql injection. In: 23rd annual computer security applications conference (ACSAC 2007), pp 107–117

Liu H, Tan HBK (2008) Testing input validation in web applications through automated model recovery. J Syst Softw 81(2):222–233. Model-Based Software TestingCrossRef

Livshits VB, Lam MS (2005) Finding security vulnerabilities in java applications with static analysis. In: Proceedings of the 14th conference on USENIX security symposium - Volume 14, SSYM’05. http://dl.acm.org/citation.cfm?id=1251398.1251416. USENIX Association, Berkeley, pp 18–18

Magical Code Injection Rainbow (MCIR) (2016) https://github.com/SpiderLabs/MCIR/. Accessed: 2016-04-26

Mainka C, Somorovsky J, Schwenk J (2012) Penetration testing tool for web services security. In: 2012 IEEE 8th world congress on services (SERVICES), pp 163–170. https://doi.org/10.1109/SERVICES.2012.7

McMinn P (2004) Search-based software test data generation: A survey. Software Testing Verification and Reliability 14(2):105–156CrossRef

McMinn P (2004) Search-based software test data generation: A survey. Softw Test Verif Reliab 14(2):105–156. https://doi.org/10.1002/stvr.v14:2 CrossRef

Newman S (2015) Building microservices. ” O’Reilly Media Inc.”

OWASP (2016) https://www.owasp.org/index.php. Accessed: 2016-04-26

Panichella A, Kifetew F, Tonella P (2017) Automated test case generation as a many-objective optimisation problem with dynamic selection of the targets. IEEE Transactions on Software Engineering. To appear

Panichella A, Kifetew F M, Tonella P (2015) Reformulating branch coverage as a many-objective optimization problem. In: 2015 IEEE 8th international conference on software testing, verification and validation (ICST), pp 1–10. IEEE

Panichella A, Molina U R (2017) Java unit testing tool competition - fifth round. In: 10th IEEE/ACM international workshop on search-based software testing (SBST), pp 32–38. https://doi.org/10.1109/SBST.2017.7

Potter M A, De Jong K A (1994) A cooperative coevolutionary approach to function optimization. In: Davidor Y, Schwefel HP, Männer R (eds) Parallel problem solving from nature — PPSN III. Springer, Berlin, pp 249–257CrossRef

Rawat S, Mounier L (2011) Offset-aware mutation based fuzzing for buffer overflow vulnerabilities: Few preliminary results. In: 2011 IEEE 4th international conference on software testing, verification and validation workshops (ICSTW), pp 531–533. https://doi.org/10.1109/ICSTW.2011.9

Rosa T, Santin A, Malucelli A (2013) Mitigating XML injection 0-day attacks through strategy-based detection systems. IEEE Secur Priv 11(4):46–53. https://doi.org/10.1109/MSP.2012.83 CrossRef

Schaffer J D, Caruana R A, Eshelman L J, Das R (1989) A study of control parameters affecting online performance of genetic algorithms for function optimization. In: Proceedings of the third international conference on Genetic algorithms, pp. 51–60. Morgan Kaufmann Publishers Inc

Sharma SRVR, Gonzalez D (2017) Microservices: Building Scalable Software. Packt Publishing. https://books.google.lu/books?id=zU8oDwAAQBAJ

Smith J E, Fogarty T C (1996) Adaptively parameterised evolutionary systems: Self adaptive recombination and mutation in a genetic algorithm. In: Parallel problem solving from nature—PPSN IV, pp 441–450. Springer

Strom RE, Yemini S (1986) Typestate: A programming language concept for enhancing software reliability. IEEE Trans Softw Eng 12(1):157–171. https://doi.org/10.1109/TSE.1986.6312929 MATHCrossRef

Tan KC, Yang YJ, Goh CK (2006) A distributed cooperative coevolutionary algorithm for multiobjective optimization. Trans Evol Comp 10(5):527–549. https://doi.org/10.1109/TEVC.2005.860762 CrossRef

Testing for XML Injection (2016) https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008). Accessed: 2016-04-26

Thomé J, Gorla A, Zeller A (2014) Search-based security testing of web applications. In: Proceedings of the 7th international workshop on search-based software testing, SBST 2014. https://doi.org/10.1145/2593833.2593835. ACM, New York, pp 5–14

Türpe S (2011) Search-Based Application Security Testing: Towards a Structured Search Space. In: 2011 IEEE 4th international conference on software testing, verification and validation workshops (ICSTW), pp 198–201. https://doi.org/10.1109/ICSTW.2011.96

Wassermann G, Su Z (2007) Sound and precise analysis of web applications for injection vulnerabilities. SIGPLAN Not 42(6):32–41. https://doi.org/10.1145/1273442.1250739 CrossRef

Williams J, Wichers D (2013) Owasp, top 10, the ten most critical web application security risks. Tech. rep., The Open Web Application Security Project

WSFuzzer Tool (2016) https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project. Accessed: 2016-04-26

Titel: Search-based multi-vulnerability testing of XML injections in web applications
verfasst von: Sadeeq Jan
Annibale Panichella
Andrea Arcuri
Lionel Briand
Publikationsdatum: 13.04.2019
Verlag: Springer US
Erschienen in: Empirical Software Engineering / Ausgabe 6/2019
Print ISSN: 1382-3256
Elektronische ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-019-09707-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Weitere Artikel der Ausgabe 6/2019

Guest Editorial: Special Issue on Software Engineering for Mobile Applications

Empirical comparison of text-based mobile apps similarity measurement techniques

Towards understanding and detecting fake reviews in app stores

Practical and effective sandboxing for Linux containers

Evolutionary Fuzzing of Android OS Vendor System Services

Mining non-functional requirements from App store reviews

Premium Partner