Attack pattern-based combinatorial testing

Božić, Josip; Simos, Dimitris E.; Wotawa, Franz

doi:10.1145/2593501.2593502

Cited by 20 publications

(30 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Furthermore, the paper includes a detailed case study for testing various SUTs against our automated testing method and a detailed evaluation and comparison of the two sets of test suites is presented. We also draw useful conclusions that indicate that combinatorial testing is an efficient approach for security testing, building on the comparison of the test results of the testing methods given in [4], [8], [5]. Most important we present an extensive analysis in terms of (total) vulnerabilities found by our generated test suites using the combinatorial coverage measurement (CCM) tool [9], where it is revealed that the indicated security leaks are mainly caused by the interaction of few parameters.…”

mentioning

confidence: 89%

“…Finally, combinatorial testing has recently been employed as a method to model XSS attack vectors in [4], [8]. In detail, in [4] a novel combinatorial testing technique for generation of XSS attack vectors was first defined while in [8] the applicability of the previous technique has been further demonstrated by relaxing constraints and modelling white spaces in the attack grammar.…”

Section: Related Workmentioning

confidence: 99%

“…In [4] a novel method was described that combines an adapted combinatorial testing approach for the generation of test inputs according to a specified XSS grammar with a technique, which uses patterns of attacks for the execution of test cases called attack pattern-based testing. Because the initial results for tested applications were quite optimistic, we improved that approach by extending the input grammar and adding constraints between the input parameter values in [5].…”

mentioning

confidence: 99%

“…Then, we derive four concrete sets of test suites as inputs for SUTs from the generated combinatorial structures, each two of them generated via the IPOG and the IPOG-F algorithm, respectively, also depending on whether they have constraints or not. The subsequent test execution is performed by the automated method first given in [4].…”

mentioning

confidence: 99%

See 3 more Smart Citations

Evaluation of the IPO-Family algorithms for test case generation in web security testing

Božić

Garn

Simos

et al. 2015

2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW)

Self Cite

View full text Add to dashboard Cite

Security testing of web applications remains a major problem of software engineering. In order to reveal vulnerabilities, testing approaches use different strategies for detection of certain kinds of inputs that might lead to a security breach. Such approaches depend on the corresponding test case generation technique that are executed against the system under test. In this work we examine how two of the most popular algorithms for combinatorial test case generation, namely the IPOG and IPOG-F algorithms, perform in web security testing. For generating comprehensive and sophisticated testing inputs we have used input parameter modelling which includes also constraints between the different parameter values. To handle the test execution, we make use of a recently introduced methodology which is based on model-based testing. Our evaluation indicates that both algorithms generate test inputs that succeed in revealing security leaks in web applications with IPOG-F giving overall slightly better results w.r.t. the test quality of the generated inputs. In addition, using constraints during the modelling of the attack grammars results in an increase on the number of test inputs that cause security breaches. Last but not least, a detailed analysis of our evaluation results confirms that combinatorial testing is an efficient test case generation method for web security testing as the security leaks are mainly due to the interaction of a few parameters. This statement is further supported by some combinatorial coverage measurement experiments on the successful test inputs.

show abstract

mentioning

confidence: 89%

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Evaluation of the IPO-Family algorithms for test case generation in web security testing

Božić

Garn

Simos

et al. 2015

2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Bozic et al [28] proposed attack pattern-based combinatorial testing for detecting XSS vulnerabilities in web applications. In order to increase the coverage of our attack patterns, we applied the concept of combinatorial testing, as mentioned in Section III.…”

Section: Related Workmentioning

confidence: 99%

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

Sudhodanan¹,

Armando²,

Carbone³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-aService (CaaS), Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of a single general-purpose application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box, security testing of MPWAs. Our approach stems from the observation that attacks against popular MPWAs share a number of similarities, even if the underlying protocols and services are different. In this paper, we target six different replay attacks, a login CSRF attack and a persistent XSS attack. Firstly, we propose a methodology in which security experts can create attack patterns from known attacks. Secondly, we present a security testing framework that leverages attack patterns to automatically generate test cases for testing the security of MPWAs. We implemented our ideas on top of OWASP ZAP (a popular, open-source penetration testing tool), created seven attack patterns that correspond to thirteen prominent attacks from the literature and discovered twenty one previously unknown vulnerabilities in prominent MPWAs (e.g., twitter.com, developer.linkedin.com, pinterest.com), including MPWAs that do not belong to SSO and CaaS families.

show abstract

An approach for guiding developers in the choice of security solutions and in the generation of concrete test cases

Salva

Regainia

2019

Software Qual J

View full text Add to dashboard Cite

This paper tackles the problems of choosing security solutions and writing concrete security test cases for software, which are two tasks of the software life cycle requiring time, expertise and experience. We propose in this paper a method, based upon the notion of knowledge base, for helping developers devise more secure applications from the threat modelling step up to the testing one. The first stage of the approach consists of the acquisition and integration of publicly available security data into a data-store. This one is used to assist developers in the design of Attack Defense Trees expressing the attacker possibilities to compromise an application and the defenses that may be implemented. These defenses are given under the form of security pattern combinations, a security pattern being a generic and re-usable solution to design more secure applications. In the second stage, these trees are used to guide developers in the test case generation. Test verdicts show whether an application is vulnerable to the threats modelled by an ADTree and whether the consequences of the chosen security patterns are observed from the application (a consequence leading to some observable events partly showing that a pattern is correctly implemented). We applied this approach to Web applications and evaluated it on 24 participants. The results are very encouraging in terms of the two criteria Comprehensibility and Effectiveness.

show abstract

Attack pattern-based combinatorial testing

Cited by 20 publications

References 15 publications

Evaluation of the IPO-Family algorithms for test case generation in web security testing

Evaluation of the IPO-Family algorithms for test case generation in web security testing

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

An approach for guiding developers in the choice of security solutions and in the generation of concrete test cases

Contact Info

Product

Resources

About