JCOMIX: a search-based tool to detect XML injection vulnerabilities in web applications

Abstract: Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of the protection mechanisms strongly depends on the quality of the sanitization and validation rule sets (e.g., regular expressions) and, therefore, security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in fro… Show more

“…Firmaster [76], Gail-PT [79], HILTI [82], IoTFuzzer [83], JCOMIX [84], LAID [85], Link [86], Lore [87], Mace [89], MaliceScript [92], Masat [93], Mirage [94], Mitch [95], MoScan [96], NAUTILUS [97], NAVEX [98], No Name (CSRF) [101], No Name (TTCN-3) [102], NodeXP [104], OSV [107], ObjectMap [105], Owfuzz [108], PJCT [115], PURITY [117], PentestGPT [113], PhpSAFE [114], Project Achilles [116], Pyciuti [118], RAT [119], ROSploit [123], RT-RCT [124], Revealer [120], RiscyROP [121], Robin [122], SOA-Scanner [130], SVED [133], Scanner++ [125], SerialDetector [127], ShoVAT [128], Snout [129], Spicy [131], SuperEye [132], TChecker [135], TORPEDO [136], UE Security Reloaded [137], VAPE-BRIDGE…”

“…AIBugHunter [52], ARMONY [53], AVAIN [55], AVAIN [55], Autosploit [54], Bbuzz [56], Black Ostrich [57], Black Widow [58], Bleem [59], Cairis [60], Censys [61], Chainsaw [62], Chucky [63], Commix [64], CryptoGuard [65], CuPerFuzzer [66], DFBC [69], Deemon [67], Delta [68], Delta [68], Diane [70], EBF [71], ELAID [72], ESASCF [73], ESRFuzzer [74], ESSecA [75], FUGIO [77], FUSE [78], Firmaster [76], Gail-PT [79], Gail-PT [79], HILTI [82], HILTI [82], IoTFuzzer [83], JCOMIX [84], LAID [85], LTESniffer [88], Link [86], Lore [87], Mace [89], MaliceScript [92], MaliceScript [92], Masat [93], Mirage [94], Mirage [94], Mitch [95], MoScan …”

“…Black Ostrich [57], Black Widow [58], Censys [61], Chainsaw [62], Commix [64], Deemon [67], ESASCF [73], ESSecA [75], FUGIO [77], FUSE [78], Firmaster [76], Gail-PT [79], JCOMIX [84], Link [86], Lore [87], MAL [91], Mace [89], MaliceScript [92], Masat [93], Mitch [95], NAUTILUS [97], NAVEX [98], NetCAT [99], No Name (CSRF) [101], NodeXP [104], OSV [107], ObjectMap [105], PURITY [117], Pentest-GPT [113], PhpSAFE [114], Pyciuti [118], RAT [119], Revealer [120], Robin [122], SOA-Scanner [130], SVED [133], Scanner++ [125], SerialDetector [127], ShoVAT [128], TChecker [135], TORPEDO [136], VAPE-BRIDGE [139], VERA [140], Vulcan [142], Vulnet [145], WAPTT [148], WebFuzz…”

“…JCOMIX (2019, Stallenberg et al [84]) is a tool developed in Java that is designed to generate attacks (test objectives) to identify XML injection threats in web applications. It assesses information sanitation and validation in micro-service frameworks, aiding in the identification of vulnerabilities.…”

Bridging the Gap: A Survey and Classification of Research-Informed Ethical Hacking Tools

“…Firmaster [76], Gail-PT [79], HILTI [82], IoTFuzzer [83], JCOMIX [84], LAID [85], Link [86], Lore [87], Mace [89], MaliceScript [92], Masat [93], Mirage [94], Mitch [95], MoScan [96], NAUTILUS [97], NAVEX [98], No Name (CSRF) [101], No Name (TTCN-3) [102], NodeXP [104], OSV [107], ObjectMap [105], Owfuzz [108], PJCT [115], PURITY [117], PentestGPT [113], PhpSAFE [114], Project Achilles [116], Pyciuti [118], RAT [119], ROSploit [123], RT-RCT [124], Revealer [120], RiscyROP [121], Robin [122], SOA-Scanner [130], SVED [133], Scanner++ [125], SerialDetector [127], ShoVAT [128], Snout [129], Spicy [131], SuperEye [132], TChecker [135], TORPEDO [136], UE Security Reloaded [137], VAPE-BRIDGE…”

“…AIBugHunter [52], ARMONY [53], AVAIN [55], AVAIN [55], Autosploit [54], Bbuzz [56], Black Ostrich [57], Black Widow [58], Bleem [59], Cairis [60], Censys [61], Chainsaw [62], Chucky [63], Commix [64], CryptoGuard [65], CuPerFuzzer [66], DFBC [69], Deemon [67], Delta [68], Delta [68], Diane [70], EBF [71], ELAID [72], ESASCF [73], ESRFuzzer [74], ESSecA [75], FUGIO [77], FUSE [78], Firmaster [76], Gail-PT [79], Gail-PT [79], HILTI [82], HILTI [82], IoTFuzzer [83], JCOMIX [84], LAID [85], LTESniffer [88], Link [86], Lore [87], Mace [89], MaliceScript [92], MaliceScript [92], Masat [93], Mirage [94], Mirage [94], Mitch [95], MoScan …”

“…Black Ostrich [57], Black Widow [58], Censys [61], Chainsaw [62], Commix [64], Deemon [67], ESASCF [73], ESSecA [75], FUGIO [77], FUSE [78], Firmaster [76], Gail-PT [79], JCOMIX [84], Link [86], Lore [87], MAL [91], Mace [89], MaliceScript [92], Masat [93], Mitch [95], NAUTILUS [97], NAVEX [98], NetCAT [99], No Name (CSRF) [101], NodeXP [104], OSV [107], ObjectMap [105], PURITY [117], Pentest-GPT [113], PhpSAFE [114], Pyciuti [118], RAT [119], Revealer [120], Robin [122], SOA-Scanner [130], SVED [133], Scanner++ [125], SerialDetector [127], ShoVAT [128], TChecker [135], TORPEDO [136], VAPE-BRIDGE [139], VERA [140], Vulcan [142], Vulnet [145], WAPTT [148], WebFuzz…”

“…JCOMIX (2019, Stallenberg et al [84]) is a tool developed in Java that is designed to generate attacks (test objectives) to identify XML injection threats in web applications. It assesses information sanitation and validation in micro-service frameworks, aiding in the identification of vulnerabilities.…”

Bridging the Gap: A Survey and Classification of Research-Informed Ethical Hacking Tools

A Critical Review on Search-Based Security Testing of Programs

A systematic literature review on software security testing using metaheuristics