XSS pattern for attack modeling in testing

Božić, Josip; Wotawa, Franz

doi:10.1109/iwast.2013.6595794

Cited by 20 publications

(17 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Establishing similar vectors with help of deterministic finite state machine algorithm to compare with attack vector of the multiple mode to improve the quality of detection method. The whole detection method use some steps, which are establishing skip list feature library, regulating script, using MD5 encoding and converting long integer, pre-screening attack vectors, judging attack vectors, to make up entire modular cross-site scripting attack detection framework [14]. We use this framework and the existing general XSS detection methods for comparative experiment.…”

Section: Resultsmentioning

confidence: 99%

A XSS Attack Detection Method based on Skip List

Shan¹,

Chen²,

Hu³

et al. 2016

IJSIA

View full text Add to dashboard Cite

show abstract

Section: Resultsmentioning

confidence: 99%

A XSS Attack Detection Method based on Skip List

Shan¹,

Chen²,

Hu³

et al. 2016

IJSIA

View full text Add to dashboard Cite

show abstract

“…Technical details about the implementation and technical realization of the approach are demonstrated in further detail in previous works of the authors [20], [21], [4].…”

Section: Test Execution Methodsmentioning

confidence: 99%

“…The technique for test case execution in this paper is built upon former works of the authors from [20] and [21]. They describe a method called attack pattern-based testing, which is meant to execute test cases automatically against a SUT.…”

Section: Related Workmentioning

confidence: 99%

Evaluation of the IPO-Family algorithms for test case generation in web security testing

Božić

Garn

Simos

et al. 2015

2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW)

Self Cite

View full text Add to dashboard Cite

Security testing of web applications remains a major problem of software engineering. In order to reveal vulnerabilities, testing approaches use different strategies for detection of certain kinds of inputs that might lead to a security breach. Such approaches depend on the corresponding test case generation technique that are executed against the system under test. In this work we examine how two of the most popular algorithms for combinatorial test case generation, namely the IPOG and IPOG-F algorithms, perform in web security testing. For generating comprehensive and sophisticated testing inputs we have used input parameter modelling which includes also constraints between the different parameter values. To handle the test execution, we make use of a recently introduced methodology which is based on model-based testing. Our evaluation indicates that both algorithms generate test inputs that succeed in revealing security leaks in web applications with IPOG-F giving overall slightly better results w.r.t. the test quality of the generated inputs. In addition, using constraints during the modelling of the attack grammars results in an increase on the number of test inputs that cause security breaches. Last but not least, a detailed analysis of our evaluation results confirms that combinatorial testing is an efficient test case generation method for web security testing as the security leaks are mainly due to the interaction of a few parameters. This statement is further supported by some combinatorial coverage measurement experiments on the successful test inputs.

show abstract

“…The authors from [4] define attack patterns in form of UML statecharts in order to test web applications against cross-site scripting attacks. First they specify manually an adaptable XSS attack pattern model and implement Java functions, which are called from within the model once the execution takes place.…”

Section: Related Workmentioning

confidence: 99%

“…This paper takes the technique from [4], which elaborates a modelbased testing approach for testing of web applications. The difference to other model-based approaches is the fact, that we do not use a model of the SUT to derive test cases but take as a model the definition of attack patterns from [12], where such a construct is specified by a goal, preconditions, actions and postconditions.…”

Section: Attack Pattern-based Testingmentioning

confidence: 99%

Attack pattern-based combinatorial testing

Božić

Simos

Wotawa

2014

Proceedings of the 9th International Workshop on Automation of Software Test

Self Cite

View full text Add to dashboard Cite

The number of potential security threats rises with the increasing number of web applications, which cause tremendous financial and existential implications for developers and users as well. The biggest challenge for security testing is to specify and implement ways in order to detect potential vulnerabilities of the developed system in a never ending quest against new security threats but also to cover already known ones so that a program is suited against typical attack vectors. For these purposes many approaches have been developed in the area of model-based security testing in order to come up with solutions for real-world application problems. These approaches provide theoretical background as well as practical solutions for certain security issues. In this paper, we partially rely on previous work but focus on the representation of attack patterns using UML state diagrams. We extend previous work in combining the attack pattern models with combinatorial testing in order to provide concrete test input, which is submitted to the system under test. With combinatorial testing we capture different combinations of inputs and thus increasing the likelihood to find weaknesses in the implementation under test that can be exploited. Besides the foundations of our approach we further report on first experiments that indicate its practical use.

show abstract

XSS pattern for attack modeling in testing

Cited by 20 publications

References 10 publications

A XSS Attack Detection Method based on Skip List

A XSS Attack Detection Method based on Skip List

Evaluation of the IPO-Family algorithms for test case generation in web security testing

Attack pattern-based combinatorial testing

Contact Info

Product

Resources

About