Abstract
Common coverage criteria for software testing, such as branch coverage and statement coverage, are often used to evaluate the adequacy of test cases created by automatic security testing methods. However, these criteria were not originally defined for security testing. In this paper, we discuss the limitations of traditional criteria and present a study on a new criterion called security sensitive data flow coverage. This criterion aims to show how well test cases cover security sensitive data flows. We conducted an experiment in automatic security testing of real-world web applications to evaluate the effectiveness of our proposed coverage criterion, which is intended to guide test case generation. The experimental results show that security sensitive data flow coverage helps reduce test cost while keeping the effectiveness of vulnerability detection high.
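As an added illustration (not the paper's own code, and not its formal definition, which this page does not reproduce), the following Python toy models the abstract's point: two test suites can reach the same branch coverage while exercising very different numbers of security sensitive source-to-sink flows, and choosing tests by flow coverage keeps every flow covered with fewer tests. The flow definition, test names, branch labels and flows are assumptions constructed for the example.

```python
"""Toy model of security sensitive data flow coverage (illustration only).
Assumed definition: a security sensitive data flow is a (source, sink) pair,
e.g. a request parameter reaching a SQL query, and a test covers the flow when
it drives data from that source into that sink. All data below is constructed
for a hypothetical login/search/profile page."""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]  # (taint source, security sensitive sink)

# Constructed: the branches each test executed and the flows it exercised.
TESTS: Dict[str, Dict[str, Set]] = {
    "t1_login_ok":     {"branches": {"B1", "B2"}, "flows": {("user", "sql_login")}},
    "t2_login_bad":    {"branches": {"B1", "B3"}, "flows": {("user", "sql_login")}},
    "t3_search_empty": {"branches": {"B4", "B5"}, "flows": set()},
    "t4_search_term":  {"branches": {"B4", "B6"},
                        "flows": {("q", "sql_search"), ("q", "html_out")}},
    "t5_profile":      {"branches": {"B7"}, "flows": {("name", "html_out")}},
}
ALL_BRANCHES: Set[str] = {"B1", "B2", "B3", "B4", "B5", "B6", "B7"}
ALL_FLOWS: Set[Flow] = {("user", "sql_login"), ("q", "sql_search"),
                        ("q", "html_out"), ("name", "html_out")}

def _union(tests: List[str], key: str) -> Set:
    hit: Set = set()
    for t in tests:
        hit |= TESTS[t][key]
    return hit

def branch_coverage(tests: List[str]) -> float:
    """Traditional criterion: fraction of all branches executed."""
    return len(_union(tests, "branches") & ALL_BRANCHES) / len(ALL_BRANCHES)

def flow_coverage(tests: List[str]) -> float:
    """Proposed criterion: fraction of security sensitive flows exercised."""
    return len(_union(tests, "flows") & ALL_FLOWS) / len(ALL_FLOWS)

def select_by_flow_coverage(candidates: List[str]) -> List[str]:
    """Greedy selection guided by flow coverage: keep the test that exercises
    the most still-uncovered flows (ties: sorted name); stop when none adds a flow."""
    uncovered = set(ALL_FLOWS)
    chosen: List[str] = []
    while uncovered:
        best = max(sorted(candidates), key=lambda t: len(TESTS[t]["flows"] & uncovered))
        gain = TESTS[best]["flows"] & uncovered
        if not gain:
            break
        chosen.append(best)
        uncovered -= gain
    return chosen
```

Running the selector over all five tests keeps three of them at 100% flow coverage, while the three login/search tests that reach the same 5/7 branch coverage exercise only one of the four flows.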
© 2011 Springer-Verlag Berlin Heidelberg
Dao, T.B., Shibayama, E. (2011). Security Sensitive Data Flow Coverage Criterion for Automatic Security Testing of Web Applications. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_8
DOI: https://doi.org/10.1007/978-3-642-19125-1_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19124-4
Online ISBN: 978-3-642-19125-1