research-article

An automated approach for testing the security of web applications against chained attacks

Authors:
Alberto Calvi

Università degli Studi di Verona, Italy

Università degli Studi di Verona, Italy
View Profile

,
Luca Viganò

King's College London, UK

King's College London, UK
View Profile

SAC '16: Proceedings of the 31st Annual ACM Symposium on Applied ComputingApril 2016Pages 2095–2102https://doi.org/10.1145/2851613.2851803

Published:04 April 2016Publication History

SAC '16: Proceedings of the 31st Annual ACM Symposium on Applied Computing

Pages 2095–2102

ABSTRACT

We present the Chained Attacks approach, an automated model-based approach to test the security of web applications that does not require a background in formal methods. Starting from a set of HTTP conversations and a configuration file providing the testing surface and purpose, a model of the System Under Test (SUT) is generated and input, along with the web attacker model we defined, to a model checker acting as test oracle. The HTTP conversations, payload libraries, and a mapping created while generating the model aid the concretization of the test cases, allowing for their execution on the SUT's implementation. We applied our approach to a real-life case study and we were able to find a combination of different attacks representing the concrete chained attack performed by a bug bounty hunter.

References

D. Akhawe, A. Barth, P. Lam. Towards a formal foundation of web security. CSF, 2010. Google ScholarDigital Library
E. Alata, M. Kaaniche, V. Nicomette, R. Akrout. An Automated Approach to Generate Web Applications Attack Scenarios. LADC, pp. 78--85. IEEE, 2013. Google ScholarDigital Library
A. Armando, R. Carbone, L. Compagna. SATMC: A SAT-Based Model Checker for Security-Critical Systems. TACAS, LNCS 8413. Springer, 2014.Google ScholarCross Ref
AVANTSSAR. Deliverable 2.3 (update): ASLan++ specification and tutorial, 2011. www.avantssar.eu.Google Scholar
M. Büchler, J. Oudinet, A. Pretschner. Semiautomatic security testing of web applications from a secure model. SERE, pp. 253--262. IEEE, 2012. Google ScholarDigital Library
A. Dessiatnikoff, R. Akrout, E. Alata, M. Kaaniche, V. Nicomette. A Clustering Approach for Web Vulnerabilities Detection. LADC. IEEE, 2011.Google ScholarDigital Library
A. Dias-Neto and G. Travassos. A picture from the model-based testing area: concepts, techniques, and challenges. Advances in Computers 80. Elsevier, 2010.Google ScholarCross Ref
W. L. Fithen, S. V. Hernan, P. F. O'Rourke, D. A. Shinberg. Formal Modeling of Vulnerability. Bell Labs Technical Journal, 8(4):173--186, 2004.Google ScholarCross Ref
W. G. Halfond, J. Viegas, A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. ISSSE, 2006.Google Scholar
E. Homakov. How I hacked Github again. homakov. blogspot.it/2014/02/how-i-hacked-github-again.html.Google Scholar
IETF. Hypertext Transfer Protocol -- HTTP/1.1. tools.ietf.org/html/rfc2616.Google Scholar
IETF. Oauth 2.0. tools.ietf.org/html/rfc6749.Google Scholar
F. Lebeau, B. Legeard, F. Peureux, A. Vernotte. Model-Based Vulnerability Testing for Web Applications. ICSTW, pp. 445--452. IEEE, 2013. Google ScholarDigital Library
OWASP. Webscarab Project. www.owasp.org/index.php/Category:OWASP WebScarab Project.Google Scholar
OWASP. WebGoat Project. www.owasp.org/index.php/Category:OWASP WebGoat ProjectGoogle Scholar
OWASP. Top Ten Project. www.owasp.org/index.php/Category:OWASP Top Ten ProjectGoogle Scholar
CWE/SANS Top 25 Most Dangerous Software Errors. cwe.mitre.org/top25/index.htmlGoogle Scholar
A. Salva and B. Durand. Domain-Driven Model Inference Applied To Web Applications. SERP, 2014.Google Scholar

Index Terms

An automated approach for testing the security of web applications against chained attacks
1. Security and privacy
  1. Software and application security
    1. Web application security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Research Questions for Model-Based Vulnerability Testing of Web Applications
ICST '13: Proceedings of the 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation

This paper presents my Ph.D. research that focuses on developing concepts and techniques for Model-Based Vulnerability Testing (MBVT) of Web Applications. This research bridges the gap between MBT techniques, which are usually addressed to functional ...
Read More
Mining Executable Specifications of Web Applications from Selenium IDE Tests
SERE '12: Proceedings of the 2012 IEEE Sixth International Conference on Software Security and Reliability

A common practice for system testing of web-based applications is to perform the test cases through a web browser. These tests are often recorded and managed by a record and replay tool, such as Selenium IDE. Mining specifications from such tests can be ...
Read More
On Security Issues in Web Applications through Cross Site Scripting (XSS)
APSEC '13: Proceedings of the 2013 20th Asia-Pacific Software Engineering Conference (APSEC) - Volume 01

Web applications have become a very popular means of developing software. This is because of many advantages of web applications like no need of installation on each client machine, centralized data, reduction in business cost etc. With the increase in ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SAC '16: Proceedings of the 31st Annual ACM Symposium on Applied Computing
April 2016
2360 pages
ISBN:9781450337397
DOI:10.1145/2851613
Conference Chair:
Sascha Ossowski
University Rey Juan Carlos, Spain
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 4 April 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
model-based testing
security
web applications
Qualifiers
- research-article
Conference

Acceptance Rates
SAC '16 Paper Acceptance Rate252of1,047submissions,24%Overall Acceptance Rate1,650of6,669submissions,25%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 5
  Total Citations
  View Citations
- 237
  Total Downloads
- Downloads (Last 12 months)10
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

An automated approach for testing the security of web applications against chained attacks

SAC '16: Proceedings of the 31st Annual ACM Symposium on Applied Computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

Research Questions for Model-Based Vulnerability Testing of Web Applications

Mining Executable Specifications of Web Applications from Selenium IDE Tests

On Security Issues in Web Applications through Cross Site Scripting (XSS)