ABSTRACT
We present the Chained Attacks approach, an automated model-based approach to testing the security of web applications that does not require a background in formal methods. Starting from a set of HTTP conversations and a configuration file describing the testing surface and purpose, a model of the System Under Test (SUT) is generated and fed, together with the web attacker model we defined, to a model checker acting as the test oracle. The HTTP conversations, payload libraries, and a mapping created while generating the model support the concretization of the abstract test cases, allowing them to be executed against the SUT's implementation. We applied our approach to a real-life case study and were able to find a combination of different attacks corresponding to the concrete chained attack performed by a bug bounty hunter.
An automated approach for testing the security of web applications against chained attacks