DocumentCode
2472283
Title
Grammar based oracle for security testing of web applications
Author
Avancini, Andrea ; Ceccato, Mariano
Author_Institution
Fondazione Bruno Kessler, Trento, Italy
fYear
2012
fDate
2-3 June 2012
Firstpage
15
Lastpage
21
Abstract
The goal of security testing is to detect those defects that could be exploited to conduct attacks. Existing works, however, address security testing mostly from the point of view of automatic generation of test cases. Less attention is paid to the problem of developing and integrating a security oracle. In this paper we address the problem of the security oracle, in particular for Cross-Site Scripting vulnerabilities. We rely on existing test cases to collect HTML pages in safe conditions, i.e. when no attack is run. These pages are then used to construct the safe model of the application under analysis, a model that describes the structure of an application response page for safe input values. The oracle eventually detects a successful attack when a test makes the application display a web page that is not compliant with the safe model.
Keywords
Internet; grammars; hypermedia markup languages; program testing; security of data; HTML pages; Web applications; Web page; application response page; automatic generation; cross-site scripting vulnerabilities; grammar based oracle; security testing; Analytical models; Computational modeling; Genetic algorithms; HTML; Security; Testing; Web pages; cross site scripting; security testing; test oracle;
fLanguage
English
Publisher
ieee
Conference_Titel
Automation of Software Test (AST), 2012 7th International Workshop on
Conference_Location
Zurich
Print_ISBN
978-1-4673-1821-1
Type
conf
DOI
10.1109/IWAST.2012.6228984
Filename
6228984