DocumentCode :
3344800
Title :
Supporting Security Testers in Discovering Injection Flaws
Author :
Türpe, Sven ; Poller, Andreas ; Trukenmüller, Jan ; Repp, Jürgen ; Bornmann, Christian
Author_Institution :
Fraunhofer-Inst. for Secure Inf. Technol. SIT, Darmstadt
fYear :
2008
fDate :
29-31 Aug. 2008
Firstpage :
64
Lastpage :
68
Abstract :
We present a platform for software security testing primarily designed to support human testers in discovering injection flaws in distributed systems. Injection is an important class of security faults, caused by unsafe concatenation of input into strings that are then interpreted by other components of the system. Examples include two of the most common security issues in Web applications, SQL injection and cross-site scripting. This paper briefly discusses the fault model, derives a testing strategy that should discover a large subset of the injection flaws present, and describes a platform that helps security testers discover injection flaws through dynamic grey-box testing. Our platform combines the respective strengths of machines and humans, automating what is easily automated while leaving to the tester the artistic portion of security testing. Although designed with a specific fault model in mind, our platform may be useful in a wide range of security testing tasks.
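The fault model and the grey-box strategy in the abstract, as an added example that is not code from the paper or from the authors' platform: a SQL lookup built by concatenation beside its parameterised form, and a probe that sends a marker containing a metacharacter through the function under test while observing the statement text that actually reaches the SQL interpreter (via Python's sqlite3 trace callback). The table, rows, function names and the probe string are all constructed for this illustration.

```python
"""Added example (not from the paper): a SQL-injection fault and a grey-box probe.

The interpreter here is SQLite; the same idea (send a marker with a
metacharacter, observe the string handed to the other component) carries
over to HTML output for cross-site scripting.
"""
import sqlite3

# Constructed probe: the single quote is the metacharacter a correct
# escaping or parameter-binding layer must neutralise; the trailing
# comment keeps the concatenated statement syntactically valid so the
# statement text can be observed at the sink.
PROBE = "CANARY'--"


def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable sink: untrusted input is concatenated into the SQL text."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened sink: input is bound as a parameter, never part of the SQL text."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def probe_sink(conn, lookup, probe=PROBE):
    """Grey-box check for one function under test.

    Sends the probe through `lookup` and records every statement the SQL
    engine is asked to run.  The flaw indicator is the probe arriving at
    the engine with its quote unescaped.  A correct layer either binds the
    value (the observed text then shows '?' or the quote doubled as '')
    or rejects it.  A statement error is also counted as a finding, since
    a probe that breaks the parser only does so if it reached the SQL text.
    """
    observed = []
    conn.set_trace_callback(observed.append)   # sees each statement as executed
    error = None
    try:
        lookup(conn, probe)
    except sqlite3.Error as exc:
        error = str(exc)
    finally:
        conn.set_trace_callback(None)
    raw_probe_at_sink = any(probe in stmt for stmt in observed)
    escaped = probe.replace("'", "''")
    return {
        "flaw": raw_probe_at_sink or error is not None,
        "statements": observed,
        "error": error,
        "safely_quoted": any(escaped in stmt for stmt in observed),
    }


def demo():
    """Run both sinks against the probe and against a classic tautology payload."""
    conn = make_db()
    return {
        "concat_flaw": probe_sink(conn, lookup_concat)["flaw"],
        "param_flaw": probe_sink(conn, lookup_param)["flaw"],
        # The tautology shows the consequence: every row leaks via the
        # concatenated query, nothing via the bound parameter.
        "concat_tautology": sorted(lookup_concat(conn, "' OR '1'='1")),
        "param_tautology": lookup_param(conn, "' OR '1'='1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe is the automatable part; deciding which inputs to feed, which sinks matter, and what a suspicious statement means is left to the tester, which is the division of labour the abstract describes. Which exact text the trace callback reports for a bound parameter depends on the Python version ('?' or the expanded, correctly quoted literal), so the check looks for the raw probe rather than for any one safe form.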
Keywords :
SQL; program testing; security of data; SQL injection; Web applications; cross site scripting; distributed systems; dynamic grey-box testing; injection flaws; security faults; security testers; software security; unsafe concatenation; Application software; Automatic testing; Computer industry; Humans; Information security; Information technology; Software systems; Software testing; Software tools; System testing; injection vulnerability; security testing;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Testing: Academic & Industrial Conference - Practice and Research Techniques (TAIC PART '08), 2008
Conference_Location :
Windsor
Print_ISBN :
978-0-7695-3383-4
Type :
conf
DOI :
10.1109/TAIC-PART.2008.7
Filename :
4670303