An increasing number of cyber attacks occur at the application layer, where attackers supply malicious input. These input validation vulnerabilities can be exploited by (among others) SQL injection, cross-site scripting, and buffer overflow attacks. Statement coverage and similar test adequacy metrics have historically been used to assess how much functional and unit testing has been performed on an application. However, these currently available metrics do not indicate how well the system protects itself through input validation. In this paper, we propose two SQL injection input validation testing adequacy metrics: target statement coverage and input variable coverage. A test suite that satisfies both adequacy criteria can serve as a solid foundation for input validation scanning with a blacklist. To determine whether it is feasible to calculate values for our two metrics, we perform a case study on a web healthcare application and discuss some implementation issues we encountered. We find that the web healthcare application scored 96.7% target statement coverage and 98.5% input variable coverage.