Character String Predicate Based Automatic Software Test Data Generation
QSIC '03 Proceedings of the Third International Conference on Quality Software
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Coverage criteria for automatic security testing of web applications
ICISS'10 Proceedings of the 6th international conference on Information systems security
Security sensitive data flow coverage criterion for automatic security testing of web applications
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security
Electronic Notes in Theoretical Computer Science (ENTCS)
| Hi-index | 0.00 |
With the increasingly important role of web applications in online services and business systems, vulnerabilities such as SQL Injection have become serious security threats. Finding these vulnerabilities by manual testing is a time-consuming and error-prone practice that may result in some potential vulnerabilities being missed due to some execution branches being missed. In this paper, we describe an automatic security testing method to find vulnerabilities in web applications; this method utilizes test data generation techniques for improving the code coverage. Our security testing involves automatic attack request generation and automatic security checking using dynamic tainting technique that detects dangerous contents originating from untrustworthy sources in commands and outputs. Automatic constraint-based test data generation helps to create test data for executing program branches that may have remained unexecuted in previous tests. The experimental results indicate that our method is effective to find new vulnerabilities, and test data generation may help to improve the effectiveness of detection.