Coverage criteria for automatic security testing of web applications

Authors:
Thanh Binh Dao;Etsuya Shibayama
Affiliations:
Dept. of Mathematical and Computing Sciences, Tokyo Institute of Technology, Tokyo, Japan;Information Technology Center, The University of Tokyo, Tokyo, Japan
Venue:
ICISS'10 Proceedings of the 6th international conference on Information systems security
Year:
2010

Citing 12
Cited 0

Software unit test coverage and adequacy

ACM Computing Surveys (CSUR)
Web application security assessment by fault injection and behavior monitoring

WWW '03 Proceedings of the 12th international conference on World Wide Web
A family of test adequacy criteria for database-driven applications

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Character String Predicate Based Automatic Software Test Data Generation

QSIC '03 Proceedings of the Third International Conference on Quality Software
Using an SQL coverage measurement for testing database applications

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Command-Form Coverage for Testing Database Applications

ASE '06 Proceedings of the 21st IEEE/ACM International Conference on Automated Software Engineering
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Proposing SQL statement coverage metrics

Proceedings of the fourth international workshop on Software engineering for secure systems
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Idea: Automatic Security Testing for Web Applications

ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Automatic creation of SQL Injection and cross-site scripting attacks

ICSE '09 Proceedings of the 31st International Conference on Software Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

In security testing of web applications, the selection of coverage criteria for adequacy evaluation of test cases is based on the trade off between test cost and vulnerability detection effectiveness. Coverage criteria used in traditional software testing such as branch coverage and statement coverage are commonly used but they are not originally defined for security testing purpose. In this paper, we present an overview of the limitations of those common coverage criteria and propose wrapper coverage, vulnerability-aware sink coverage and vulnerability-aware wrapper coverage as other options that are more appropriate for security testing. We conduct an experiment of security testing of real-world web applications to evaluate the usefulness and discuss about the usage of these proposed coverage criteria.