Software unit test coverage and adequacy
ACM Computing Surveys (CSUR)
Analysis and testing of Web applications
ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Modeling Web Navigation by Statechart
COMPSAC '00 24th International Computer Software and Applications Conference
APSEC '04 Proceedings of the 11th Asia-Pacific Software Engineering Conference
Security Technologies Go Phishing
Computer
The battle against phishing: Dynamic Security Skins
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Protecting Users Against Phishing Attacks with AntiPhish
COMPSAC '05 Proceedings of the 29th Annual International Computer Software and Applications Conference - Volume 01
An Antiphishing Strategy Based on Visual Similarity Assessment
IEEE Internet Computing
PHONEY: Mimicking User Response to Detect Phishing Attacks
WOWMOM '06 Proceedings of the 2006 International Symposium on on World of Wireless, Mobile and Multimedia Networks
Anomaly Based Web Phishing Page Detection
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Cantina: a content-based approach to detecting phishing web sites
Proceedings of the 16th international conference on World Wide Web
Learning to detect phishing emails
Proceedings of the 16th international conference on World Wide Web
Advanced White List Approach for Preventing Access to Phishing Sites
ICCIT '07 Proceedings of the 2007 International Conference on Convergence Information Technology
On the Effectiveness of Techniques to Detect Phishing Sites
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Anti-Phishing in Offense and Defense
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Modeling Web Browser Interactions and Generating Tests
CIS '08 Proceedings of the 2008 International Conference on Computational Intelligence and Security - Volume 02
A hybrid phish detection approach by identity discovery and keywords retrieval
Proceedings of the 18th international conference on World wide web
A phishing sites blacklist generator
AICCSA '08 Proceedings of the 2008 IEEE/ACS International Conference on Computer Systems and Applications
Testing for trustworthiness in scientific software
SECSE '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Computational Science and Engineering
Beyond blacklists: learning to detect malicious web sites from suspicious URLs
Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining
Discovering phishing target based on semantic link network
Future Generation Computer Systems
Foundations of Software Testing
Foundations of Software Testing
PhishTester: Automatic Testing of Phishing Attacks
SSIRI '10 Proceedings of the 2010 Fourth International Conference on Secure Software Integration and Reliability Improvement
Winning the Phishing War: A Strategy for Australia
CTC '10 Proceedings of the 2010 Second Cybercrime and Trustworthy Computing Workshop
Relating navigation and request routing models in web applications
MODELS'07 Proceedings of the 10th international conference on Model Driven Engineering Languages and Systems
Editorial: Special section: Trusting software behavior
Future Generation Computer Systems
| Hi-index | 0.00 |
Phishing attacks allure website users to visit fake web pages and provide their personal information. However, testing of phishing websites is challenging. Unlike traditional web-based program testing, we do not know the response of form submissions in advance. There exists lack of efforts to help anti-phishing professionals who manually verify a reported phishing site and take further actions. Moreover, current tools cannot detect phishing attacks that leverage vulnerabilities in trusted websites such as cross site scripting. An attacker might generate input forms by injecting script code and steal credentials. To address these challenges, we propose testing suspected phishing websites based on trustworthiness testing approach. In a trustworthiness testing, a website is not tested against a set of known inputs and matched the expected outputs with the actual ones. Rather, we check whether the behavior (response) of websites matches with our knowledge of phishing or legitimate website behaviors to decide whether a website is phishing or legitimate. We consider a suspected website as a web-based program and test the program based on a behavior model. The model is described using the notion of Finite State Machine (FSM) that captures the submission of forms with random inputs and the corresponding responses. We then identify a number of heuristics followed by a set of heuristic combination to assist a tester deciding whether websites are phishing or legitimate based on their up-to-date behaviors. We implement a tool named PhishTester to automate the testing process. We evaluate the proposed approach with both phishing and legitimate websites. The results show that the approach incurs zero false negatives and positives in detecting phishing and legitimate websites, respectively. Moreover, our approach can detect advanced XSS-based attacks that many contemporary tools currently fail to detect.