Search-based multi-vulnerability testing of XML injections in web applications

  • Sadeeq Jan
  • Annibale Panichella
  • Andrea Arcuri
  • Lionel Briand


Modern web applications often interact with internal web services that are not directly accessible to users. However, malicious user inputs can be used to exploit security vulnerabilities in those web services through the application front-ends. Testing techniques have therefore been proposed to reveal security flaws in the interactions with back-end web services, e.g., XML Injections (XMLi). Given a potentially malicious message between a web application and a web service, search-based techniques have been used to find input data that misleads the web application into sending that message, possibly compromising the target web service. However, state-of-the-art techniques search for one single malicious message at a time.

Since, in practice, there can be many different kinds of malicious messages, only a few of which can actually be generated by a given front-end, searching for one message at a time is ineffective and may not scale. To overcome these limitations, we propose a novel co-evolutionary algorithm (COMIX) that is tailored to our problem and uncovers multiple vulnerabilities at the same time. Our experiments show that COMIX outperforms a single-target search approach for XMLi and other multi-target search algorithms originally defined for white-box unit testing.


Keywords: Security testing; Code injection vulnerabilities; Search-based software engineering



This work is supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 694277) and the Research Council of Norway (project on Evolutionary Enterprise Testing, grant agreement No 274385).



Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. SnT, University of Luxembourg, Luxembourg, Luxembourg
  2. Department of Computer Science & IT, University of Engineering & Technology, Peshawar, Pakistan
  3. Delft University of Technology, Delft, Netherlands
  4. Faculty of Technology, Kristiania University College, Oslo, Norway
