
A Web Security Testing Method Based on Web Application Structure

Conference paper. Part of the book series: Lecture Notes in Computer Science (LNISA, volume 9483)

Abstract

A description model of Web application structure can be used to depict the structure of a Web application, and it can also guide ordinary testing of the application. In this paper, we propose an improved description model, the Web Relation Graph, built on the Page Navigation Graph, which can describe the complex relationships within a Web application. The Web Relation Graph can guide ordinary Web testing and can also assist security testing of Web applications. We use vulnerability-related paths on the Web Relation Graph to describe the security of a Web application, and we propose a new security testing framework based on these vulnerability-related paths. The framework contains two parts, client-side testing and server-side testing. Client-side testing tests the client entities in the paths using static analysis and penetration testing. Server-side testing tests the server entities using taint analysis and dynamic testing.



Corresponding author: Xueyong Yu

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Yu, X., Jiang, G. (2015). A Web Security Testing Method Based on Web Application Structure. In: Huang, Z., Sun, X., Luo, J., Wang, J. (eds) Cloud Computing and Security. ICCCS 2015. Lecture Notes in Computer Science, vol 9483. Springer, Cham. https://doi.org/10.1007/978-3-319-27051-7_21

  • DOI: https://doi.org/10.1007/978-3-319-27051-7_21
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-27050-0
  • Online ISBN: 978-3-319-27051-7
