Abstract
A description model of Web application structure can be used to depict the structure of a Web application, and it can also provide guidance for ordinary testing of Web applications. In this paper, we propose an improved description model named Web Relation Graph, built on the basis of the Page Navigation Graph, which can describe the complex relationships in a Web application. The Web Relation Graph can provide guidance for ordinary Web testing, and it can also assist security testing of Web applications. We use vulnerability-related paths on the Web Relation Graph to describe the security of a Web application, and we propose a new security testing framework based on these vulnerability-related paths. The framework contains two parts: client-side testing and server-side testing. Client-side testing tests the client entities in the paths using static analysis and penetration testing. Server-side testing tests the server entities using taint analysis and dynamic testing.
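The following is an added illustration of the idea sketched in the abstract; it is not code from the paper and the paper's formal definitions are not available here. It assumes a simplified Web Relation Graph in which every entity is either a client entity (page, form, script) or a server entity (handler, data store), some client entities accept untrusted input, some entities are sinks, and, as an extra assumption of this example, an entity may be marked as sanitising data that flows through it. A vulnerability-related path is then taken to be a simple path from an input-accepting entity to a sink that passes through no sanitiser, and each path is split into the client and server entities that the two halves of the testing framework would examine.

```python
"""Toy Web Relation Graph with vulnerability-related path extraction.

Added example. The attributes kind/accepts_input/sink/sanitizes and the
path rule below are this example's own simplification, not the paper's
definitions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Entity:
    name: str
    kind: str                       # "client" (page, form, script) or "server" (handler, DB)
    accepts_input: bool = False     # untrusted data enters the application here
    sink: bool = False              # untrusted data becomes dangerous here (render, query)
    sanitizes: bool = False         # assumed: data passing through is neutralised
    links: List[str] = field(default_factory=list)   # outgoing relations in the graph


class WebRelationGraph:
    def __init__(self) -> None:
        self.entities: Dict[str, Entity] = {}

    def add(self, entity: Entity) -> None:
        self.entities[entity.name] = entity

    def link(self, src: str, dst: str) -> None:
        self.entities[src].links.append(dst)

    def vulnerability_related_paths(self) -> List[List[str]]:
        """All simple paths from an input-accepting entity to a sink that
        do not pass through a sanitising entity."""
        paths: List[List[str]] = []
        for ent in self.entities.values():
            if ent.accepts_input:
                self._walk(ent.name, [ent.name], paths)
        return paths

    def _walk(self, name: str, path: List[str], out: List[List[str]]) -> None:
        ent = self.entities[name]
        if ent.sanitizes:
            return                      # assumed rule: sanitised flow is not vulnerability-related
        if ent.sink and len(path) > 1:
            out.append(list(path))      # source reached a sink: record and stop
            return
        for nxt in ent.links:
            if nxt not in path:         # simple paths only, so cycles terminate
                self._walk(nxt, path + [nxt], out)

    def split_by_side(self, path: List[str]) -> Tuple[List[str], List[str]]:
        """Client entities (static analysis / penetration testing) and
        server entities (taint analysis / dynamic testing) on one path."""
        client = [n for n in path if self.entities[n].kind == "client"]
        server = [n for n in path if self.entities[n].kind == "server"]
        return client, server


def build_sample_graph() -> WebRelationGraph:
    """Constructed sample application, not taken from the paper."""
    g = WebRelationGraph()
    g.add(Entity("login_form", "client", accepts_input=True))
    g.add(Entity("login_handler", "server"))
    g.add(Entity("account_db", "server", sink=True))          # query built from input
    g.add(Entity("search_form", "client", accepts_input=True))
    g.add(Entity("search_handler", "server"))
    g.add(Entity("results_page", "client", sink=True))        # renders input back
    g.add(Entity("comment_form", "client", accepts_input=True))
    g.add(Entity("comment_handler", "server"))
    g.add(Entity("html_encoder", "server", sanitizes=True))
    g.add(Entity("comments_page", "client", sink=True))
    g.add(Entity("profile_page", "client"))                   # no untrusted input
    for src, dst in [("login_form", "login_handler"), ("login_handler", "account_db"),
                     ("search_form", "search_handler"), ("search_handler", "results_page"),
                     ("comment_form", "comment_handler"), ("comment_handler", "html_encoder"),
                     ("html_encoder", "comments_page"), ("profile_page", "search_form"),
                     ("results_page", "search_form")]:        # back-link creates a cycle
        g.link(src, dst)
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    for p in graph.vulnerability_related_paths():
        client, server = graph.split_by_side(p)
        print(" -> ".join(p), "| client:", client, "| server:", server)
```

Only the login and search paths are reported: the comment path is cut at `html_encoder` because of the assumed sanitiser rule, and `profile_page` never starts a path because it accepts no input. Each reported path hands its client entities to the client-side tests and its server entities to the server-side tests, which is the division the abstract describes.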
© 2015 Springer International Publishing Switzerland
Cite this paper
Yu, X., Jiang, G. (2015). A Web Security Testing Method Based on Web Application Structure. In: Huang, Z., Sun, X., Luo, J., Wang, J. (eds) Cloud Computing and Security. ICCCS 2015. Lecture Notes in Computer Science(), vol 9483. Springer, Cham. https://doi.org/10.1007/978-3-319-27051-7_21
DOI: https://doi.org/10.1007/978-3-319-27051-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27050-0
Online ISBN: 978-3-319-27051-7
eBook Packages: Computer Science, Computer Science (R0)