A Generic Web Application Testing and Attack Data Generation Method

  • Hsiao-Yu Shih
  • Han-Lin Lu
  • Chao-Chun Yeh
  • Hsu-Chun Hsiao
  • Shih-Kun Huang
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 733)


With the advances of diversified online services, there is an increasing demand for web applications. However, many web applications contain critical bugs affecting their security, allowing unauthorized access and remote code execution. It is challenging for programmers to identify potential vulnerabilities in their applications before releasing the service, due to the lack of resources and security knowledge, and thus such hidden defects may remain unnoticed for a long time until they are reported by users or exposed by third parties. In this paper, we develop an automated detection method to support timely and flexible discovery of a wide variety of vulnerability types in web applications. The key insight of our work is adding a lightweight detecting sensor that differentiates attack types before performing symbolic execution. Based on the technique of symbolic execution, our work generates testing and attack data by tracking the addresses of program instructions and checking the arguments of dangerous functions. Compared to prior analysis tools that also use symbolic execution, our work flexibly supports the detection of more types of web attacks and improves system flexibility for users thanks to the detecting sensor. We have evaluated our solution by applying this detecting process to several known vulnerabilities in open-source web applications and CTF (Capture The Flag) problems, and detected various types of web attacks successfully.
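To make the "detecting sensor" idea concrete, the following is an added example (not the paper's code, and not the CRAXweb implementation) that simulates the lightweight first stage described in the abstract: request parameters are tagged as user-controlled, dangerous-function calls are hooked, and whenever a user-controlled argument reaches a sink the sensor records the sink's vulnerability class together with the call site (a source line number stands in for the instruction address the paper tracks). The sink table, the `Value`/`Sensor` API and the three toy handlers are all constructed for this example; the point is that the attack type of each reachable sink is known before any expensive path exploration is run.

```python
"""Toy 'detecting sensor' for dangerous-function arguments (added example)."""
import sys
from dataclasses import dataclass

# Dangerous-function categories the sensor hooks. This table is constructed
# for the example; the paper's own sink set is not given on the page.
SINK_CLASSES = {
    "mysql_query": "SQL injection",
    "system": "command injection",
    "echo": "cross-site scripting",
    "include": "file inclusion",
}


@dataclass(frozen=True)
class Value:
    """A program value plus the set of request parameters it derives from."""
    text: str
    sources: frozenset = frozenset()

    def concat(self, other):
        """String concatenation propagates the union of both taint sets."""
        other = other if isinstance(other, Value) else Value(str(other))
        return Value(self.text + other.text, self.sources | other.sources)

    def sanitized(self):
        """Model a total sanitizer: the text is trusted again, sources dropped."""
        return Value(self.text, frozenset())


@dataclass(frozen=True)
class Finding:
    handler: str        # which request handler reached the sink
    sink: str           # dangerous function that was called
    attack_type: str    # vulnerability class from SINK_CLASSES
    sources: frozenset  # request parameters that influence the argument
    site: int           # call-site line, standing in for an instruction address


class Sensor:
    """Hooks every dangerous-function call and records tainted arguments."""

    def __init__(self):
        self.findings = []
        self.handler = "?"

    def call(self, sink, arg):
        if sink not in SINK_CLASSES or not arg.sources:
            return  # not a dangerous function, or argument is fully trusted
        site = sys._getframe(1).f_lineno  # line of the caller (hypothetical address)
        self.findings.append(
            Finding(self.handler, sink, SINK_CLASSES[sink], arg.sources, site))


# --- constructed toy web application, written against the sensor API ---
def search(params, sensor):
    # user input concatenated straight into a query: tainted data reaches SQL
    q = Value("SELECT * FROM items WHERE name = '").concat(params["q"]).concat("'")
    sensor.call("mysql_query", q)


def greet(params, sensor):
    # the name is sanitized before output, so the sink sees a trusted value
    page = Value("<p>Hello ").concat(params["name"].sanitized()).concat("</p>")
    sensor.call("echo", page)


def ping(params, sensor):
    # host name flows unmodified into a shell command
    cmd = Value("ping -c 1 ").concat(params["host"])
    sensor.call("system", cmd)


def request_values(form):
    """Tag every incoming parameter with its own name as taint source."""
    return {k: Value(v, frozenset({k})) for k, v in form.items()}


def classify(handlers, form):
    """Run each handler once on a benign request; return the sinks reached
    by user-controlled data, each labelled with its attack type."""
    sensor = Sensor()
    params = request_values(form)
    for h in handlers:
        sensor.handler = h.__name__
        h(params, sensor)
    return sensor.findings


if __name__ == "__main__":
    # constructed benign request: no attack payload is needed to classify
    for f in classify([search, greet, ping],
                      {"q": "book", "name": "alice", "host": "example.test"}):
        print(f"{f.handler}: {f.attack_type} via {f.sink}() "
              f"from {sorted(f.sources)} at line {f.site}")
```

Note that a single benign request is enough to learn that `search` can only be a SQL injection candidate and `ping` only a command injection candidate, which is exactly the information needed to choose a type-specific checker for the later symbolic-execution stage. The taint model here is deliberately simple: it follows explicit string concatenation only, ignores implicit flows, and treats `sanitized()` as total, so it shows the sensor's role rather than its precision.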


Keywords: Web application testing, Symbolic execution, Capture The Flag, Software vulnerability



This work was supported by the Institute for Information Industry under the grant 106-EC-17-D-11-1502.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Hsiao-Yu Shih (1)
  • Han-Lin Lu (1)
  • Chao-Chun Yeh (1, 3)
  • Hsu-Chun Hsiao (4)
  • Shih-Kun Huang (1, 2)

  1. Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan
  2. Information Technology Service Center, National Chiao Tung University, Hsinchu, Taiwan
  3. Computational Intelligence Technology Center, Industrial Technology Research Institute, Hsinchu, Taiwan
  4. Department of Computer Science and Information Engineering, National Taiwan University, Taipei, Taiwan
