
Leveraging User Interactions for In-Depth Testing of Web Applications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5230))

Abstract

Over the last few years, the complexity of web applications has grown significantly, challenging desktop programs in terms of functionality and design. Along with the rising popularity of web applications, the number of exploitable bugs has also increased significantly. Web application flaws, such as cross-site scripting or SQL injection bugs, now account for more than two thirds of the reported security vulnerabilities.

Black-box testing techniques are a common approach to improve software quality and detect bugs before deployment. There exist a number of vulnerability scanners, or fuzzers, that expose web applications to a barrage of malformed inputs in the hope of identifying input validation errors. Unfortunately, these scanners often fail to test a substantial fraction of a web application's logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that aggressively check the correctness of the provided values.

In this paper, we present an automated testing tool that can find reflected and stored cross-site scripting (XSS) vulnerabilities in web applications. The core of our system is a black-box vulnerability scanner. This scanner is enhanced by techniques that allow one to generate more comprehensive test cases and explore a larger fraction of the application. Our experiments demonstrate that our approach is able to test these programs more thoroughly and identify more bugs than a number of open-source and commercial web vulnerability scanners.
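The following is an added illustration of the gap the abstract describes, written for this page; it is not the paper's tool and does not reproduce its implementation. A constructed in-memory application (ToyApp) has a registration form with strict validation, a comment page that is only reachable after registering and that stores comments unsanitized, and a search page that reflects its query unescaped. A recorded use case (RECORDED) stands in for a captured user interaction. naive_scan fuzzes each form blindly, as a classic scanner would; guided_scan replays the recorded steps to reach each form, mutates one field at a time while keeping the others valid, and revisits the known pages to find payloads that were stored rather than echoed. All names, values and the probe format are assumptions made for the example.

```python
import html
import re
import uuid


class ToyApp:
    """Constructed target application. State is per instance so every scan
    starts from a fresh, unregistered session."""

    def __init__(self):
        self.registered = False
        self.comments = []          # stored verbatim: the stored-XSS bug

    def handle(self, path, form):
        if path == "/register":
            user, email = form.get("user", ""), form.get("email", "")
            if not re.fullmatch(r"[a-z0-9_]{3,16}", user):
                return "400 bad username"
            if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", email):
                return "400 bad email"
            self.registered = True
            return f"<p>Welcome {html.escape(user)}</p>"   # escaped: safe
        if path == "/comment":
            if not self.registered:
                return "403 login required"
            if "text" in form:
                self.comments.append(form["text"])         # no sanitization
                return "303 posted"                         # nothing echoed here
            return "<ul>" + "".join(f"<li>{c}</li>" for c in self.comments) + "</ul>"
        if path == "/search":
            return f"<p>Results for {form.get('q', '')}</p>"  # reflected, unescaped
        return "404"


# Constructed use case, standing in for an interaction recorded from a human user.
RECORDED = [
    ("/register", {"user": "alice_01", "email": "alice@example.org"}),
    ("/comment", {"text": "first post"}),
    ("/search", {"q": "first"}),
]


def make_probe():
    """Unique tag; if it comes back intact (not as &lt;...&gt;) it was not escaped."""
    return f"<xss{uuid.uuid4().hex[:8]}>"


def naive_scan(steps, app_factory=ToyApp):
    """Classic fuzzing: put the probe into the forms with no knowledge of what
    valid values look like and no attempt to reach the form's page first."""
    found = set()
    for path, form in steps:
        for field in form:
            app = app_factory()
            probe = make_probe()
            if probe in app.handle(path, {f: probe for f in form}):
                found.add((path, field, "reflected"))
    return found


def guided_scan(steps, app_factory=ToyApp):
    """Interaction-guided fuzzing: replay the recorded steps up to the target
    form, mutate exactly one field, keep the others valid, then revisit every
    known page to catch payloads that were stored rather than echoed."""
    found = set()
    pages = sorted({p for p, _ in steps})
    for i, (path, form) in enumerate(steps):
        for field in form:
            app = app_factory()
            for p, f in steps[:i]:           # drive the app into the right state
                app.handle(p, f)
            probe = make_probe()
            mutated = dict(form, **{field: probe})
            if probe in app.handle(path, mutated):
                found.add((path, field, "reflected"))
            for p in pages:                  # look for the payload elsewhere
                if probe in app.handle(p, {}):
                    found.add((path, field, "stored"))
    return found


if __name__ == "__main__":
    print("naive :", sorted(naive_scan(RECORDED)))
    print("guided:", sorted(guided_scan(RECORDED)))
```

The blind scan never gets past the registration form (the probe fails the username and email checks) and is refused at the comment page because it never registered, so it reports only the reflected bug in the search page. The guided scan reaches the comment form with a valid session, and because the comment handler echoes nothing on submission, the probe is only seen when the comment list is revisited, which is what distinguishes a stored finding from a reflected one. A real scanner would also need to handle sessions, CSRF tokens and redirects that this toy application omits.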



Editor information

Richard Lippmann Engin Kirda Ari Trachtenberg

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

McAllister, S., Kirda, E., Kruegel, C. (2008). Leveraging User Interactions for In-Depth Testing of Web Applications. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_11

  • DOI: https://doi.org/10.1007/978-3-540-87403-4_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4
