Abstract
Penetration testing is a widely used method for testing the security of web applications, but it can be inefficient if it is not done systematically. Public databases of web application vulnerabilities can be used to drive penetration testing, but testers need to understand them and interpret them into executable test cases. This requires an in-depth knowledge of security. This paper proposes a model-based testing approach using a data model that describes the relationship between web security knowledge, business domain knowledge, and test case development. The approach consists of a data model that represents the relevance between attack surface, application fingerprint, attack vectors, and fuzz vectors; a test case generator that automatically generates penetration test scenarios for web applications; and a penetration test framework supported by a TTCN-3 test environment. The model-based testing approach can be used to provide structured tool support for developing penetration test campaigns. We demonstrate the feasibility and efficiency of the approach at the design level.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Xiong, P., Stepien, B., Peyton, L. (2009). Model-Based Penetration Test Framework for Web Applications Using TTCN-3. In: Babin, G., Kropf, P., Weiss, M. (eds) E-Technologies: Innovation in an Open World. MCETECH 2009. Lecture Notes in Business Information Processing, vol 26. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01187-0_12
DOI: https://doi.org/10.1007/978-3-642-01187-0_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-01186-3
Online ISBN: 978-3-642-01187-0
eBook Packages: Computer Science, Computer Science (R0)