article

Improving penetration testing through static and dynamic analysis

Authors:

William G. J. Halfond,

Shauvik Roy Choudhary,

Alessandro OrsoAuthors Info & Claims

Software Testing, Verification & Reliability, Volume 21, Issue 3

Pages 195 - 214

https://doi.org/10.1002/stvr.450

Published: 01 September 2011 Publication History

Abstract

Penetration testing is widely used to help ensure the security of web applications. Using penetration testing, testers discover vulnerabilities by simulating attacks on a target web application. To do this efficiently, testers rely on automated techniques that gather input vector information about the target web application and analyze the application's responses to determine whether an attack was successful. Techniques for performing these steps are often incomplete, which can leave parts of the web application untested and vulnerabilities undiscovered. This paper proposes a new approach to penetration testing that addresses the limitations of current techniques. The approach incorporates two recently developed analysis techniques to improve input vector identification and detect when attacks have been successful against a web application. This paper compares the proposed approach against two popular penetration testing tools for a suite of web applications with known and unknown vulnerabilities. The evaluation results show that the proposed approach performs a more thorough penetration testing and leads to the discovery of more vulnerabilities than both the tools. Copyright © 2011 John Wiley & Sons, Ltd.

Cited By

View all

Xie BLi QQian H(2021)Weak Password Scanning System for Penetration TestingCyberspace Safety and Security10.1007/978-3-030-94029-4_9(120-130)Online publication date: 9-Nov-2021
https://dl.acm.org/doi/10.1007/978-3-030-94029-4_9
(2018)Investigation framework of web applications vulnerabilities, attacks and protection techniques in structured query language injection attacksInternational Journal of Wireless and Mobile Computing10.1504/IJWMC.2018.09113714:2(103-122)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1504/IJWMC.2018.091137
(2016)A four-phase methodology for protecting web applications using an effective real-time techniqueInternational Journal of Internet Technology and Secured Transactions10.1504/IJITST.2016.0830086:4(303-323)Online publication date: 1-Jan-2016
https://dl.acm.org/doi/10.1504/IJITST.2016.083008
Show More Cited By

Index Terms

Improving penetration testing through static and dynamic analysis

Index terms have been assigned to the content through auto-classification.

Recommendations

A Penetration Testing Method for E-Commerce Authentication System Security
ICMECG '09: Proceedings of the 2009 International Conference on Management of e-Commerce and e-Government

E-Commerce systems are suffering more and more security issues. Vulnerabilities of authentication systems are revealed when various attacks and malicious abuses are developed and deployed to violate security of system and information. To improve the ...
Threat led advanced persistent threat penetration test

Cyber security attacks have been on the rise in recent years. One of the most destructive attacks are known as advanced persistent threat (APT) attacks which can inflict massive damages to a network. A common approach of testing the security of an IT ...
Static Analysis and Penetration Testing from the Perspective of Maintenance Teams
ESEM '16: Proceedings of the 10th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement

Static analysis and penetration testing are common techniques used to discover security bugs in implementation code. Penetration testing is often performed in black-box way by probing the attack surface of a running system and discovering its security ...

Comments

Information & Contributors

Information

Published In

cover image Software Testing, Verification & Reliability

Software Testing, Verification & Reliability Volume 21, Issue 3

September 2011

109 pages

ISSN:0960-0833

Issue’s Table of Contents

Publisher

John Wiley and Sons Ltd.

United Kingdom

Publication History

Published: 01 September 2011

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Xie BLi QQian H(2021)Weak Password Scanning System for Penetration TestingCyberspace Safety and Security10.1007/978-3-030-94029-4_9(120-130)Online publication date: 9-Nov-2021
https://dl.acm.org/doi/10.1007/978-3-030-94029-4_9
(2018)Investigation framework of web applications vulnerabilities, attacks and protection techniques in structured query language injection attacksInternational Journal of Wireless and Mobile Computing10.1504/IJWMC.2018.09113714:2(103-122)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1504/IJWMC.2018.091137
(2016)A four-phase methodology for protecting web applications using an effective real-time techniqueInternational Journal of Internet Technology and Secured Transactions10.1504/IJITST.2016.0830086:4(303-323)Online publication date: 1-Jan-2016
https://dl.acm.org/doi/10.1504/IJITST.2016.083008
Kim SKim RPark Y(2016)Software Vulnerability Detection Methodology Combined with Static and Dynamic AnalysisWireless Personal Communications: An International Journal10.1007/s11277-015-3152-189:3(777-793)Online publication date: 1-Aug-2016
https://dl.acm.org/doi/10.1007/s11277-015-3152-1
Gong LPradel MSridharan MSen KYoung MXie T(2015)DLint: dynamically checking bad coding practices in JavaScriptProceedings of the 2015 International Symposium on Software Testing and Analysis10.1145/2771783.2771809(94-105)Online publication date: 13-Jul-2015
https://dl.acm.org/doi/10.1145/2771783.2771809
Møller ASchwarz M(2014)Automated Detection of Client-State Manipulation VulnerabilitiesACM Transactions on Software Engineering and Methodology10.1145/253192123:4(1-30)Online publication date: 5-Sep-2014
https://dl.acm.org/doi/10.1145/2531921
Yan LLi XFeng RFeng ZHu J(2013)Detection Method of the Second-Order SQL Injection in Web ApplicationsStructured Object-Oriented Formal Language and Method10.1007/978-3-319-04915-1_11(154-165)Online publication date: 29-Oct-2013
https://dl.acm.org/doi/10.1007/978-3-319-04915-1_11
Avancini ACeccato MHoffman DHughes JXu D(2012)Grammar based oracle for security testing of web applicationsProceedings of the 7th International Workshop on Automation of Software Test10.5555/2663608.2663612(15-21)Online publication date: 2-Jun-2012
https://dl.acm.org/doi/10.5555/2663608.2663612

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Index Terms

Recommendations

A Penetration Testing Method for E-Commerce Authentication System Security

Threat led advanced persistent threat penetration test

Static Analysis and Penetration Testing from the Perspective of Maintenance Teams

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations