ACM Digital Library record, DOI 10.1145/2593833.2593835

Search-based security testing of web applications

Published: 02 June 2014

Abstract

SQL injections are still the most exploited web application vulnerabilities. We present a technique to automatically detect such vulnerabilities through targeted test generation. Our approach uses search-based testing to systematically evolve inputs to maximize their potential to expose vulnerabilities. Starting from an entry URL, our BIOFUZZ prototype systematically crawls a web application and generates inputs whose effects on the SQL interaction are assessed at the interface between Web server and database. By evolving those inputs whose resulting SQL interactions show best potential, BIOFUZZ exposes vulnerabilities on real-world Web applications within minutes. As a black-box approach, BIOFUZZ requires neither analysis nor instrumentation of server code; however, it even outperforms state-of-the-art white-box vulnerability scanners.



Published In

SBST 2014: Proceedings of the 7th International Workshop on Search-Based Software Testing
June 2014
38 pages
ISBN:9781450328524
DOI:10.1145/2593833
In-Cooperation

  • TCSE: IEEE Computer Society's Tech. Council on Software Engin.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. SQL injections
  2. Search-based testing
  3. Security testing

Conference

ICSE '14
Cited By

  • (2025) Influencing Factors' Analysis for the Performance of Parallel Evolutionary Test Case Generation for Web Applications. Journal of Software: Evolution and Process 37(2). DOI 10.1002/smr.2751. Published 5 Feb 2025.
  • (2024) Search-Based Security Testing of Enterprise Microservices. 2024 IEEE Conference on Software Testing, Verification and Validation (ICST), pages 463-465. DOI 10.1109/ICST60714.2024.00056. Published 27 May 2024.
  • (2024) A systematic literature review on software security testing using metaheuristics. Automated Software Engineering 31(2). DOI 10.1007/s10515-024-00433-0. Published 23 May 2024.
  • (2023) Sensitive Path oriented Malicious data Generation for Web applications. 2023 6th International Conference on Data Science and Information Technology (DSIT), pages 1-6. DOI 10.1109/DSIT60026.2023.00009. Published 28 Jul 2023.
  • (2023) SourceWarp: A scalable, SCM-driven testing and benchmarking approach to support data-driven and agile decision making for CI/CD tools and DevOps platforms. 2023 IEEE/ACM International Conference on Automation of Software Test (AST), pages 68-78. DOI 10.1109/AST58925.2023.00011. Published May 2023.
  • (2023) Parallel evolutionary test case generation for web applications. Information and Software Technology 155, article 107113. DOI 10.1016/j.infsof.2022.107113. Published Mar 2023.
  • (2023) A Critical Review on Search-Based Security Testing of Programs. Computational Intelligence, pages 207-225. DOI 10.1007/978-981-19-7346-8_19. Published 16 Feb 2023.
  • (2022) Unleashing the power of compiler intermediate representation to enhance neural program embeddings. Proceedings of the 44th International Conference on Software Engineering, pages 2253-2265. DOI 10.1145/3510003.3510217. Published 21 May 2022.
  • (2022) RAT: Reinforcement-Learning-Driven and Adaptive Testing for Vulnerability Discovery in Web Application Firewalls. IEEE Transactions on Dependable and Secure Computing 19(5):3371-3386. DOI 10.1109/TDSC.2021.3095417. Published 1 Sep 2022.
  • (2022) A SQL Blind Injection Method Based on Gated Recurrent Neural Network. 2022 7th IEEE International Conference on Data Science in Cyberspace (DSC), pages 519-525. DOI 10.1109/DSC55868.2022.00078. Published Jul 2022.
