Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
SpringerLink
Log in

A Systematic Approach to Web Application Penetration Testing Using TTCN-3

  • Conference paper
E-Technologies: Transformation in a Connected World (MCETECH 2011)

Part of the book series: Lecture Notes in Business Information Processing ((LNBIP,volume 78))

Included in the following conference series:

Abstract

Penetration testing is critical for ensuring web application security. It is often implemented using traditional 3GL web test frameworks (e.g. HttpUnit, HtmlUnit). There is little awareness in the literature that a test specification language like TTCN-3 can be effectively combined with such frameworks. In this paper, we identify the essential aspects of TTCN-3 for penetration testing and how best to use them. These include separating abstract test logic from concrete data extraction logic, as well as support for templates, matching test oracles and parallel test components. The advantages of leveraging TTCN-3 together with 3GL web test frameworks for penetration testing is demonstrated and evaluated using example scenarios. The work was performed with a prototype TTCN-3 tool that extends the TTCN-3 model architecture to support the required integration with 3GL web test frameworks. A concrete proposal for modifying the TTCN-3 standard to support this refinement is described.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Andreu, A.: Professional Pen Testing for Web Applications. Wrox Press (2006)

    Google Scholar 

  2. Arkin, B., Stender, S., McGraw, G.: Software Penetration Testing. IEEE Security & Privacy 3(1), 84–87 (2005)

    Article  Google Scholar 

  3. AttackAPI (2010), http://www.gnucitizen.org/blog/attackapi/ (retrieved November 2010)

  4. Bishop, M.: About Penetration Testing. IEEE Security & Privacy 5(6), 84–87 (2007)

    Article  Google Scholar 

  5. ETSI ES 201 873-1 (2008). The Testing and Test Control Notation version 3, Part 1: TTCN-3 Core notation, V3.4.1 (September 2008)

    Google Scholar 

  6. ETSI ES 201 873-5 (2008). The Testing and Test Control Notation version 3, Part 5: TTCN-3 Runtime Interface, V3.4.1 (September 2008)

    Google Scholar 

  7. ETSI ES 201 873-6 (2008). The Testing and Test Control Notation version 3, Part 6: TTCN-3 Control Interface (TCI), V3.4.1 (September 2008)

    Google Scholar 

  8. FireBug (2010), http://getfirebug.com/ (retrieved November 2010)

  9. GreaseMonkey (2010), https://addons.mozilla.org/en-US/firefox/addon/748/ (retrieved November 2010)

  10. HtmlUnit (2010), http://HtmlUnit.sourceforge.net/ (retrieved November 2010)

  11. HttpUnit (2010), http://HttpUnit.sourceforge.net/ (retrieved November 2010)

  12. JUnit (2010), http://www.junit.org/ (retrieved November 2010)

  13. Brzezinski, K.M.: Intrusion Detection as Passive Testing: Linguistic Support with TTCN-3 (Extended Abstract). In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 79–88. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  14. Manzuik, S., Gold, A., Gatford, C.: Network Security Assessment: From Vulnerability to Patch. Syngress Publishing (2007)

    Google Scholar 

  15. Metasploit project (2010), http://www.metasploit.com/ (retrieved November 2010)

  16. OWASP Testing Guide, OWASP Testing Guide (2008), https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf (retrieved November 2010)

  17. OWASP TOP 10, OWASP TOP 10: The Ten Most Critical Web Application Security Vulnerabilities (2007), http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf (retrieved November 2010)

  18. Palmer, S.: Web Application Vulnerabilities: Detect, Exploit, Prevent. Syngress Publishing (2007)

    Google Scholar 

  19. Potter, B., McGraw, G.: Software Security Testing. IEEE Computer Society Press 2(5), 81–85 (2004)

    Google Scholar 

  20. Prabhakar, T.V., Krishna, G., Garge, S.: Telecom equipment assurance testing, a T3UC India presentation (2010), http://www.ttcn3.org/TTCN3UC_INDIA2009/Presentation/1-ttcn3-user-conference-nov_updated_-2009.pdf (retrieved November 2010)

  21. SANS TOP 20, 2010 TOP 20 Internet Security Problems, Threats and Risks, from The SANS (SysAdmin, Audit, Network, Security) Institute (2010), http://www.sans.org/top20/ (retrieved November 2010)

  22. Splaine, S.: Testing Web Security: Assessing the Security of Web Sites and Applications. John Wiley & Sons, Chichester (2002)

    Google Scholar 

  23. Stepien, B., Peyton, L., Xiong, P.: Framework Testing of Web Applications using TTCN-3. International Journal on Software Tools for Technology Transfer 10(4), 371–381 (2008)

    Article  Google Scholar 

  24. Thompson, H.: Application Penetration Testing. IEEE Computer Society Press 3(1), 66–69 (2005)

    Google Scholar 

  25. Xiong, P., Stepien, B., Peyton, L.: Model-based Penetration Test Framework for Web Applications Using TTCN-3. In: Proceedings Mce.Tech. 2009. Springer, Heidelberg (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Information Technology and Engineering, University of Ottawa, Canada

    Bernard Stepien, Pulei Xiong & Liam Peyton

Authors
  1. Bernard Stepien
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Pulei Xiong
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Liam Peyton
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Technologies de l’Information, HEC Montréal, 3000, ch. de la Côte-Sainte-Catherine, H3T 2A7, Montréal, Québec, Canada

    Gilbert Babin

  2. Academy of Journalism and Media, University of Neuchâtel, rue Emile-Argand 11, CH-2000, Neuchâtel, Switzerland

    Katarina Stanoevska-Slabeva

  3. Institute of Computer Science, University of Neuchâtel, rue Emile-Argand 11, CH-2000, Neuchâtel, Switzerland

    Peter Kropf

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Stepien, B., Xiong, P., Peyton, L. (2011). A Systematic Approach to Web Application Penetration Testing Using TTCN-3. In: Babin, G., Stanoevska-Slabeva, K., Kropf, P. (eds) E-Technologies: Transformation in a Connected World. MCETECH 2011. Lecture Notes in Business Information Processing, vol 78. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20862-1_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-20862-1_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-20861-4

  • Online ISBN: 978-3-642-20862-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation