Abstract
Penetration testing is critical for ensuring web application security. It is often implemented using traditional 3GL web test frameworks (e.g. HttpUnit, HtmlUnit). There is little awareness in the literature that a test specification language like TTCN-3 can be effectively combined with such frameworks. In this paper, we identify the essential aspects of TTCN-3 for penetration testing and how best to use them. These include separating abstract test logic from concrete data extraction logic, as well as support for templates, matching test oracles and parallel test components. The advantages of leveraging TTCN-3 together with 3GL web test frameworks for penetration testing is demonstrated and evaluated using example scenarios. The work was performed with a prototype TTCN-3 tool that extends the TTCN-3 model architecture to support the required integration with 3GL web test frameworks. A concrete proposal for modifying the TTCN-3 standard to support this refinement is described.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Andreu, A.: Professional Pen Testing for Web Applications. Wrox Press (2006)
Arkin, B., Stender, S., McGraw, G.: Software Penetration Testing. IEEE Security & Privacy 3(1), 84–87 (2005)
AttackAPI (2010), http://www.gnucitizen.org/blog/attackapi/ (retrieved November 2010)
Bishop, M.: About Penetration Testing. IEEE Security & Privacy 5(6), 84–87 (2007)
ETSI ES 201 873-1 (2008). The Testing and Test Control Notation version 3, Part 1: TTCN-3 Core notation, V3.4.1 (September 2008)
ETSI ES 201 873-5 (2008). The Testing and Test Control Notation version 3, Part 5: TTCN-3 Runtime Interface, V3.4.1 (September 2008)
ETSI ES 201 873-6 (2008). The Testing and Test Control Notation version 3, Part 6: TTCN-3 Control Interface (TCI), V3.4.1 (September 2008)
FireBug (2010), http://getfirebug.com/ (retrieved November 2010)
GreaseMonkey (2010), https://addons.mozilla.org/en-US/firefox/addon/748/ (retrieved November 2010)
HtmlUnit (2010), http://HtmlUnit.sourceforge.net/ (retrieved November 2010)
HttpUnit (2010), http://HttpUnit.sourceforge.net/ (retrieved November 2010)
JUnit (2010), http://www.junit.org/ (retrieved November 2010)
Brzezinski, K.M.: Intrusion Detection as Passive Testing: Linguistic Support with TTCN-3 (Extended Abstract). In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 79–88. Springer, Heidelberg (2007)
Manzuik, S., Gold, A., Gatford, C.: Network Security Assessment: From Vulnerability to Patch. Syngress Publishing (2007)
Metasploit project (2010), http://www.metasploit.com/ (retrieved November 2010)
OWASP Testing Guide, OWASP Testing Guide (2008), https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf (retrieved November 2010)
OWASP TOP 10, OWASP TOP 10: The Ten Most Critical Web Application Security Vulnerabilities (2007), http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf (retrieved November 2010)
Palmer, S.: Web Application Vulnerabilities: Detect, Exploit, Prevent. Syngress Publishing (2007)
Potter, B., McGraw, G.: Software Security Testing. IEEE Computer Society Press 2(5), 81–85 (2004)
Prabhakar, T.V., Krishna, G., Garge, S.: Telecom equipment assurance testing, a T3UC India presentation (2010), http://www.ttcn3.org/TTCN3UC_INDIA2009/Presentation/1-ttcn3-user-conference-nov_updated_-2009.pdf (retrieved November 2010)
SANS TOP 20, 2010 TOP 20 Internet Security Problems, Threats and Risks, from The SANS (SysAdmin, Audit, Network, Security) Institute (2010), http://www.sans.org/top20/ (retrieved November 2010)
Splaine, S.: Testing Web Security: Assessing the Security of Web Sites and Applications. John Wiley & Sons, Chichester (2002)
Stepien, B., Peyton, L., Xiong, P.: Framework Testing of Web Applications using TTCN-3. International Journal on Software Tools for Technology Transfer 10(4), 371–381 (2008)
Thompson, H.: Application Penetration Testing. IEEE Computer Society Press 3(1), 66–69 (2005)
Xiong, P., Stepien, B., Peyton, L.: Model-based Penetration Test Framework for Web Applications Using TTCN-3. In: Proceedings Mce.Tech. 2009. Springer, Heidelberg (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stepien, B., Xiong, P., Peyton, L. (2011). A Systematic Approach to Web Application Penetration Testing Using TTCN-3. In: Babin, G., Stanoevska-Slabeva, K., Kropf, P. (eds) E-Technologies: Transformation in a Connected World. MCETECH 2011. Lecture Notes in Business Information Processing, vol 78. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20862-1_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-20862-1_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-20861-4
Online ISBN: 978-3-642-20862-1
eBook Packages: Computer ScienceComputer Science (R0)