TY - GEN
T1 - SPaCiTE - Web application testing engine
AU - Büchler, Matthias
AU - Oudinet, Johan
AU - Pretschner, Alexander
PY - 2012
Y1 - 2012
N2 - Web applications and web services enjoy an ever-increasing popularity. Such applications have to face a variety of sophisticated and subtle attacks. The difficulty of identifying respective vulnerabilities steadily increases with the complexity of applications. Moreover, the art of penetration testing predominantly depends on the skills of highly trained test experts. The difficulty to test web applications hence represents a daunting challenge to their developers. As a step towards improving security analyses, model checking has, at the model level, been found capable of identifying complex attacks and thus moving security analyses towards a push-button technology. In order to bridge the gap with actual systems, we present SPaCiTE. This tool relies on a dedicated model-checker for security analyses that generates potential attacks with regard to common vulnerabilities in web applications. Then, it semi-automatically runs those attacks on the System Under Validation (SUV) and reports which vulnerabilities were successfully exploited. We applied SPaCiTE to Role-Based Access Control (RBAC) and Cross-Site Scripting (XSS) lessons of WebGoat, an insecure web application maintained by OWASP. The tool successfully reproduced RBAC and XSS attacks.
AB - Web applications and web services enjoy an ever-increasing popularity. Such applications have to face a variety of sophisticated and subtle attacks. The difficulty of identifying respective vulnerabilities steadily increases with the complexity of applications. Moreover, the art of penetration testing predominantly depends on the skills of highly trained test experts. The difficulty to test web applications hence represents a daunting challenge to their developers. As a step towards improving security analyses, model checking has, at the model level, been found capable of identifying complex attacks and thus moving security analyses towards a push-button technology. In order to bridge the gap with actual systems, we present SPaCiTE. This tool relies on a dedicated model-checker for security analyses that generates potential attacks with regard to common vulnerabilities in web applications. Then, it semi-automatically runs those attacks on the System Under Validation (SUV) and reports which vulnerabilities were successfully exploited. We applied SPaCiTE to Role-Based Access Control (RBAC) and Cross-Site Scripting (XSS) lessons of WebGoat, an insecure web application maintained by OWASP. The tool successfully reproduced RBAC and XSS attacks.
KW - WebGoat
KW - bridging abstraction gaps
KW - fault-injection
KW - model-checking
KW - mutation testing
KW - security testing
KW - web application
UR - http://www.scopus.com/inward/record.url?scp=84862327987&partnerID=8YFLogxK
U2 - 10.1109/ICST.2012.187
DO - 10.1109/ICST.2012.187
M3 - Conference contribution
AN - SCOPUS:84862327987
SN - 9780769546704
T3 - Proceedings - IEEE 5th International Conference on Software Testing, Verification and Validation, ICST 2012
SP - 858
EP - 859
BT - Proceedings - IEEE 5th International Conference on Software Testing, Verification and Validation, ICST 2012
T2 - 5th IEEE International Conference on Software Testing, Verification and Validation, ICST 2012
Y2 - 17 April 2012 through 21 April 2012
ER -