Using TTCN-3 as a modeling language for web penetration testing

Abstract

Penetration testing is widely used for vulnerability assessment of web applications. Usually, it is performed by specialized security experts after development is completed and the application deployed into production, but recent research has proposed a model based penetration test framework for web applications which provides a repeatable, systematic and cost-efficient approach fully integrated into a security-oriented software development life cycle. In this context, we evaluate the test specification language TTCN-3 as a modeling language for web penetration testing and show how its inherent abstraction features make the process of generating web penetration test campaigns easier. In particular, we demonstrate the advantages of combining separate models for the relevant web vulnerabilities and web application functionalities, with a generic web abstraction model and a TTCN-3 test framework model.