Grammar Based Testing of HTML Injection Vulnerabilities in RSS Feeds

Abstract

Grammar based test generation (GBTG) has seen extensive study and considerable practical use since the 1970s. GBTG was introduced to generate source code for testing compilers from context-free grammars specifying language syntax. More recently, GBTG has been applied to many other testing problems, including the generation of eXtensible Markup Language (XML) documents. Recent research has shown how to integrate covering-array generation into GBTG tools. While the integration offers considerable power to the tester, there are few practical demonstrations in the literature. We present a case study showing how to use grammars and covering arrays for effective input generation. The generated tests have been used to systematically evaluate an RSS feed parser for HTML injection vulnerabilities.