XSS pattern for attack modeling in testing

2013 8th International Workshop on Automation of Software Test (AST) Pub Date : 2013-05-18 DOI:10.1109/IWAST.2013.6595794

Josip Bozic, F. Wotawa

{"title":"XSS pattern for attack modeling in testing","authors":"Josip Bozic, F. Wotawa","doi":"10.1109/IWAST.2013.6595794","DOIUrl":null,"url":null,"abstract":"Security issues of web applications are still a current topic of interest especially when considering the consequences of unintended behaviour. Such services might handle sensitive data about several thousands or millions of users. Hence, exploiting services or other undesired effects that cause harm on users has to be avoided. Therefore, for software developers of such applications one of the major tasks in providing security is to embed testing methodologies into the software development cycle, thus minimizing the subsequent damage resulting in debugging and time intensive upgrading. Model-based testing evolved as one of the methodologies which offer several theoretical and practical approaches in testing the system under test (SUT) that combine several input generation strategies like mutation testing, using of concrete and symbolic execution etc. by putting the emphasis on specification of the model of an application. In this work we propose an approach that makes use of an attack pattern model in form of a UML state machine for test case generation and execution. The paper also discusses the current implementation of our attack pattern testing tool using a XSS attack pattern and demonstrates the execution in a case study.","PeriodicalId":291838,"journal":{"name":"2013 8th International Workshop on Automation of Software Test (AST)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-05-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"26","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 8th International Workshop on Automation of Software Test (AST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IWAST.2013.6595794","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 26

Abstract

Security issues of web applications are still a current topic of interest especially when considering the consequences of unintended behaviour. Such services might handle sensitive data about several thousands or millions of users. Hence, exploiting services or other undesired effects that cause harm on users has to be avoided. Therefore, for software developers of such applications one of the major tasks in providing security is to embed testing methodologies into the software development cycle, thus minimizing the subsequent damage resulting in debugging and time intensive upgrading. Model-based testing evolved as one of the methodologies which offer several theoretical and practical approaches in testing the system under test (SUT) that combine several input generation strategies like mutation testing, using of concrete and symbolic execution etc. by putting the emphasis on specification of the model of an application. In this work we propose an approach that makes use of an attack pattern model in form of a UML state machine for test case generation and execution. The paper also discusses the current implementation of our attack pattern testing tool using a XSS attack pattern and demonstrates the execution in a case study.

查看原文本刊更多论文

用于测试中的攻击建模的XSS模式

web应用程序的安全问题仍然是当前人们感兴趣的一个话题，尤其是在考虑到意外行为的后果时。此类服务可能处理数千或数百万用户的敏感数据。因此，必须避免利用服务或其他对用户造成伤害的不良影响。因此，对于此类应用程序的软件开发人员来说，提供安全性的主要任务之一是将测试方法嵌入到软件开发周期中，从而将调试和时间密集的升级所导致的后续损害最小化。基于模型的测试是一种方法，它为测试被测系统(SUT)提供了几种理论和实践方法，这些方法结合了多种输入生成策略，如突变测试、使用具体和符号执行等，强调应用程序模型的规范。在这项工作中，我们提出了一种利用UML状态机形式的攻击模式模型来生成和执行测试用例的方法。本文还讨论了使用XSS攻击模式的攻击模式测试工具的当前实现，并在案例研究中演示了执行情况。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 8th International Workshop on Automation of Software Test (AST)

自引率

0.00%

发文量