Reference : Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications
Scientific journals : Article
Engineering, computing & technology : Computer science
Security, Reliability and Trust
http://hdl.handle.net/10993/33087
Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications
English
Jan, Sadeeq [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Panichella, Annibale [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Arcuri, Andrea [Westerdals Oslo ACT, Oslo, Norway]
Briand, Lionel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
In press
IEEE Transactions on Software Engineering
Institute of Electrical and Electronics Engineers
Yes
International
New York
NY
[en] Evolutionary Testing ; XML Injection ; Security Testing
[en] Modern enterprise systems can be composed of many web services (e.g., SOAP and RESTful). Users of such systems might not have direct access to those services, and instead interact with them through a single entry point that provides a GUI (e.g., a web page or a mobile app). Although the interactions with such an entry point might be secure, an attacker could trick the system into sending malicious inputs to those internal web services. A typical example is XML injection targeting SOAP communications. Previous work has shown that it is possible to automatically generate such attacks using search-based techniques.
In this paper, we improve upon previous results by providing more efficient techniques to generate such attacks. In particular, we investigate four different algorithms and two different fitness functions. A large empirical study, which also involves two industrial systems, shows that our technique is effective at automatically generating XML injection attacks.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Researchers ; Professionals ; General public
H2020 ; 694277 - TUNE - Testing the Untestable: Model Testing of Complex Software-Intensive Systems

File(s) associated with this reference

Fulltext file: main.pdf (Author preprint, 686.41 kB, Open access)
