Article (Scientific journals)
Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications
Jan, Sadeeq; Panichella, Annibale; Arcuri, Andrea et al.
2019, in IEEE Transactions on Software Engineering, 45 (4), p. 335-362
Peer reviewed
 

Files


Full Text
main.pdf
Author postprint (702.88 kB)

Details



Keywords :
Evolutionary Testing; XML Injection; Security Testing
Abstract :
Modern enterprise systems can be composed of many web services (e.g., SOAP and RESTful). Users of such systems might not have direct access to those services, and rather interact with them through a single-entry point which provides a GUI (e.g., a web page or a mobile app). Although the interactions with such an entry point might be secure, a hacker could trick such systems into sending malicious inputs to those internal web services. A typical example is XML injection targeting SOAP communications. Previous work has shown that it is possible to automatically generate this kind of attack using search-based techniques. In this paper, we improve upon previous results by providing more efficient techniques to generate such attacks. In particular, we investigate four different algorithms and two different fitness functions. A large empirical study, involving also two industrial systems, shows that our technique is effective at automatically generating XML injection attacks.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Disciplines :
Computer science
Author, co-author :
Jan, Sadeeq; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Panichella, Annibale; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Arcuri, Andrea; Westerdals Oslo ACT, Oslo, Norway
Briand, Lionel; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors :
yes
Language :
English
Title :
Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications
Publication date :
April 2019
Journal title :
IEEE Transactions on Software Engineering
ISSN :
0098-5589
Publisher :
Institute of Electrical and Electronics Engineers, New York, United States - New York
Volume :
45
Issue :
4
Pages :
335-362
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
European Projects :
H2020 - 694277 - TUNE - Testing the Untestable: Model Testing of Complex Software-Intensive Systems
Funders :
CE - Commission Européenne [BE]
Available on ORBilu :
since 21 November 2017

Statistics


Number of views
423 (102 by Unilu)
Number of downloads
1178 (36 by Unilu)

Scopus citations®
22
Scopus citations® without self-citations
18
WoS citations
14
