Reference : Search-based Multi-Vulnerability Testing of XML Injections in Web Applications
Scientific journals : Article
Engineering, computing & technology : Computer science
Security, Reliability and Trust
http://hdl.handle.net/10993/39101
Search-based Multi-Vulnerability Testing of XML Injections in Web Applications
English
Jan, Sadeeq [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Panichella, Annibale [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Arcuri, Andrea [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Briand, Lionel mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Dec-2019
Empirical Software Engineering
Springer
24
6
3696–3729
Yes (verified by ORBilu)
International
1382-3256
1573-7616
USA
[en] vulnerabilities testing ; XML injection ; search-based software engineering
[en] Modern web applications often interact with internal web services, which are not directly accessible to users. However, malicious user inputs can be used to exploit security vulnerabilities in web services through the application front-ends. Therefore, testing techniques have been proposed to reveal security flaws in the interactions with back-end web services, e.g., XML Injections (XMLi). Given a potentially malicious message between a web application and web services, search-based techniques have been used to find input data to mislead the web application into sending such a message, possibly compromising the target web service. However, state-of-the-art techniques focus on (search for) one single malicious message at a time.

Since, in practice, there can be many different kinds of malicious messages, with only a few of them which can possibly be generated by a given front-end, searching for one single message at a time is ineffective and may not scale. To overcome these limitations, we propose a novel co-evolutionary algorithm (COMIX) that is tailored to our problem and uncover multiple vulnerabilities at the same time. Our experiments show that COMIX outperforms a single-target search approach for XMLi and other multi-target search algorithms originally defined for white-box unit testing.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
tune
http://hdl.handle.net/10993/39101
10.1007/s10664-019-09707-8
This article is distributed under the terms of the Creative Commons Attribution 4.0 Inter- national License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
H2020 ; 694277 - TUNE - Testing the Untestable: Model Testing of Complex Software-Intensive Systems

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
Jan2019_Article_Search-basedMulti-vulnerabilit.pdfPublisher postprint2.49 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.