Metamorphic Security Testing for Web Systems

Mai, Xuan Phu; Pastore, Fabrizio; Goknil, Arda; Briand, Lionel

Reference : Metamorphic Security Testing for Web Systems


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	Focus Areas :	Security, Reliability and Trust
	To cite this reference:	http://hdl.handle.net/10993/41229

Title :	Metamorphic Security Testing for Web Systems
Language :	English
Author, co-author :	Mai, Xuan Phu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Pastore, Fabrizio [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Goknil, Arda []
	Briand, Lionel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Publication date :	Mar-2020
Main document title :	IEEE International Conference on Software Testing, Verification and Validation (ICST) 2020
Publisher :	IEEE
Peer reviewed :	Yes
On invitation :	No
Audience :	International
Event name :	IEEE International Conference on Software Testing, Verification and Validation (ICST) 2020
Event date :	March 23-27, 2020
Event place (city) :	Porto
Event country :	Portugal
Keywords :	[en] Software Engineering ; Software Security ; Metamorphic Testing ; Metamorphic Relations ; Security Testing ; Web Security ; System Testing
Abstract :	[en] Security testing verifies that the data and the resources of software systems are protected from attackers. Unfortunately, it suffers from the oracle problem, which refers to the challenge, given an input for a system, of distinguishing correct from incorrect behavior. In many situations where potential vulnerabilities are tested, a test oracle may not exist, or it might be impractical due to the many inputs for which specific oracles have to be defined. In this paper, we propose a metamorphic testing approach that alleviates the oracle problem in security testing. It enables engineers to specify metamorphic relations (MRs) that capture security properties of the system. Such MRs are then used to automate testing and detect vulnerabilities. We provide a catalog of 22 system-agnostic MRs to automate security testing in Web systems. Our approach targets 39% of the OWASP security testing activities not automated by state-of-the-art techniques. It automatically detected 10 out of 12 vulnerabilities affecting two widely used systems, one commercial and the other open source (Jenkins).
Research centres :	Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Target :	Researchers ; Professionals ; Students ; General public ; Others
Permalink :	http://hdl.handle.net/10993/41229
Framework Programme / European Project :	H2020 ; 694277 - TUNE - Testing the Untestable: Model Testing of Complex Software-Intensive Systems
FnR project :	FnR ; FNR11213850 > Lionel Briand > EDLAH 2 > Enhanced Daily Living and Health 2 – an incentive basedservice > 01/06/2016 > 30/11/2018 > 2015

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	Mai-ICST-2020.pdf		Author postprint	1.84 MB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices