1. Static analysis: taint analysis is run to detect candidate vulnerabilities in the application under test. Each vulnerability defines a coverage criterion for security testing (i.e., the goal of security testing is to cover a vulnerability).
At the end of the preliminary phase, the oracle can be constructed by performing the following steps:
1. Test case generation: safe (i.e. without injecting any code) test cases are generated, either manually or automatically, such that they cover the vulnerability criteria detected by static analysis. For this purpose, we reused a tool we developed in a previous work [2], but any test case generation approach is applicable in principle.
2. Attack generation: some test cases are turned into candidate attacks by adding selected attack strings, extracted from a library of malicious fragments of HTML and JavaScript, to input values. This library has been taken from a publicly available tool [17] for penetration testing and black-box fuzzing.
3. Manual filtering: test cases and candidate attacks are run on the web application under analysis. Results are manually classified as safe executions or successful injection attacks. The output pages are then parsed by using Txl [7] and the resulting HTML parse trees are stored.
4. Training: parse trees of successful attacks and safe executions are used respectively as positive and negative examples for the learning phase of the oracle.
5. Classification: the oracle is ready. To evaluate a new test case, the test must be executed on the application under analysis and the HTML output must be parsed. Finally, the oracle relies on the kernel to classify the HTML parse tree either as a safe execution or as a successful attack. Classification is performed on those pages that contain a candidate vulnerability and for which some attacks have been successfully crafted.
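The following block is an added example, not code from the paper, that walks through steps 3 to 5 in miniature. Output pages are parsed into HTML trees, every tree is reduced to a bag of root-to-element tag paths, a linear kernel over those bags plays the role of the tree kernel, and a new page is labelled by its most similar training example (a 1-nearest-neighbour rule standing in for the learner the paper does not describe on this page). All pages, the `PathCollector` class and the helper names are constructed for illustration; the original oracle parses pages with Txl rather than Python's `html.parser`.

```python
"""Toy security oracle for XSS: parse trees -> path features -> kernel -> label.

Added example (assumption-laden): the paper's oracle uses Txl parse trees and a
kernel-based learner; here a path-count kernel and nearest-neighbour labelling
stand in for both so the idea runs stand-alone.
"""
from collections import Counter
from html.parser import HTMLParser
from math import sqrt

VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}  # never closed, so never pushed


class PathCollector(HTMLParser):
    """Collect, for every element, its tag path from the document root.

    A successful injection adds an element (e.g. a script node) that the safe
    executions of the same page never contain, so it shows up as a new path.
    Attribute names are recorded as well, since an injected event-handler
    attribute changes structure without adding an element.
    """

    def __init__(self):
        super().__init__()
        self.stack = []
        self.paths = Counter()

    def handle_starttag(self, tag, attrs):
        path = "/".join(self.stack + [tag])
        self.paths[path] += 1
        for name, _ in attrs:
            self.paths[path + "@" + name] += 1
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inner elements.
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass


def features(page_html):
    """Map an output page to its bag of tag paths (the parse-tree summary)."""
    collector = PathCollector()
    collector.feed(page_html)
    collector.close()
    return collector.paths


def kernel(fa, fb):
    """Linear kernel over path counts: how many path occurrences two trees share."""
    return sum(count * fb[path] for path, count in fa.items())


def normalized_kernel(fa, fb):
    """Cosine-normalized kernel, so page size does not dominate the comparison."""
    return kernel(fa, fb) / sqrt(kernel(fa, fa) * kernel(fb, fb))


def classify(page_html, training):
    """Label a new page by its most similar training tree (1-NN under the kernel)."""
    f = features(page_html)
    best_label, best_sim = None, -1.0
    for label, example in training:
        sim = normalized_kernel(f, example)
        if sim > best_sim:
            best_label, best_sim = label, sim
    return best_label


# Constructed pages from a fictitious search form: manually filtered results of
# step 3.  Safe executions reflect the input as text (entity-encoded or plain);
# successful attacks contain an element the template never emits.
SAFE_PAGES = [
    "<html><body><h1>Search</h1><p>Results for: foo</p></body></html>",
    "<html><body><h1>Search</h1><p>Results for: &lt;b&gt;foo&lt;/b&gt;</p></body></html>",
]
ATTACK_PAGES = [
    "<html><body><h1>Search</h1><p>Results for: <script>/* injected */</script></p></body></html>",
    "<html><body><h1>Search</h1><p>Results for: </p><script>/* injected */</script></body></html>",
]

# Step 4: training set = labelled parse-tree summaries.
TRAINING = [("safe", features(p)) for p in SAFE_PAGES] + \
           [("attack", features(p)) for p in ATTACK_PAGES]

# Step 5: two new executions to classify (also constructed).
NEW_SAFE_PAGE = "<html><body><h1>Search</h1><p>Results for: bar baz</p></body></html>"
NEW_ATTACK_PAGE = "<html><body><h1>Search</h1><p>Results for: bar <script>/* injected */</script></p></body></html>"

if __name__ == "__main__":
    for page in (NEW_SAFE_PAGE, NEW_ATTACK_PAGE):
        print(classify(page, TRAINING), sorted(features(page)))
```

The design point is the one the paper relies on: a reflected value that stays text leaves the parse tree of the page unchanged, whereas a successful injection introduces new nodes, so similarity between trees, not string matching on the response, separates the two classes. Manual filtering (step 3) is still what produces the labels; the learner only generalizes them.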
3.1 Static Analysis
The identification of vulnerabilities relies on taint analysis [10], a static analysis technique that tracks the tainted/untainted status of variables throughout the application's control flow. A vulnerability is reported whenever a possibly tainted variable is used in a sink statement (e.g. print). In the case of XSS [20], tainted values are those that come from untrusted sources (database and user input) and sinks are all the print statements that append a value to the resulting web page. Tainted status is propagated on assignments, and tainted variables become untainted upon sanitization (e.g., the function htmlspecialchars in PHP). Taint analysis is formulated as a flow analysis [16] problem, where the information propagated in the control flow graph is the set of variables holding tainted values.
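As an added example (not the paper's analysis tool), the block below formulates the taint analysis just described as a forward data-flow problem over a small control-flow graph: the fact propagated is the set of variables holding tainted values, assignments propagate taint from their operands, an assignment through a sanitizer removes it, sets are unioned at merge points (a "may be tainted" analysis), and every sink that uses a possibly tainted variable is reported. The PHP-like program, its node encoding, and the names `TAINT_SOURCES`, `SANITIZERS`, `SINKS`, `transfer`, `analyze` and `find_vulnerabilities` are all constructed for this illustration.

```python
"""Taint analysis as a flow analysis over a CFG (added example, constructed).

Facts: the set of variables currently holding a tainted value.
Transfer: assignment from a tainted operand taints the target; assignment
through a sanitizer untaints it; sinks and branches leave the set unchanged.
Merge: set union, so a variable tainted on any incoming path stays tainted.
"""
from collections import deque

TAINT_SOURCES = {"$_GET", "$_POST", "db_fetch"}   # untrusted: user input, database
SANITIZERS = {"htmlspecialchars"}                 # assignment through these untaints
SINKS = {"echo", "print"}                         # statements appending to the output page

# Constructed PHP-like program, one statement per CFG node:
#   n1: $name  = $_GET['name']
#   n2: if (...)                      (fork: n3 or n4)
#   n3:   $name  = htmlspecialchars($name)
#   n4:   $title = "Search"
#   n5: echo $name                     (merge point)
#   n6: $safe  = htmlspecialchars($name)
#   n7: echo $safe
#   n8: echo $title
# kind "assign": target = func(uses); func None means a plain copy/constant.
CFG_NODES = {
    "n1": {"kind": "assign", "target": "$name", "func": None, "uses": ["$_GET"]},
    "n2": {"kind": "branch", "uses": []},
    "n3": {"kind": "assign", "target": "$name", "func": "htmlspecialchars", "uses": ["$name"]},
    "n4": {"kind": "assign", "target": "$title", "func": None, "uses": []},
    "n5": {"kind": "sink", "func": "echo", "uses": ["$name"]},
    "n6": {"kind": "assign", "target": "$safe", "func": "htmlspecialchars", "uses": ["$name"]},
    "n7": {"kind": "sink", "func": "echo", "uses": ["$safe"]},
    "n8": {"kind": "sink", "func": "echo", "uses": ["$title"]},
}
CFG_EDGES = [("n1", "n2"), ("n2", "n3"), ("n2", "n4"), ("n3", "n5"),
             ("n4", "n5"), ("n5", "n6"), ("n6", "n7"), ("n7", "n8")]
ENTRY = "n1"


def transfer(node, tainted_in):
    """Tainted set after executing one statement, given the set before it."""
    out = set(tainted_in)
    if node["kind"] != "assign":
        return out
    if node.get("func") in SANITIZERS:
        out.discard(node["target"])               # sanitization untaints the target
        return out
    if any(u in TAINT_SOURCES or u in tainted_in for u in node["uses"]):
        out.add(node["target"])                   # taint propagates on assignment
    else:
        out.discard(node["target"])               # overwritten with a clean value
    return out


def analyze(nodes, edges, entry):
    """Worklist fixpoint; returns the tainted-in set of every node."""
    succs = {n: [] for n in nodes}
    preds = {n: [] for n in nodes}
    for a, b in edges:
        succs[a].append(b)
        preds[b].append(a)
    tainted_in = {n: set() for n in nodes}
    tainted_out = {n: set() for n in nodes}
    seen = set()
    work = deque([entry])
    while work:
        n = work.popleft()
        new_in = set()
        for p in preds[n]:
            new_in |= tainted_out[p]              # union at merge points (may-analysis)
        tainted_in[n] = new_in
        new_out = transfer(nodes[n], new_in)
        if n not in seen or new_out != tainted_out[n]:
            seen.add(n)
            tainted_out[n] = new_out
            work.extend(succs[n])                 # monotone + finite: terminates
    return tainted_in


def find_vulnerabilities(nodes, edges, entry):
    """Report every sink whose operand may hold a tainted value."""
    tainted_in = analyze(nodes, edges, entry)
    report = []
    for nid, node in nodes.items():
        if node["kind"] == "sink" and node["func"] in SINKS:
            bad = [u for u in node["uses"] if u in TAINT_SOURCES or u in tainted_in[nid]]
            if bad:
                report.append((nid, bad))
    return report


if __name__ == "__main__":
    print(find_vulnerabilities(CFG_NODES, CFG_EDGES, ENTRY))
```

Only `n5` is reported: `$name` is sanitized on one branch but not the other, so after the merge it is possibly tainted, which is exactly the candidate vulnerability that the later test generation step has to cover. The sinks at `n7` and `n8` are not reported, because `$safe` is assigned through the sanitizer and `$title` never depends on an untrusted source.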
Taint analysis provides the data dependency slice that gives rise to a vulnerability. The data slice consists of the chain of assignments that contribute