highly dynamic and could generate different HTML pages, according to which
vulnerability data slice is tested. Vulnerability criteria, in fact, are represented
by different sets of target branches, which lead to a variety of HTML structures
in the resulting page.
In terms of scalability, the security oracle proved able to work on real-size
code. HTML pages parsed by the oracle contain up to 1,202 distinct nodes,
which represents a fairly complex HTML page with several syntactic elements.
5 Related Works
A fundamental problem of security testing is deciding whether an attack succeeded,
i.e. whether a test case is able to inject malicious code and thereby reveal a defect.
Initially, checking code injection was a manual task delegated to programmers.
For instance, in the work by Tappenden et al. [18], security testing is approached
with an agile methodology using HTTP-unit, while verification of test outcomes
is a manual task.
Other approaches provide a higher level of automation. In [12], a library of
documented attacks is used to generate valid inputs for a web application. A
symbolic database is implemented to propagate the tainted status of input values
through the database to the final attack sinks. A first stage of the oracle adopts
dynamic taint analysis to verify whether tainted data are used in a sink, while a
second stage compares safe pages with pages generated by candidate attacks.
This check consists of verifying whether pages differ with respect to
“script-inducing constructs”, i.e. new scripts or different href attributes.
In other works [13,8], the oracle consists of checking whether a response page
contains the same <script> tag passed as input. McAllister et al. [13] adopt a
black-box approach to detect XSS vulnerabilities. Data collected during the
interaction with real users are subjected to fuzzing, so as to increase test
coverage. The oracle for XSS attacks checks whether the script passed as input
is also present in the output page.
The paper by Halfond et al. [8] presents a complete approach to identifying XSS
and SQLI vulnerabilities in Java web applications. (1) Input vectors are identified
and grouped, together with their domains, into input interfaces. Then (2), attack
patterns are used to generate many attacks for these interfaces. Eventually (3),
page execution is monitored and the HTTP response is inspected to verify whether
attacks are successful. The oracle detects whether the response page contains the
same script tag that was injected in the input data.
Limiting the check to injected script tags guarantees high precision, but
recall may be low, because vulnerabilities that depend on other tags may not
be detected by these oracles. Our approach is more general, because it relies
on structural differences between safe executions and attacks, which are general
enough to capture different forms of code injection.
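As an added illustration (not code from the paper or from the cited works) of the distinction drawn above: the script-tag oracle of [13,8] beside a structural oracle that compares a candidate page's tag skeleton against several safe executions. The sample HTML, the harmless probe() marker, and the choice of src and on* attributes as script-inducing (in addition to the href attributes named in the text) are this example's own assumptions.

```python
from html.parser import HTMLParser

# "Script-inducing" attributes: href (named on the page) plus src and on*
# event handlers, which are this example's own assumption.
URL_ATTRS = ("href", "src")

class _Skeleton(HTMLParser):
    """Tag skeleton in document order: tag names and script-inducing
    attributes only; text nodes are ignored."""
    def __init__(self):
        super().__init__()
        self.nodes = []

    def handle_starttag(self, tag, attrs):
        kept = sorted((k, v) for k, v in attrs
                      if k in URL_ATTRS or k.startswith("on"))
        self.nodes.append((tag, tuple(kept)))

def structural_signature(html):
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return tuple(parser.nodes)

def script_tag_oracle(injected_script, response_html):
    """Oracle of [13,8]: success iff the injected tag is echoed verbatim."""
    return injected_script in response_html

def structural_oracle(safe_responses, candidate_response):
    """Success iff the candidate's skeleton matches none of the safe
    executions (several, since different branches yield different HTML)."""
    safe = {structural_signature(h) for h in safe_responses}
    return structural_signature(candidate_response) not in safe

# Constructed sample responses of a search page (not from the paper).
SAFE = ['<html><body><h1>Results</h1><p>You searched: shoes</p>'
        '<a href="/home">Home</a></body></html>',
        '<html><body><h1>Results</h1><p>No results for: boots</p>'
        '<a href="/home">Home</a></body></html>']
SCRIPT = "<script>probe()</script>"  # harmless marker used as test input
ESCAPED = ('<html><body><h1>Results</h1><p>You searched: &lt;script&gt;'
           'probe()&lt;/script&gt;</p><a href="/home">Home</a></body></html>')
ATTR = ('<html><body><h1>Results</h1><p>You searched: <img src="x" '
        'onerror="probe()"></p><a href="/home">Home</a></body></html>')

def run_oracles():
    """(script-tag verdict, structural verdict) for each candidate page."""
    return {name: (script_tag_oracle(SCRIPT, page), structural_oracle(SAFE, page))
            for name, page in (("escaped", ESCAPED), ("attribute", ATTR))}
```

On the escaped response both oracles correctly report no injection; on the attribute-based injection only the structural oracle fires, which is the recall gap the paragraph describes.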
To assess the classification accuracy of the security oracle, we needed a corpus of
safe test cases and successful attacks. To build this corpus, we relied on a tool
we developed in previous works [1,2], but other approaches