Security Testing of Web Applications: a Search Based Approach for Cross-Site Scripting Vulnerabilities

Avancini, Andrea; Ceccato, Mariano
2011

Abstract

More and more web applications suffer from cross-site scripting vulnerabilities that could be exploited by attackers to access sensitive information (such as credentials or credit card numbers). Proper tests are required to assess the security of web applications. In this paper, we resort to a search-based approach for security testing of web applications. We take advantage of static analysis to detect candidate cross-site scripting vulnerabilities. Input values that trap these vulnerabilities are searched for by a genetic algorithm and, to help the genetic algorithm escape local optima, symbolic constraints are collected at run-time and handled by a solver. Search results represent test cases to be used by software developers to understand and fix security problems. We implemented this procedure in a prototype and evaluated it on real-world PHP code.

ISBN: 9780769543475

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: http://hdl.handle.net/11582/46399