An Automated Approach for Testing the Security of Web Applications Against Chained Attacks
| Field | Value |
| --- | --- |
| Title | An Automated Approach for Testing the Security of Web Applications Against Chained Attacks |
| Publication Type | Conference Paper |
| Year of Publication | 2016 |
| Authors | Calvi, Alberto; Viganò, Luca |
| Conference Name | Proceedings of the 31st Annual ACM Symposium on Applied Computing |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-3739-7 |
| Keywords | attack surface, Chained Attacks, Metrics, model-based testing, pubcrawl, resilience, Scalability, security, Web applications |
| Abstract | We present the Chained Attacks approach, an automated model-based approach to test the security of web applications that does not require a background in formal methods. Starting from a set of HTTP conversations and a configuration file providing the testing surface and purpose, a model of the System Under Test (SUT) is generated and input, along with the web attacker model we defined, to a model checker acting as test oracle. The HTTP conversations, payload libraries, and a mapping created while generating the model aid the concretization of the test cases, allowing for their execution on the SUT's implementation. We applied our approach to a real-life case study and we were able to find a combination of different attacks representing the concrete chained attack performed by a bug bounty hunter. |
| URL | http://doi.acm.org/10.1145/2851613.2851803 |
| DOI | 10.1145/2851613.2851803 |
| Citation Key | calvi_automated_2016 |