Visible to the public Biblio

Filters: Author is Calvi, Alberto  [Clear All Filters]
2017-11-01
Calvi, Alberto, Viganò, Luca.  2016.  An Automated Approach for Testing the Security of Web Applications Against Chained Attacks. Proceedings of the 31st Annual ACM Symposium on Applied Computing. :2095–2102.

We present the Chained Attacks approach, an automated model-based approach to test the security of web applications that does not require a background in formal methods. Starting from a set of HTTP conversations and a configuration file providing the testing surface and purpose, a model of the System Under Test (SUT) is generated and input, along with the web attacker model we defined, to a model checker acting as test oracle. The HTTP conversations, payload libraries, and a mapping created while generating the model aid the concretization of the test cases, allowing for their execution on the SUT's implementation. We applied our approach to a real-life case study and we were able to find a combination of different attacks representing the concrete chained attack performed by a bug bounty hunter.