A testing framework for Web application security assessment

Computer Networks

Volumn 48, Issue 5, 2005, Pages 739-761

  Huang, Yao Wen ^a,b   Tsai, Chung Hung ^b   Lin, Tsung Po ^b   Huang, Shih Kun ^a,c   Lee, D T ^a,b,c   Kuo, Sy Yen ^a,b  

^a NATIONAL TAIWAN UNIVERSITY   (Taiwan)

^b INSTITUTE OF INFORMATION SCIENCE   (Taiwan)

^c NATIONAL CHIAO TUNG UNIVERSITY   (Taiwan)

Author keywords

Black box testing; Complete crawling; Fault injection; Security assessment; Web application testing

Indexed keywords

AUTOMATION; COMPUTER NETWORKS; COMPUTER SOFTWARE; ERROR CORRECTION; FAULT TREE ANALYSIS; REAL TIME SYSTEMS; SECURITY OF DATA;

BLACK-BOX TESTING; COMPLETE CRAWLING; FAULT INJECTION; SECURITY ASSESSMENT; WEB APPLICATION TESTING;

WORLD WIDE WEB;

EID: 18844454053     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2005.01.003     Document Type: Article

References (73)

1. Aladdin Knowledge Systems, eSafe Proactive Content Security, Available from:
2. I. Armstrong, Mobile code stakes its claim, SC Magazine, Cover Story, November 2000
3. L. Auronen Tool-based approach to assessing web application security 2002 Helsinki University of Technology
4. W3C, Document Object Model (DOM). Available from: < http://www.w3.org/DOM/>
5. C. Anley Advanced SQL injection in SQL server applications 2002 An NGS Software Insight Security Research (NISR) Publication
6. F. Apap, A. Honig, S. Hershkop, E. Eskin, S. Stolfo, Detecting malicious software by monitoring anomalous windows registry accesses, in: Fifth International Symposium on Recent Advances in Intrusion Detection, Zurich, Switzerland, October 2002
7. R. Balzer Assuring the safety of opening email attachments DARPA Information Survivability Conference & Exposition II 2 2001 257 262
8. M. Benedikt, J. Freire, P. Godefroid, VeriWeb: Automatically testing dynamic web sites, in: Proceedings of the 11th International Conference on the World Wide Web, Honolulu, Hawaii, May 2002
9. M.K. Bergman, The deep Web: surfacing hidden value, Deep Content Whitepaper, 2001
10. A. Bertolino, Knowledge area description of software testing, in: Guide to the Software Engineering Body of Knowledge SWEBOK (v. 0.7), Chapter 5, Software Engineering Coordinated Committee (Joint IEEE Computer Society-ACM Committee), April, 2000. Available from: < http://www.swebok.org>
11. M. Bernaschi, E. Gabrielli, L.V. Mancini, Operating system enhancements to prevent the misuse of system calls, in: Proceedings of the 7th ACM Conference on Computer and Communications Security, Athens, Greece, 2000
12. M. Bobbitt, Bulletproof web security, Network Security Magazine, TechTarget Storage Media, May 2002. Available from: < http://infosecuritymag. techtarget.com/2002/may/bulletproof.shtml>
13. C.M. Bowman, P. Danzig, D. Hardy, U. Manber, M. Schwartz, and D. Wessels Harvest: a scalablecustomizable discovery and access system 1995 Department of Computer Science, University of Colorado Boulder
14. T. Bowen, M. Segal, R. Sekar, On preventing intrusions by process behavior monitoring, in: Eighth USENIX Security Symposium, Washington, DC, August 1999
15. C. Brabrand, and A.M.I. Møller The 〈bigwig〉 project ACM Transactions on Internet Technology 2 2 2002 79 114
16. CERT, CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests. Available from: < http://www.cgisecurity.com/articles/ xss-faq.shtml>
17. J. Cho, H. Garcia-Molina, Parallel crawlers, in: Proceedings of the 11th International Conference on the World Wide Web, Honolulu, Hawaii, May 2002, pp. 124-135
18. M. Curphey, D. Endler, W. Hau, S. Taylor, T. Smith, A. Russell, G. McKenna, R. Parke, K. McLaughlin, N. Tranter, A. Klien, D. Groves, I. By-Gad, S. Huseby, M. Eizner, R. McNamara, A guide to building secure Web applications, The Open Web Application Security Project v.1.1.1, September 2002
19. DHTML Central, HierMenus. Available from: < http://www.webreference. com/dhtml/hiermenus/>
20. Di Lucca, G.A. Di Penta, M. Antoniol, G. Casazza, An approach for reverse engineering of Web-based applications, in: Proceedings of the Eighth Working Conference on Reverse Engineering, Stuttgart, Germany, October 2001, pp. 231-240
21. G.A. Di Lucca, A.R. Fasolino, F. Pace, P. Tramontana, U. De Carlini, WARE: A tool for the reverse engineering of web applications, in: Proceedings of the Sixth European Conference on Software Maintenance and Reengineering, Budapest, Hungary, March 2002, pp. 241-250
22. Finjan Software, Your window of vulnerability - why anti-virus isn't enough. Available from: < http://www.finjan.com/mcrc/overview.cfm>
23. R. Gold, HttpUnit. Available from: < http://httpunit.sourceforge.net/ >
24. Y.W. Huang, S.K. Huang, T.P. Lin, C.H. Tsai, Securing Web application code by static analysis and runtime protection, in: Proceedings of the 13th International World Wide Web Conference, New York, May 17-22, 2004
25. Y.W. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee, S.Y. Kuo, Verifying Web applications using bounded model checking, in: Proceedings of the 2004 International Conference Dependable Systems and Networks (DSN2004), Florence, Italy, June 28-July 1, 2004
26. G. Hunt, D. Brubacher, Detours: binary interception of Win32 functions, in: USENIX Technical Program-Windows NT Symposium 99, 1999
27. P. Ipeirotis, L. Gravano, Distributed search over the hidden Web: hierarchical database sampling and selection, in: The 28th International Conference on Very Large Databases, Hong Kong, China, August 2002, pp. 394-405
28. J. Joshi, W. Aref, A. Ghafoor, and E. Spafford Security models for Web-based applications Communications of the ACM 44 2 2001 38 44
29. H. Kaiya, K. Kaijiri, Specifying runtime environments and functionalities of downloadable components under the sandbox model, in: Proceedings of the International Symposium on Principles of Software Evolution, Kanazawa, Japan, November 2000, pp. 138-142
30. Kavado, Inc., InterDo Version 3.0., Kavado Whitepaper, 2003
31. C. Ko, T. Fraser, L. Badger, D. Kilpatrick, Detecting and countering system intrusions using software wrappers, in: Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, August 2000
32. A. Krishnamurthy, Hotmail, Yahoo in the run to rectify filter flaw, TechTree.com, March 24, 2004. Available from: < http://www.techtree.com/ techtree/jsp/showstory.jsp>?storyid= 5038
33. S. Liddle, D. Embley, D. Scott, S.H. Yau, Extracting data behind web forms, in: Proceedings of the Workshop on Conceptual Modeling Approaches for e-Business, Tampere, Finland, October 2002
34. C.H. Liu, D.C. Kung, P. Hsia, C.T. Hsu, Structural testing of Web applications, in: Proceedings of the 11th International Symposium Software Reliability Engineering (ISSRE2000), October 8-11, 2000, pp. 84-96
35. C.H. Liu, D.C. Kung, P. Hsia, C.T. Hsu, Object-based data flow testing of Web applications, in: Proceedings of the 1st Asia-Pacific Conference on Quality Software (APAQS'00), Hong Kong, China, October 30-31, 2000
36. U. Manber, M. Smith, B. Gopal, WebGlimpse - combining browsing and searching, in: Proceedings of the USENIX 1997 Annual Technical Conference, Anaheim, California, January 1997)
37. Microsoft, Scriptlet Security, Getting Started with Scriptlets, MSDN Library, 1997. Available from: < http://msdn.microsoft.com/library/default. asp?url=/library/en-us/dnindhtm/html/instantdhtmlscriptlets.asp>
38. R.C. Miller, K. Bharat, SPHinx: a framework for creating personal, site-specific Web crawlers, in: Proceedings of the 7th International World Wide Web Conference, Brisbane, Australia, April 1998, pp. 119-130
39. Mozilla.org, Mozilla Layout Engine. Available from: < http://www.mozilla.org/newlayout/>
40. P.G. Neumann Risks to the public in computers and related systems ACM SIGSOFT Software Engineering Notes 25 3 2000 15 23
41. Netscape, JavaScript Security in Communicator 4.x. Available from: < http://developer.netscape.com/docs/manuals/communicator/jssec/contents. htm#1023448>
42. J. Offutt Quality attributes of web software applications IEEE Software 19 2 2002 25 32
43. K. Ohmaki, Open source software research activities in aist towards secure open systems, in: Proceedings of the 7th IEEE International Symposium High Assurance Systems Engineering (HASE'02), Tokyo, Japan, October 23-25, 2002, p. 37
44. OWASP, WebScarab Project. Available from: < http://www.owasp.org/ webscarab/>
45. Pelican Security Inc., Active content security: risks and solutions, Pelican Security Whitepaper, 1999
46. P. Privateer, Making the net safe for ebusiness: solving the problem of malicious Internet mobile code, in: Proceedings of the eSolutions World 2000 Conference, Philiadelphia, Pennsylvania, September 2000
47. P. Uppuluri, R. Sekar, Experiences with specification based intrusion detection system, in: Fourth International Symposium on Recent Advances in Intrusion Detection, Davis, California, October 2001
48. S. Raghavan, H. Garcia-Molina, Crawling the hidden Web, in: Proceedings of the 27th VLDB Conference, Roma, Italy, September 2001, pp. 129-138
49. S. Raghavan, H. Garcia-Molina, Crawling the hidden Web, in: Technical Report 2000-36, Database Group, Computer Science Department, Stanford, November 2000
50. S. Rapps, and E.J. Weyuker Selecting software test data using data flow information IEEE Transactions on Software Engineering SE-11 1985 367 375
51. F. Ricca, P. Tonella, Analysis and testing of Web applications, in: Proceedings of the 23rd IEEE International Conference on Software Engineering, Toronto, Ontario, Canada, May 2001, pp. 25-34
52. F. Ricca, P. Tonella, and I.D. Baxter Restructuring Web applications via transformation rules Information and Software Technology 44 13 2002 811 825
53. F. Ricca, and P. Tonella Understanding and restructuring Web sites with ReWeb IEEE Multimedia 8 2 2001 40 51
54. F. Ricca, P. Tonella, Web application slicing, in: Proceedings of the IEEE International Conference on Software Maintenance, Florence, Italy, November 2001, pp. 148-157
55. F. Ricca, P. Tonella, Web site analysis: structure and evolution, in: Proceedings of the IEEE International Conference on Software Maintenance, San Jose, California, October 2000, pp. 76-86
56. Sanctum Inc., AppShield 4.0 Whitepaper, 2002. Available from: < http://www.sanctuminc.com>
57. Sanctum Inc., Web Application Security Testing-AppScan3.5. Available from: < http://www.sanctuminc.com>
58. D. Scott, R. Sharp, Abstracting application-level Web security, in: The 11th International Conference on the World Wide Web, Honolulu, Hawaii, May 2002, pp. 396-407
59. D. Scott, and R. Sharp Developing secure Web applications IEEE Internet Computing 6 6 2002 38 45
60. R. Sekar, P. Uppuluri, Synthesizing fast intrusion detection/prevention systems from high-level specifications, in: USENIX Security Symposium, 1999
61. Sebastien@ailleret.com, Larbin: A multi-purpose Web crawler. http://larbin.sourceforge.net/index-eng.html
62. SecurityGlobal.net, Security Tracker Statistics, April 2002-March 2002. Available from: < http://securitytracker.com/learn/statistics.html>
63. U. Shankar, K. Talwar, J.S. Foster, D. Wagner, Detecting format string vulnerabilities with type qualifiers, in: Proceeding of the 10th USENIX Security Symposium (USENIX'02), Washington DC, August 2002, pp. 201-220
64. V. Shkapenyuk, T. Suel, Design and implementation of a high-performance distributed Web crawler, in: Proceedings of the 18th IEEE International Conference on Data Engineering, San Jose, California, Febraury 2002, pp. 357-368
65. R. Song, H. Liu, J.R. Wen, W.Y. Ma, Learning block importance models for Web pages, in: Proceedings of the 13th International World Wide Web Conference, New York, May 17-22, 2004, pp. 203-211
66. SPI Dynamics, Web application security assessment, SPI Dynamics Whitepaper, 2003
67. Tennyson Maxwell Information Systems, Inc., Teleport Webspiders. Available from: < http://www.tenmax.com/teleport/home.htm>
68. S. Tilley, S. Huang, Evaluating the reverse engineering capabilities of Web tools for understanding site content and structure: A case study, in: Proceedings of the 23rd IEEE International Conference on Software Engineering, Toronto, Ontario, Canada, May 2001, pp. 514-523
69. United States Patent and Trademark Office. Available from: < http://www.uspto.gov/patft/>
70. S. Varghese, Microsoft patches critical Hotmail hole, TheAge.com, March 24, 2004. Available from: < http://www.theage.com.au/articles/2004/03/24/ 1079939690076.html>
71. R. Vibert, AV alternatives: extending scanner range, in: Information Security Magazine, February 2001
72. J. Voas, and G. McGraw Software fault injection: inoculating programs against errors 1997 Wiley New York pp. 47-48
73. WinMerge, WinMerge: A visual text file differencing and merging tool for Win32 platforms. Available from: < http://winmerge.sourceforge.net>