Leveraging user interactions for in-depth testing of web applications

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5230 LNCS, Issue , 2008, Pages 191-210

  McAllister, Sean ^a   Kirda, Engin ^b   Kruegel, Christopher ^c  

^a VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^b EURECOM   (France)

^c UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATED TESTING TOOLS; BLACK BOXES; COMPLEX FORMS; COMPREHENSIVE TESTS; INPUT VALIDATIONS; SECURITY VULNERABILITIES; SOFTWARE QUALITIES; SQL INJECTIONS; TESTING TECHNIQUES; USER INTERACTIONS; VULNERABILITY SCANNERS; WEB APPLICATIONS;

APPLICATIONS; COMPUTER SOFTWARE SELECTION AND EVALUATION; INTRUSION DETECTION; JAVA PROGRAMMING LANGUAGE; PROGRAM DEBUGGING; SOFTWARE TESTING; TESTING; WORLD WIDE WEB;

SCANNING;

EID: 56549119554     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-87403-4_11     Document Type: Conference Paper

References (32)

1. Acunetix. Acunetix Web Vulnerability Scanner (2008), http://www.acunetix. com/
2. Balzarotti, D., Cova, M., Felmetsger, V., Jovanov, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In: IEEE Security and Privacy Symposium (2008)
3. Boizor, B.: Software System Testing and Quality Assurance. Van Nostrand Reinhold (1984)
4. Beizer, B.: Software Testing Techniques. Van Nostrand Reinhold (1990)
5. Spider, B.: Web Application Security (2008), http://portswigger.net/ spider/
6. Cadar, C., Ganesh, V., Pawlowski, P., Dill, D., Engler, D.: EXE: Automatically Generating Inputs of Death. In: ACM Conference on Computer and Communication Security (2006)
7. Hannson, D.: Ruby on Rails (2008), http://www.rubyonrails.org/
8. Django. The Web Framework for Professionals with Deadlines (2008), http://www.djangoproject.com/
9. Basic Django Blog Application, http://code.google.com/p/django-basic- blog/
10. Endler, D.: The Evolution of Cross Site Scripting Attacks. Technical report, iDE-FENSE Labs (2002)
11. Ghezzi, C., Jazayeri, M., Mandrioli, D.: Fundamentals of Software Engineering. Prentice-Hall International, Englewood Cliffs (1994)
12. Godefroid, P., Klarlund, N., Sen, K.: DART. In: Programming Language Design and Implementation (PLD1) (2005)
13. Huang, Y., Huang, S., Lin, T.: Web Application Security Assessment by Fault Injection and Behavior Monitoring. In: 12th World Wide Web Conference (2003)
14. Insecure.org. NMap Network Scanner (2008), http://www.insecure.org/nmap/
15. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In: IEEE Symposium on Security and Privacy (2006)
16. Kals, S., Kirda, E., Kruegel, C., Jovanovic, N.: SecuBat: A Web Vulnerability Scanner. In: World Wide Web Conference (2006)
17. Mitre. Common Vulnerabilities and Exposures, http://cve.mitre.org/
18. Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: IEEE Symposium on Security and Privacy (2007)
19. Nikto. Web Server Scanner (2008). http://www.cirt.net/code/nikto.shtml
20. Offutt, J., Abdurazik, A.: Generating Tests from UML Specifications. In: Second International Conference on the Unified Modeling Language (1999)
21. Offutt, J., Abdurazik, A.: Using UML Collaboration Diagrams for Static Checking and Test Generation. In: Evans, A., Kent, S., Selic, B. (eds.) UML 2000. LNCS, vol. 1939, pp. 383-395. Springer, Heidelberg (2000)
22. Offutt, J., Liu, S., Abdurazik, A., Ammann, P.: Generating Test Data from Statebased Specifications. In: Journal of Software Testing, Verification and Reliability (2003)
23. Poulton, R.: Django Forum Component, http://code.google.com/p/django- forum/
24. Satchmo, http://www.satchmoproject.com/
25. Scott, D., Sharp, R.: Abstracting Application-level Web Security. In: 11th World Wide Web Conference (2002)
26. WhitcHat Security. Web Application Security 101 (2005), http://www.whitehatsec.com/articles/webappsec101.pdf
27. Su, Z., Wassermann, G.: The Essence of Command Injection Attacks in Web Applications. In: Symposium on Principles of Programming Languages (2006)
28. Sun. Java Servlets (2008), http://java.sun.com/products/servlet/
29. Tenable Network Security. Nessus Open Source Vulnerability Scanner Project (2008), http://www.nessus.org/
30. Twill. Twill: A Simple Scripting Language for Web Browsing (2008), http://twill.idyll.org/
31. Web Application Attack and Audit Framework, http://w3af.sourceforge.net/
32. Xie, Y., Aiken, A.: Static Detection of Security Vulnerabilities in Scripting Languages. In: 15th USENIX Security Symposium (2006)