Paper published in a book (Scientific congresses, symposiums and conference proceedings)
A Search-based Testing Approach for XML Injection Vulnerabilities in Web Applications
Jan, Sadeeq; Nguyen, Duy Cu; Andrea, Arcuri et al.
2017. In: 10th IEEE International Conference on Software Testing, Verification and Validation (ICST 2017), Tokyo, 13-18 March 2017
Peer reviewed
 

Files

Full Text: main.pdf, author postprint (846.27 kB)
Details

Keywords :
security; XML parsers; SBST
Abstract :
In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services. Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust-University of Luxembourg
Disciplines :
Computer science
Author, co-author :
Jan, Sadeeq; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Nguyen, Duy Cu; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT); POST Luxembourg > Cyber Security Department
Andrea, Arcuri; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT); Westerdals, Oslo, Norway
Briand, Lionel; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors :
yes
Language :
English
Title :
A Search-based Testing Approach for XML Injection Vulnerabilities in Web Applications
Publication date :
2017
Event name :
10th IEEE International Conference on Software Testing, Verification and Validation (ICST 2017)
Event organizer :
Waseda University, Nishiwaseda Campus
Event place :
Tokyo, Japan
Event date :
13-18 March 2017
Audience :
International
Main work title :
10th IEEE International Conference on Software Testing, Verification and Validation (ICST 2017), Tokyo, 13-18 March 2017
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR6024200 - An Effective Automated Testing Approach For Detection Of Xml Injection, 2013 (15/09/2013-14/09/2017) - Sadeeq Jan
Funders :
FNR - Fonds National de la Recherche [LU]
Available on ORBilu :
since 28 November 2016

Statistics

Number of views: 375 (48 by Unilu)
Number of downloads: 20 (10 by Unilu)
Scopus citations: 13
Scopus citations without self-citations: 10
WoS citations: 5