References of "Jan, Sadeeq 50002034"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailSearch-based Multi-Vulnerability Testing of XML Injections in Web Applications
Jan, Sadeeq UL; Panichella, Annibale UL; Arcuri, Andrea UL et al

in Empirical Software Engineering (2019), 24(6), 36963729

Modern web applications often interact with internal web services, which are not directly accessible to users. However, malicious user inputs can be used to exploit security vulnerabilities in web ... [more ▼]

Modern web applications often interact with internal web services, which are not directly accessible to users. However, malicious user inputs can be used to exploit security vulnerabilities in web services through the application front-ends. Therefore, testing techniques have been proposed to reveal security flaws in the interactions with back-end web services, e.g., XML Injections (XMLi). Given a potentially malicious message between a web application and web services, search-based techniques have been used to find input data to mislead the web application into sending such a message, possibly compromising the target web service. However, state-of-the-art techniques focus on (search for) one single malicious message at a time. Since, in practice, there can be many different kinds of malicious messages, with only a few of them which can possibly be generated by a given front-end, searching for one single message at a time is ineffective and may not scale. To overcome these limitations, we propose a novel co-evolutionary algorithm (COMIX) that is tailored to our problem and uncover multiple vulnerabilities at the same time. Our experiments show that COMIX outperforms a single-target search approach for XMLi and other multi-target search algorithms originally defined for white-box unit testing. [less ▲]

Detailed reference viewed: 345 (39 UL)
Full Text
Peer Reviewed
See detailAutomatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications
Jan, Sadeeq UL; Panichella, Annibale UL; Arcuri, Andrea UL et al

in IEEE Transactions on Software Engineering (2019), 45(4), 335-362

Modern enterprise systems can be composed of many web services (e.g., SOAP and RESTful). Users of such systems might not have direct access to those services, and rather interact with them through a ... [more ▼]

Modern enterprise systems can be composed of many web services (e.g., SOAP and RESTful). Users of such systems might not have direct access to those services, and rather interact with them through a single-entry point which provides a GUI (e.g., a web page or a mobile app). Although the interactions with such entry point might be secure, a hacker could trick such systems to send malicious inputs to those internal web services. A typical example is XML injection targeting SOAP communications. Previous work has shown that it is possible to automatically generate such kind of attacks using search-based techniques. In this paper, we improve upon previous results by providing more efficient techniques to generate such attacks. In particular, we investigate four different algorithms and two different fitness functions. A large empirical study, involving also two industrial systems, shows that our technique is effective at automatically generating XML injection attacks. [less ▲]

Detailed reference viewed: 567 (105 UL)
Full Text
See detailAutomated and Effective Security Testing for XML-based Vulnerabilities
Jan, Sadeeq UL

Doctoral thesis (2017)

Nowadays, the External Markup Language (XML) is the most commonly used technology in web services for enabling service providers and consumers to exchange data. XML is also widely used to store data and ... [more ▼]

Nowadays, the External Markup Language (XML) is the most commonly used technology in web services for enabling service providers and consumers to exchange data. XML is also widely used to store data and configuration files that control the operation of software systems. Nevertheless, XML suffers from several well-known vulnerabilities such as XML Injections (XMLi). Any exploitation of these vulnerabilities might cause serious and undesirable consequences, e.g., denial of service and accessing or modifying highly-confidential data. Fuzz testing techniques have been investigated in the literature to detect XMLi vulnerabilities. However, their success rate tends to be very low since they cannot generate complex test inputs required for the detection of these vulnerabilities. Furthermore, these approaches are not effective for real-world complex XML-based enterprise systems, which are composed of several components including front-end web applications, XML gateway/firewall, and back-end web services. In this dissertation, we propose several automated security testing strategies for detecting XML-based vulnerabilities. In particular, we tackle the challenges of security testing in an industrial context. Our proposed strategies, target various and complementary aspects of security testing for XML-based systems, e.g., test case generation for XML gateway/firewall. The development and evaluation of these strategies have been done in close collaboration with a leading financial service provider in Luxembourg/Switzerland, namely SIX Payment Services (formerly known as CETREL S.A.). SIX Payment Services processes several thousand financial transactions daily, providing a range of financial services, e.g., online payments, issuing of credit and debit cards. The main research contributions of this dissertation are: -A large-scale and systematic experimental assessment for detecting vulnerabilities in numerous widely-used XML parsers and the underlying systems using them. In particular, we targeted two common XML parser’s vulnerabilities: (i) XML Billion Laughs (BIL), and (ii) XML External Entities (XXE). - A novel automated testing approach, that is based on constraint-solving and input mutation techniques, to detect XMLi vulnerabilities in XML gateway/firewall and back-end web services. - A black-box search-based testing approach to detect XMLi vulnerabilities in front-end web applications. Genetic algorithms are used to search for inputs that can manipulate the application to generate malicious XML messages. - An in-depth analysis of various search algorithms and fitness functions, to improve the search-based testing approach for front-end web applications. - Extensive evaluations of our proposed testing strategies on numerous real-world industrial web services, XML gateway/firewall, and web applications as well as several open-source systems. [less ▲]

Detailed reference viewed: 300 (24 UL)
Full Text
Peer Reviewed
See detailA Search-based Testing Approach for XML Injection Vulnerabilities in Web Applications
Jan, Sadeeq UL; Nguyen, Duy Cu UL; Andrea, Arcuri UL et al

in 10th IEEE International Conference on Software Testing, Verification and validation (ICST 2017), Tokyo 13-18 March 2017 (2017)

In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to ... [more ▼]

In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services. <br />Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities. [less ▲]

Detailed reference viewed: 420 (39 UL)
Full Text
Peer Reviewed
See detailAutomated and Effective Testing of Web Services for XML Injection Attacks
Jan, Sadeeq UL; Nguyen, Duy Cu UL; Briand, Lionel UL

in ISSTA'16-The International Symposium on Software Testing and Analysis, Saarbrücken 18-20 July 2016 (2016, July 18)

XML is extensively used in web services for integration and data exchange. Its popularity and wide adoption make it an attractive target for attackers and a number of XML-based attack types have been ... [more ▼]

XML is extensively used in web services for integration and data exchange. Its popularity and wide adoption make it an attractive target for attackers and a number of XML-based attack types have been reported recently. This raises the need for cost-effective, automated testing of web services to detect XML-related vulnerabilities, which is the focus of this paper. We discuss a taxonomy of the types of XML injection attacks and use it to derive four different ways to mutate XML messages, turning them into attacks (tests) automatically. Further, we consider domain constraints and attack grammars, and use a constraint solver to generate XML messages that are both malicious and valid, thus making it more difficult for any protection mechanism to recognise them. As a result, such messages have a better chance to detect vulnerabilities. Our evaluation on an industrial case study has shown that a large proportion (78.86%) of the attacks generated using our approach could circumvent the first layer of security protection, an XML gateway (firewall), a result that is much better than what a state-of-the-art tool based on fuzz testing could achieve. [less ▲]

Detailed reference viewed: 501 (32 UL)
Full Text
Peer Reviewed
See detailKnown XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
Jan, Sadeeq UL; Nguyen, Duy Cu UL; Briand, Lionel UL

in The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015 (2015, August 03)

The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of services, have been ... [more ▼]

The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of services, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks: BIL and XXE in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable and so are systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures to thwart BIL and XXE attacks before deployment when adopting existing XML parsers. [less ▲]

Detailed reference viewed: 302 (25 UL)