Abstract

In this paper, an integrated multiagent testing tool, is presented. Such tool comprises static analyzer, dynamic tester and an integrator of the two components for detecting security vulnerabilities and errors in agent based web applications written in Java. The static analysis component analyzes the source code of the web application to identify the locations of security vulnerabilities and displays them to the programmer. Consequently, dynamic testing of the web application is carried out. Here, a temporal-based assertion language is introduced to help in detecting security violations (errors) in the underlying application. The proposed language has operators for detecting SQL injection and cross-site scripting, XSS, security errors. The dynamic tester consists of two components: instrumentor (preprocessor) and run-time-agent. The instrumentor has many modules that have been implemented as software agents using Java language under the control of a multi agent framework. The agents of the instrumentor are: static analyzer agent, parser agent, and code converter agent. Moreover, an integrator for integrating both static and dynamic analyses is employed. Eventually the implementation details of IMATT are reported.

Highlights

  • The majority of the software testing tools are generic [2,23,25] in the sense that they are working independent of the style of the program under test

  • We went a step further in this direction, where IMATT extends AEC and introduces, an agent based tool for testing large agent based Web applications against security flaws

  • IMATT could be used with the following pragmatic advantages: 1. IMATT is homogeneous in the sense that both static and dynamic components are model based where the static analysis model is based on a set of grammar rules while the dynamic analysis model is based on temporal logic assertions in addition to a set of behavioral dynamic responses

Read more

Summary

Related Work

There are several generic tools such as NuSVM, FDR2, ITS4, CHESS and NESSUS that could be exploited for program (code) analysis. The static analyzer, given by livshits et al[15] finds the potential matches conservatively using a context-sensitive, flow-insensitive, inclusion-based pointer alias analysis In addition their dynamic analyzer instruments the sources program to catch the security violations when the program runs to perform user specified actions. By making use of these techniques, an analyzer has been designed and implemented to detect security flaws, resource leaks and violations of the predefined rules In their recent work Keromytis et al[6] have presented MINESTRONE as an architecture that integrates static analysis, dynamic confinement and code diversification techniques to enable the identification of vulnerabilities in a third party software. The tool Apollo has been discussed by Artzi et al in [16] It aims at finding bugs in Web applications using dynamic testing and explicit state model checking.

Proposed Architecture of IMATT
Static Analysis
Dynamic Analysis
Temporal Assertion Language
The Architecture of the dynamic testing tool
Integration of Static and Dynamic Analyzers
Tool Implementation and Testing
Code Generation for SQL Injection and XSS
Testing of Web Applications
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.