Knowledge-based security testing of web applications by logic programming

Philipp Zech,Michael Felderer,Ruth Breu

doi:10.1007/s10009-017-0472-3

Abstract

This article introduces a new method for knowledge-based security testing by logic programming and the related tool implementation for model-based non-functional security testing of web applications. Our method helps to overcome the current prevalent focus on functional instead of non-functional (or negative) requirements as well as the required high level of security knowledge when performing non-functional security testing. It addresses issues like considering non-functional requirements for testing, managing the virtually infinite amount of negative security test cases, advancing non-functional security testing away from its prevalent penetration testing-like style, and making non-functional security testing feasible for testers that are not experts in security via a security knowledge base. The method and its model-based tool implementation are evaluated in two studies, which show the method’s effectiveness in detecting vulnerabilities in web applications and thus, also its value in making software system more secure.

Highlights

In recent years, web applications have become a central part of our lives, both commercially and privately
We have evaluated our method and its modelbased tool implementation in two experiments (Sect. 5) where we used it to detect SQL injection (SQLI) and XSS vulnerabilities in Damn Vulnerable Web Application (DVWA) [8], a PHP/MySQL web application that is highly vulnerable providing a legal environment for security professionals to test their skills and tools
The results presented in this article contribute to secure software engineering and to security testing in the following respects: (1) A method and model-based tool implementation for non-functional security testing of web applications by logic programming

Summary

Introduction

Web applications have become a central part of our lives, both commercially and privately. These applications share and process sensitive user data which must be protected by all means. In SQLI, an attacker avails himself the circumstance that user input is not properly sanitized by the application; it can carry malicious database statements which, when executed, exploit the back-end database of the application. In XSS, an attacker avails himself the circumstance that user input is not properly sanitized, yet with the goal that malicious input is reflected by the application (e.g., in some HTML output) to be executed in the victim’s browser

Methods

Results

Conclusion