Abstract

Security testing verifies that the data and the resources of software systems are protected from attackers. Unfortunately, it suffers from the oracle problem, which refers to the challenge, given an input for a system, of distinguishing correct from incorrect behavior. In many situations where potential vulnerabilities are tested, a test oracle may not exist, or it might be impractical due to the many inputs for which specific oracles have to be defined. In this paper, we propose a metamorphic testing approach that alleviates the oracle problem in security testing. It enables engineers to specify metamorphic relations (MRs) that capture security properties of the system. Such MRs are then used to automate testing and detect vulnerabilities. We provide a catalog of 22 system-agnostic MRs to automate security testing in Web systems. Our approach targets 39% of the OWASP security testing activities not automated by state-of-the-art techniques. It automatically detected 10 out of 12 vulnerabilities affecting two widely used systems, one commercial and the other open source (Jenkins).

Highlights

  • Security testing aims to uncover flaws in software mechanisms that protect data and ensure the delivery of the intended system functionality

  • Security testing suffers from the oracle problem [6]–[8], which refers to situations where it is extremely difficult or impractical to determine the correct output for a given test input

  • To what extent can metamorphic testing address the oracle problem in the context of security testing? We aim to determine which types of security vulnerabilities can be addressed by our solution


Summary

Introduction

Security testing aims to uncover flaws in software mechanisms that protect data and ensure the delivery of the intended system functionality. In contexts where test case execution is automated, an automated test oracle (i.e., a mechanism for determining whether a test case has passed or failed) is needed to check the execution result. It often consists of comparing expected and observed outputs. A security test case for the bypass authorization schema vulnerability should verify, for every specific user role, whether it is possible to access resources that should be available only to a user who holds a different role [9]. It is not always feasible to answer such questions when expected outputs need to be identified for a large set of test inputs (e.g., for various resources, roles and privileges). If there is a violation of the relation, f is faulty.
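The following added example (not code from the paper or its tooling) shows how a metamorphic relation can stand in for per-input oracles in the bypass-authorization case described above. The toy application, its users, URLs, and the exact relation checked are all assumptions constructed for illustration; the relation is not claimed to be one of the paper's 22 MRs.

```python
# Constructed toy application: nothing here comes from the paper or its tooling.
# Links each user sees in the UI (what a crawler would collect per user).
VISIBLE_LINKS = {
    "admin": {"/home", "/jobs", "/admin/users", "/admin/config"},
    "dev":   {"/home", "/jobs"},
    "guest": {"/home"},
}
# Server-side access rules. "/admin/config" has no rule: the seeded flaw.
REQUIRED_ROLE = {"/jobs": {"admin", "dev"}, "/admin/users": {"admin"}}


def fetch(user, url):
    """Simulated HTTP GET: returns (status, body) for `user` requesting `url`."""
    allowed = REQUIRED_ROLE.get(url)
    if allowed is not None and user not in allowed:
        return 403, "forbidden"
    return 200, f"content of {url}"


def follow_up_inputs(source_user, users):
    """Derive follow-up inputs from a source input (user, url):
    the same URL, requested by a user whose UI never offers that URL."""
    for url in sorted(VISIBLE_LINKS[source_user]):
        for other in users:
            if other != source_user and url not in VISIBLE_LINKS[other]:
                yield url, other


def check_relation(users):
    """Metamorphic relation: if a URL is hidden from `other`, the response
    `other` receives must differ from the one the source user receives.
    No expected output per URL is defined; only the two outputs are compared."""
    violations = []
    for source in users:
        for url, other in follow_up_inputs(source, users):
            if fetch(source, url) == fetch(other, url):
                violations.append((url, source, other))
    return violations


if __name__ == "__main__":
    for url, source, other in check_relation(sorted(VISIBLE_LINKS)):
        print(f"MR violated: {other} gets the same response as {source} for {url}")
```

Adding a role rule for `/admin/config` to `REQUIRED_ROLE` makes the relation hold for every generated follow-up input, without any expected output having been written for that URL.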
