A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications

Sadeeq Jan; Cu D. Nguyen; Andrea Arcuri; Lionel Briand

doi:10.1109/ICST.2017.39

A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications

Sadeeq Jan, Cu D. Nguyen, Andrea Arcuri, Lionel Briand

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services. Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities.

Original language	English
Title of host publication	Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	356-366
Number of pages	11
ISBN (Electronic)	9781509060313
DOIs	https://doi.org/10.1109/ICST.2017.39
Publication status	Published - 15 May 2017
Externally published	Yes
Event	10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017 - Tokyo, Japan Duration: 13 Mar 2017 → 17 Mar 2017

Publication series

Name	Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017

Conference

Conference	10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017
Country/Territory	Japan
City	Tokyo
Period	13/03/17 → 17/03/17

Keywords

Sbst
Security testing
Xml injection

Access to Document

10.1109/ICST.2017.39

Cite this

Jan, S., Nguyen, C. D., Arcuri, A., & Briand, L. (2017). A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications. In Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017 (pp. 356-366). Article 7927989 (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICST.2017.39

Jan, Sadeeq ; Nguyen, Cu D. ; Arcuri, Andrea et al. / A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications. Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 356-366 (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017).

@inproceedings{845a95ce394e45d4b953ccd31c71d22a,

title = "A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications",

abstract = "In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services. Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities.",

keywords = "Sbst, Security testing, Xml injection",

author = "Sadeeq Jan and Nguyen, {Cu D.} and Andrea Arcuri and Lionel Briand",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE.; 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017 ; Conference date: 13-03-2017 Through 17-03-2017",

year = "2017",

month = may,

day = "15",

doi = "10.1109/ICST.2017.39",

language = "English",

series = "Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "356--366",

booktitle = "Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017",

}

Jan, S, Nguyen, CD, Arcuri, A & Briand, L 2017, A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications. in Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017., 7927989, Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017, Institute of Electrical and Electronics Engineers Inc., pp. 356-366, 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017, Tokyo, Japan, 13/03/17. https://doi.org/10.1109/ICST.2017.39

A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications. / Jan, Sadeeq; Nguyen, Cu D.; Arcuri, Andrea et al.
Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 356-366 7927989 (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications

AU - Jan, Sadeeq

AU - Nguyen, Cu D.

AU - Arcuri, Andrea

AU - Briand, Lionel

PY - 2017/5/15

Y1 - 2017/5/15

N2 - In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services. Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities.

AB - In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services. Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities.

KW - Sbst

KW - Security testing

KW - Xml injection

UR - http://www.scopus.com/inward/record.url?scp=85020734249&partnerID=8YFLogxK

U2 - 10.1109/ICST.2017.39

DO - 10.1109/ICST.2017.39

M3 - Conference contribution

AN - SCOPUS:85020734249

T3 - Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017

SP - 356

EP - 366

BT - Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017

Y2 - 13 March 2017 through 17 March 2017

ER -

Jan S, Nguyen CD, Arcuri A, Briand L. A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications. In Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 356-366. 7927989. (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017). doi: 10.1109/ICST.2017.39

A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this