Metamorphic Security Testing for Web Systems

Phu X. Mai, Fabrizio Pastore, Arda Goknil, Lionel Briand

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Security testing verifies that the data and the resources of software systems are protected from attackers. Unfortunately, it suffers from the oracle problem, which refers to the challenge, given an input for a system, of distinguishing correct from incorrect behavior. In many situations where potential vulnerabilities are tested, a test oracle may not exist, or it might be impractical due to the many inputs for which specific oracles have to be defined. In this paper, we propose a metamorphic testing approach that alleviates the oracle problem in security testing. It enables engineers to specify metamorphic relations (MRs) that capture security properties of the system. Such MRs are then used to automate testing and detect vulnerabilities. We provide a catalog of 22 system-agnostic MRs to automate security testing in Web systems. Our approach targets 39% of the OWASP security testing activities not automated by state-of-the-art techniques. It automatically detected 10 out of 12 vulnerabilities affecting two widely used systems, one commercial and the other open source (Jenkins).

Original languageEnglish
Title of host publicationProceedings - 2020 IEEE 13th International Conference on Software Testing, Verification and Validation, ICST 2020
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages186-197
Number of pages12
ISBN (Electronic)9781728157771
DOIs
Publication statusPublished - Oct 2020
Externally publishedYes
Event13th IEEE International Conference on Software Testing, Verification and Validation, ICST 2020 - Porto, Portugal
Duration: 23 Mar 202027 Mar 2020

Publication series

NameProceedings - 2020 IEEE 13th International Conference on Software Testing, Verification and Validation, ICST 2020

Conference

Conference13th IEEE International Conference on Software Testing, Verification and Validation, ICST 2020
Country/TerritoryPortugal
CityPorto
Period23/03/2027/03/20

Keywords

  • Software Engineering
  • Software Security

Fingerprint

Dive into the research topics of 'Metamorphic Security Testing for Web Systems'. Together they form a unique fingerprint.

Cite this