Abstract
Web applications suffer from security vulnerabilities that attackers can exploit to cause harm in a variety of ways. A number of approaches have been proposed to test for such vulnerabilities, but some gaps remain. In this paper, we address one of them: the problem of automatically generating test data (i.e., possible attacks) to test for cross-site scripting (XSS) vulnerabilities. The objective is to generate a set of test data that exercises candidate security-vulnerable paths in a given script. The desired set of test data must be effective in the sense that it uncovers whether any of those paths can indeed be exploited to launch an attack. We designed a genetic-algorithm-based test data generator that uses a database of XSS attack patterns to generate possible attacks and assesses whether each attack is successful. We considered the different types of XSS vulnerability: stored, reflected and DOM-based. We empirically validated our test data generator using case studies of Web applications developed with PHP and MySQL. Empirical results show that the generator is effective in producing, in one run, multiple test data that cover multiple target paths.
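The following is an added illustration of the approach the abstract describes, not the paper's own generator: a genetic algorithm seeded from a small XSS attack-pattern database, a fitness function that rewards exploited target paths, and an archive that collects the first test datum found for each path. Everything target-specific is constructed here so it runs offline: the three functions `path_reflected_body`, `path_stored_attribute` and `path_dom_href` stand in for candidate vulnerable paths of a hypothetical PHP script (one per XSS type, each with a weak sanitizer), `ATTACK_PATTERNS` is a toy pattern database, and the "does it execute?" oracle is Python's stdlib `html.parser` checking whether the canary `alert(1)` lands in a script body, an event-handler attribute or a `javascript:` link, in place of the browser a real harness would use.

```python
"""GA-based XSS test-data generator on a simulated target (added example, not
the paper's code). The candidate vulnerable paths, the attack-pattern database
and the execution oracle are all constructed here for illustration."""
import random
import re
from html.parser import HTMLParser

CANARY = "alert(1)"  # payload body that must reach an executable sink intact

# Constructed attack-pattern database (a real one would be far larger).
ATTACK_PATTERNS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    '"><svg onload=alert(1)>',
    '" onmouseover=alert(1) x="',
    '<a href="javascript:alert(1)">x</a>',
    "javascript:alert(1)",
]
TAGS = ["img", "svg", "body", "iframe", "details"]
HANDLERS = ["onerror", "onload", "onmouseover", "ontoggle", "onfocus"]
BREAKOUTS = ['">', "'>", '"', "'", "</script>"]
_CASE_RE = re.compile(r"<\w+|on\w+=|javascript:")  # tokens the case flip may touch


# Simulated candidate vulnerable paths of a hypothetical PHP script: each maps
# attacker-controlled input to the HTML that path would emit.
def path_reflected_body(v):
    """Reflected: case-sensitive blacklist, then echo into the page body."""
    for bad in ("<script", "onerror", "onload", "javascript:"):
        v = v.replace(bad, "")
    return f"<p>Hello {v}</p>"

def path_stored_attribute(v):
    """Stored: value written into a quoted attribute; only < and > encoded."""
    v = v.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="text" value="{v}">'

def path_dom_href(v):
    """DOM-style sink: value becomes a link target; only an exact lowercase
    'javascript:' prefix is refused."""
    if v.startswith("javascript:"):
        v = "#"
    return f'<a href="{v}">next</a>'

TARGET_PATHS = {"reflected_body": path_reflected_body,
                "stored_attribute": path_stored_attribute,
                "dom_href": path_dom_href}


class _Oracle(HTMLParser):
    """Browser stand-in: did the canary land where a browser would run it?"""
    def __init__(self):
        super().__init__()
        self.fired = self._in_script = False

    def handle_starttag(self, tag, attrs):  # names arrive lowercased, values unescaped
        self._in_script = tag == "script"
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on") and value == CANARY:
                self.fired = True
            if name == "href" and value.lower().startswith("javascript:") and CANARY in value:
                self.fired = True

    def handle_data(self, data):
        if self._in_script and CANARY in data:
            self.fired = True

    def handle_endtag(self, tag):
        self._in_script = False

def executes(html_out):
    oracle = _Oracle()
    oracle.feed(html_out)
    oracle.close()
    return oracle.fired

def evaluate(payload):
    """Which target paths does this test datum exploit?"""
    return {name: executes(path(payload)) for name, path in TARGET_PATHS.items()}

def fitness(payload):
    """An exploited path scores 2; a blocked path scores the fraction of payload
    tokens that survived sanitisation, which gives the search a gradient."""
    toks = re.findall(r"[A-Za-z]+", payload)
    if not toks:
        return 0.0
    score = 0.0
    for path in TARGET_PATHS.values():
        out = path(payload)
        score += 2.0 if executes(out) else sum(t in out for t in toks) / len(toks)
    return score

def mutate(payload, rng):
    """One randomly chosen operator; the case flip never touches the canary."""
    op = rng.randrange(4)
    if op == 0:  # flip case inside tag names, handler names and the js scheme
        return _CASE_RE.sub(lambda m: "".join(c.upper() if rng.random() < 0.5 else c
                                              for c in m.group()), payload)
    if op == 1:  # swap the first tag name
        return re.sub(r"<\w+", "<" + rng.choice(TAGS), payload, count=1)
    if op == 2:  # swap the first event handler
        return re.sub(r"on\w+=", rng.choice(HANDLERS) + "=", payload, count=1)
    return rng.choice(BREAKOUTS) + payload  # prepend a context break-out

def crossover(a, b, rng):
    return a[:rng.randint(0, len(a))] + b[rng.randint(0, len(b)):]

def generate(seed=1, pop_size=20, generations=40):
    """Evolve one population; return {target path: first test datum exploiting it}."""
    rng = random.Random(seed)
    population, archive = list(ATTACK_PATTERNS), {}
    for _ in range(generations):
        for p in population:
            for name, hit in evaluate(p).items():
                if hit:
                    archive.setdefault(name, p)
        if len(archive) == len(TARGET_PATHS):
            break
        population.sort(key=fitness, reverse=True)
        parents = population[:pop_size // 2]
        pool = parents + ATTACK_PATTERNS  # keep re-seeding from the pattern database
        children = []
        while len(parents) + len(children) < pop_size:
            a = rng.choice(pool)
            if rng.random() < 0.3:
                a = crossover(a, rng.choice(pool), rng)
            children.append(mutate(a, rng) if rng.random() < 0.8 else a)
        population = parents + children
    return archive

if __name__ == "__main__":
    for name, datum in generate().items():
        print(f"{name:18} {datum!r}")
```

Running `generate()` returns one test datum per target path from a single run, which is the abstract's "multiple test data to cover multiple target paths". Note that none of the raw patterns gets past the reflected path's blacklist; only mutated offspring (a case-flipped `<ScRipt>` or `oNerror`, or a handler swapped to one outside the blacklist) do, which is where the search adds value over replaying the pattern database. In a real harness the oracle would drive the PHP script and observe a browser instead of parsing constructed HTML.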
Original language | English |
---|---|
Pages (from-to) | 50-62 |
Number of pages | 13 |
Journal | Journal of Systems Architecture |
Volume | 64 |
DOIs | |
State | Published - 1 Mar 2016 |
Bibliographical note
Publisher Copyright:© 2015 Elsevier B.V. All rights reserved.
Keywords
- Cross-site scripting
- Genetic algorithms
- Security testing
- Web testing
ASJC Scopus subject areas
- Software
- Hardware and Architecture