Multiple-path testing for cross site scripting using genetic algorithms

Moataz A. Ahmed*, Fakhreldin Ali

*Corresponding author for this work

Research output: Contribution to journal; Article; peer-review

40 Scopus citations

Abstract

Web applications suffer from different security vulnerabilities that could be exploited by hackers to cause harm in a variety of ways. A number of approaches have been proposed to test for such vulnerabilities. However, some gaps are still to be addressed. In this paper, we address one such gap: the problem of automatically generating test data (i.e., possible attacks) to test for the cross-site scripting (XSS) type of vulnerability. The objective is to generate a set of test data to exercise candidate security-vulnerable paths in a given script. The desirable set of test data must be effective in the sense that it uncovers whether any path can indeed be exploited to launch an attack. We designed a genetic algorithm-based test data generator that uses a database of XSS attack patterns to generate possible attacks and assess whether the attack is successful. We considered different types of XSS vulnerability: stored, reflected and DOM-based. We empirically validated our test data generator using case studies of Web applications developed using PHP and MySQL. Empirical results show that our test data generator is effective in generating, in one run, multiple test data to cover multiple target paths.

Original language: English
Pages (from-to): 50-62
Number of pages: 13
Journal: Journal of Systems Architecture
Volume: 64
State: Published - 1 Mar 2016

Bibliographical note

Publisher Copyright:
© 2015 Elsevier B.V. All rights reserved.

Keywords

  • Cross-site scripting
  • Genetic algorithms
  • Security testing
  • Web testing

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
