A Web services vulnerability testing approach based on combinatorial mutation and SOAP message mutation

  • Special Issue Paper
  • Service Oriented Computing and Applications

Abstract

The testing of Web services is an essential aspect of their quality assurance. However, because this testing often involves injecting only one mutant at a time, some vulnerability faults cannot be detected. To address this, the current paper presents a set of mutation operators that can be combined and defines the corresponding combinatorial strategies based on data perturbation and combinatorial testing. With these, multiple mutants can be injected at one time to help uncover interactive faults. To improve testing efficiency and effectiveness, a combinatorial testing approach focusing on Web service vulnerability is proposed. First, initial test data are generated with perturbation techniques based on Web Services Description Language (WSDL) documents and Simple Object Access Protocol (SOAP) messages. Then, a combinatorial testing cases generation (CTCG) algorithm is used to generate the final combinatorial test data according to the proposed strategies. Furthermore, for some special Web services in which there is only one parameter or one method in the service interface, a fuzzy mutation approach algorithm is also proposed as a complement to CTCG. Finally, some testing experiments are conducted on an integrated testing platform to verify the effectiveness of the proposed approaches. The experiments show that the proposed approaches are both feasible and effective: they can find more vulnerability faults than the traditional approaches.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (NSFC) under Grants No. 61202110 and No. 61063013, Natural Science Foundation of Jiangsu Province under Grant No. BK2012284 and the Research Fund for the Doctoral Program of Higher Education of China under Grant No. 2010322 7120005.

Author information

Corresponding author

Correspondence to Jinfu Chen.

About this article

Cite this article

Chen, J., Li, Q., Mao, C. et al. A Web services vulnerability testing approach based on combinatorial mutation and SOAP message mutation. SOCA 8, 1–13 (2014). https://doi.org/10.1007/s11761-013-0139-1
