Skip to main content
SpringerLink
Log in

Model-Based Penetration Test Framework for Web Applications Using TTCN-3

  • Conference paper
E-Technologies: Innovation in an Open World (MCETECH 2009)

Part of the book series: Lecture Notes in Business Information Processing ((LNBIP,volume 26))

Included in the following conference series:

Abstract

Penetration testing is a widely used method for testing the security of web applications, but it can be inefficient if it is not done systematically. Public databases of web application vulnerabilities can be used to drive penetration testing, but testers need to understand them and interpret them into executable test cases. This requires an in-depth knowledge of security. This paper proposes a model-based testing approach using a data model that describes the relationship between web security knowledge, business domain knowledge, and test case development. The approach consists of a data model that represents the relevance between attack surface, application fingerprint, attack vectors, and fuzz vectors; a test case generator that automatically generates penetration test scenarios for web applications; and a penetration test framework supported by TTCN-3 test environment. The model-based testing approach can be used to provide structured tool support for developing penetration test campaigns. We demonstrate the feasibility and efficiency of the approach at the design level.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Manzuik, S., Gold, A., Gatford, C.: Network Security Assessment: From Vulnerability to Patch. Syngress Publishing (2007)

    Google Scholar 

  2. Splaine, S.: Testing Web Security: Assessing the Security of Web Sites and Applications. John Wiley & Sons, Chichester (2002)

    Google Scholar 

  3. Open Source Vulnerability Database (OSVDB), http://osvdb.org/

  4. CERT Vulnerability Notes Database, http://www.kb.cert.org/vuls/

  5. Bugtraq mailing list, http://www.securityfocus.com/archive/1

  6. Nessus vulnerability scanner, http://www.nessus.org/nessus/

  7. Potter, B., McGraw, G.: Software Security Testing. IEEE Security & Privacy 2(5), 81–85 (2004)

    Article  Google Scholar 

  8. Arkin, B., Stender, S., McGraw, G.: Software Penetration Testing. IEEE Security & Privacy 3(1), 84–87 (2005)

    Article  Google Scholar 

  9. Thompson, H.: Application Penetration Testing. IEEE Security & Privacy 3(1), 66–69 (2005)

    Article  Google Scholar 

  10. Bishop, M.: About Penetration Testing. IEEE Security & Privacy 5(6), 84–87 (2007)

    Article  Google Scholar 

  11. OWASP TESTING GUIDE Version 3.0, OWASP Foundation (2008)

    Google Scholar 

  12. Andreu, A.: Professional Pen Testing for Web Applications. Wrox Press (2006)

    Google Scholar 

  13. Palmer, S.: Web Application Vulnerabilities: Detect, Exploit, Prevent. Syngress Publishing (2007)

    Google Scholar 

  14. Common Vulnerabilities and Exposures (CVE), http://cve.mitre.org

  15. Common Attack Pattern Enumeration and Classification (CAPEC), http://capec.mitre.org

  16. Common Weakness Enumeration (CWE), http://cwe.mitre.org

  17. SANS Top-20, Security Risks (2007), http://www.sans.org/top20/

  18. OWASP TOP Ten (2007), http://www.owasp.org/index.php/Top_10_2007

  19. ETSI ES 201 873-1, The Testing and Test Control Notation version 3, Part1: TTCN-3 Core notation, V3.4.1 (September 2008)

    Google Scholar 

  20. Probert, R.L., Xiong, P., Stepien, B.: Life-cycle E-Commerce Testing with OO-TTCN-3. In: FORTE 2004 Workshops proceedings (September 2004)

    Google Scholar 

  21. Stepien, B., Peyton, L., Xiong, P.: Framework Testing of Web Applications using TTCN-3. International Journal on Software Tools for Technology Transfer 10(4), 371–381 (2008)

    Article  Google Scholar 

  22. Xiong, P., Probert, R.L., Stepien, B.: An Efficient Formal Testing Approach for Web Service with TTCN-3. In: Proc. of the 13th International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2005) (September 2005)

    Google Scholar 

  23. OWASP WebGoat Project, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

  24. OWASP WebScarab Project, http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Download references

Author information

Authors and Affiliations

  1. School of Information Technology and Engineering, University of Ottawa, Canada

    Pulei Xiong, Bernard Stepien & Liam Peyton

Authors
  1. Pulei Xiong
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bernard Stepien
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Liam Peyton
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Technologies de l’Information, HEC Montréal, 3000, ch. de la Côte-Sainte-Catherine, H3T 2A7, Montréal, (Québec), Canada

    Gilbert Babin

  2. Institut d’informatique, Université de Neuchâtel, Rue Emile Argand 11, 2000, Neuchâtel, Switzerland

    Peter Kropf

  3. School of Computer Science, Carleton University, K1S 5B6, Ottawa, Ontario, Canada

    Michael Weiss

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xiong, P., Stepien, B., Peyton, L. (2009). Model-Based Penetration Test Framework for Web Applications Using TTCN-3. In: Babin, G., Kropf, P., Weiss, M. (eds) E-Technologies: Innovation in an Open World. MCETECH 2009. Lecture Notes in Business Information Processing, vol 26. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01187-0_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-01187-0_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-01186-3

  • Online ISBN: 978-3-642-01187-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation