Web Security Testing Approaches: Comparison Framework

  • Fakhreldin T. Alssir
  • Moataz Ahmed
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 144)


Web applications security testing is becoming a highly challenging task. A number of approaches have been proposed to deal with such a challenge. However, up to date criteria that could be used to aid practitioners in selecting appropriate approaches suitable for their particular effort do not exist. In this paper we present a set of attributes to serve as criteria for classifying and comparing these approaches and provide such aid to practitioners. The set of attributes is also meant to guide researchers interested in proposing new security testing approaches. The paper discusses a number of representative approaches against the criteria.


Generate Test Case Buffer Overflow Security Vulnerability Comparison Framework Cross Site Script 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Whittaker, J.A.: What is software testing? And why is it so hard? IEEE Software 17(1), 70–79 (2000)CrossRefGoogle Scholar
  2. 2.
    Ahmed, M.A., Hermadi, I.: GA-based multiple paths test data generator. Computers & Operations Research 35(10) (2008)Google Scholar
  3. 3.
    Myers, G.J.: The art of software testing. Wiley, New York (2004)Google Scholar
  4. 4.
    Di Lucca, G.A., Fasolino, A.R.: Testing Web-based applications: The state of the art and future trends. Information and Software Technology 48(1) (2006)Google Scholar
  5. 5.
    Ricca, F., Tonella, P.: Web testing: a roadmap for the empirical research. In: IEEE International Symposium, pp. 63–70 (2005)Google Scholar
  6. 6.
    IEEE Std. 610.12-1990. Glossary of Software Engineering Terminology. In: Software Engineering Standard Collection. IEEE CS Press, Los Alamitos (1990) Google Scholar
  7. 7.
    Nguyen, H.Q.: Testing Applications on the Web: Test Planning for Internet-Based Systems. John Wiley & Sons, Inc. (2000)Google Scholar
  8. 8.
    Chess, B., McGraw, G.: Static analysis for security. In: Security & Privacy, vol. 2(6), pp. 76–79. IEEE (November-December 2004)Google Scholar
  9. 9.
    The Open Web Application Security Project,
  10. 10.
    Kieżun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. MIT Computer Science and Artificial Intelligence Laboratory technical report, Cambridge, MA (September 2008)Google Scholar
  11. 11.
    Li, N., Xie, T., et al.: Perturbation-based user-input-validation testing of web applications. Journal of Systems and Software 83(11), 2263–2274 (2010)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Stytz, M.R., Banks, S.B.: Dynamic software security testing. In: Security & Privacy, vol. 4(3), pp. 77–79. IEEE (2006)Google Scholar
  13. 13.
    Tian, H., Xu, J., Lian, K., Zhang, Y.: Research on strong-association rule based web application vulnerability detection. Computer Science and Information Technology, 237–241 (2009)Google Scholar
  14. 14.
    Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a Formal Foundation of Web Security. In: Computer Security Foundations Symposium, pp. 290–304. IEEE (2010)Google Scholar
  15. 15.
    Shi, H.-Z., Chen, B., Yu, L.: Analysis of Web Security Comprehensive Evaluation Tools. Networks Security Wireless Communications and Trusted Computing 1, 285–289 (2010)Google Scholar
  16. 16.
    Huang, Y.-W., Tsai, C.-H., et al.: A testing framework for Web application security assessment. Computer Networks 48(5), 739–761 (2005)CrossRefGoogle Scholar
  17. 17.
    Shahriar, H., Zulkernine, M.: MUTEC: Mutation-based testing of Cross Site Scripting. Software Engineering for Secure Systems, 47–53 (2009)Google Scholar
  18. 18.
    Kurshan, R.: Formal Verification in a Commercial Setting. In: Proceedings of the 34th Annual Conference on Design Automation, New York, vol. 00, pp. 258–262 (2007)Google Scholar
  19. 19.
    Tappenden, A., Beatty, P., Miller, J., Geras, A., Smith, M.: Agile Security Testing of Web-based Systems via HTTPUnit. In: Proceedings of Agile Development Conference (ADC), Denver, Colorad, pp. 29–38 (2005)Google Scholar
  20. 20.
    Salas, P., Krishnan, Ross, K.J.: Model-Based Security Vulnerability Testing. In: Proceedings of Australian Software Engineering Conference, Australia, pp. 284–296 (2007)Google Scholar
  21. 21.
    Eaton, C., Memon, A.M.: Advances in Web Testing. In: Advances in Computers, vol. 75(Computer Performance Issues), pp. 281–306. Elsevier (2009)Google Scholar
  22. 22.
    Offutt, J., Wu, Y., Du, X., Huang, H.: Bypass Testing of Web Applications. In: Proceedings of the 15th Symposium on Software Reliability Engineering, France, pp. 187–197 (2004)Google Scholar
  23. 23.
    Mcallister, S., Kirda, E., Kruegel, C.: Leveraging User Interactions for In-Depth Testing of Web Applications. In: Proceedings of the 11th Symposium on Recent Advances in Intrusion Detection, Massachusetts, USA, pp. 191–210 (2008)Google Scholar
  24. 24.
    Shahriar, H., Zulkernine, M.: MUSIC: Mutation-based SQL Injection Vulnerability Checking. In: Proceedings of the Eighth International Conference on Quality Software (QSIC2008), pp. 77–86. IEEE CS Press, London (2008)CrossRefGoogle Scholar
  25. 25.
    Avancini, A., Ceccato, M.: Towards security testing with taint analysis and genetic algorithms. In: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, pp. 65–71. ACM, Cape Town (2010)CrossRefGoogle Scholar
  26. 26.
    Kals, S., Krida, E., Kruegel, C., Jovanovic, N.: SecuBat: A Web Vulnerability Scanner. In: Proceedings of the 15th International Conference on World Wide Web, Edinburgh, Scotland, May 2006, pp. 247–256 (2006)Google Scholar
  27. 27.
    Huang, Y.-W., Tsai, C.-H.: Non-detrimental Web application security scanning. In: 15th International Symposium on Software Reliability Engineering, ISSRE 2004, November 2-5, pp. 219–230 (2004)Google Scholar
  28. 28.
    Kosuga, Y., Kono, K., Hanaoka, M., Hishiyama, M., Takahama, Y.: Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. In: Proceedings of the 23rd Annual Computer Security Applications Conference, Miami, December 2007, pp. 107–117 (2007)Google Scholar
  29. 29.
    Shahriar, H., Zulkernine, M.: Mutation-based Testing of Buffer Overflow Vulnerabilities. To appear in the Proceedings of the Second International Workshop on Security in Software Engineering (IWSSE 2008), pp. 979–984. IEEE CS Press, Turku (2008)Google Scholar
  30. 30.
  31. 31.
    Shahriar, H., Zulkernine, M.: Automatic Testing of Program Security Vulnerabilities. In: 33rd Annual IEEE International Computer Software and Applications Conference, COMPSAC 2009, July 20-24, vol. 2, pp. 550–555 (2009)Google Scholar
  32. 32.
    WAVE - Web Accessibility Evaluation Tool,

Copyright information

© Springer-Verlag GmbH Berlin Heidelberg 2012

Authors and Affiliations

  1. 1.King Fahd University of Petroleum and MineralsDhahranSaudi Arabia

Personalised recommendations