Web Security Testing Approaches: Comparison Framework

  • Conference paper

Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 144)

Abstract

Web application security testing is becoming a highly challenging task, and a number of approaches have been proposed to deal with this challenge. However, to date there are no criteria that practitioners could use to select the approaches best suited to their particular effort. In this paper we present a set of attributes that serve as criteria for classifying and comparing these approaches and thereby provide such aid to practitioners. The set of attributes is also meant to guide researchers interested in proposing new security testing approaches. The paper discusses a number of representative approaches against these criteria.

Keywords

  • Generate Test Case
  • Buffer Overflow
  • Security Vulnerability
  • Comparison Framework
  • Cross Site Script

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Author information

Correspondence to Fakhreldin T. Alssir.

Copyright information

© 2012 Springer-Verlag GmbH Berlin Heidelberg

About this paper

Cite this paper

Alssir, F.T., Ahmed, M. (2012). Web Security Testing Approaches: Comparison Framework. In: Gaol, F., Nguyen, Q. (eds) Proceedings of the 2011 2nd International Congress on Computer Applications and Computational Science. Advances in Intelligent and Soft Computing, vol 144. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28314-7_23

  • DOI: https://doi.org/10.1007/978-3-642-28314-7_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28313-0

  • Online ISBN: 978-3-642-28314-7

  • eBook Packages: Engineering (R0)