Model based vulnerability testing

Model-Based Vulnerability Testing for Web Applications. Presented By:- K.Archana (100101CSR027), Branch:- CSE. Head of Department:- Mr. Monoj Kar

Transcript of Model based vulnerability testing

Page 1: Model based vulnerability testing

Model-Based Vulnerability Testing for Web Applications

Presented By:- K.Archana (100101CSR027), Branch:- CSE

Head of Department:- Mr. Monoj Kar

Page 2: Model based vulnerability testing

Contents

O Introduction
O MBVT
O MBVT Approach
O DVWA Example with MBVT Approach
O Advantages
O Disadvantages
O References

Page 3: Model based vulnerability testing

Introduction

O Web applications are becoming a more popular means of modern information interaction, which leads to growing demand for Web applications.

O At the same time, Web application vulnerabilities are drastically increasing.

O One of the most important software security practices used to mitigate the increasing number of vulnerabilities is security testing.

Page 4: Model based vulnerability testing

Continued

O One of the security testing approaches is Model-Based Vulnerability Testing (MBVT).

Page 5: Model based vulnerability testing

MBVT

O Model-Based Vulnerability Testing (MBVT) for Web applications aims at improving the accuracy and precision of vulnerability testing.

O Accuracy:- capability to focus on the relevant part of the software.

O Precision:- capability to avoid both false positives and false negatives.

O MBVT adapts the traditional approach of Model-Based Testing (MBT) in order to generate vulnerability test cases for Web applications.

Page 6: Model based vulnerability testing

MBVT Approach

Page 7: Model based vulnerability testing

DVWA Example using MBVT Approach

O DVWA:- Damn Vulnerable Web Application

O DVWA is an open-source Web application test bed, based on PHP/MySQL.

O DVWA embeds several vulnerabilities (such as SQL Injection, Blind SQL Injection, Reflected XSS and Stored XSS).

Page 8: Model based vulnerability testing

O In this example we will focus on Reflected XSS (RXSS) vulnerabilities through form fields.

O RXSS is one of the major breaches because it is widely used and its exploitation leads to severe risks.

O We will apply the four activities of the MBVT approach to DVWA.

Page 9: Model based vulnerability testing

1. Formalizing Vulnerability Test Patterns into Test Purposes

O Vulnerability Test Patterns (vTP) are the initial artefacts of our approach.

O A vTP expresses the testing needs and procedures allowing the identification of a particular breach in a Web application.

Page 10: Model based vulnerability testing

A vTP of Reflected XSS

Page 11: Model based vulnerability testing

O A test purpose is a high level expression that formalizes a test intention linked to a testing objective.

O We propose test purposes as a means to drive the automated test generation.

O Smartesting Test Purpose Language is a textual language based on regular expressions, allowing the formalization of a vulnerability test intention in terms of states to be reached and operations to be called.

Page 12: Model based vulnerability testing

Test purpose formalizing the vTP on DVWA

Page 13: Model based vulnerability testing

2. Modeling:-

O The modeling activity produces a model based on the functional specifications of the application, and on the test purposes.

Class diagram of the SUT structure, for our MBVT approach

Page 14: Model based vulnerability testing

3. Test Generation:-

O The main purpose of the test generation activity is to produce test cases from both the model and the test purposes.

O This activity consists of three phases.

O The first phase transforms the model and the test purposes into elements usable by the Smartesting CertifyIt MBT tool.

Page 15: Model based vulnerability testing

O The second phase produces the abstract test cases from the test targets.

O The third phase exports the abstract test cases into the execution environment.

Page 16: Model based vulnerability testing

Generated abstract test case example

Page 17: Model based vulnerability testing

4. Adaptation and test execution:-

a. Adaptation:-

O During the modeling activity, all data used by the application are modeled in an abstract way.

O Hence, the test suite can’t be executed as it is.

O So, the generated abstract test cases are translated into executable scripts.

Page 18: Model based vulnerability testing

b. Test Execution:-

O The adapted test cases are executed in order to produce a verdict.

O There is a new terminology fitting the characteristics of a test execution:-

O Attack-pass
O Attack-fail
O Inconclusive

O Our model defines four malicious data values dedicated to Reflected XSS attacks.

Page 19: Model based vulnerability testing

O These values are defined in an abstract way, and must be adapted.

O Each of them is mapped to a concrete value, as shown in the figure:

Mapping between abstract and concrete values
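The adaptation and test-execution activities above, worked through as an added example (not the deck's or Smartesting's own code). The abstract value names, the probe strings and the simulated DVWA-style form handlers are all constructed here; the deck's own four malicious values are only shown in its figure. The verdict logic follows the three-way vocabulary just introduced: a probe reflected verbatim is Attack-pass, a probe that is absent or only entity-encoded is Attack-fail, and a response that never reaches the expected state is Inconclusive.

```python
import html
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]              # (HTTP status, response body)
SUT = Callable[[str, str], Response]    # simulated request: (field, value) -> response

# Constructed adapter table (hypothetical names, not the deck's own four values):
# abstract malicious data -> concrete probe. Each probe is inert and carries one
# HTML-significant character whose output encoding the test is meant to check.
CONCRETE_VALUES: Dict[str, str] = {
    "XSS_TAG": "<mbvt-probe>",
    "XSS_DQUOTE": '"mbvt-probe"',
    "XSS_SQUOTE": "'mbvt-probe'",
    "XSS_AMP": "&mbvt-probe;",
}

# Simulated SUTs standing in for a DVWA-style form that echoes a field value back.
def sut_vulnerable(field: str, value: str) -> Response:
    return 200, f"<p>Hello {value}</p>"          # reflects the input unencoded

def sut_hardened(field: str, value: str) -> Response:
    return 200, f"<p>Hello {html.escape(value, quote=True)}</p>"  # entity-encodes it

def sut_error(field: str, value: str) -> Response:
    return 500, "Internal Server Error"           # expected page state never reached

def verdict(response: Response, concrete: str) -> str:
    """Map one execution result to the MBVT verdict vocabulary."""
    status, body = response
    if status != 200:
        return "Inconclusive"   # state not reached; nothing can be concluded about the breach
    if concrete in body:
        return "Attack-pass"    # probe reflected verbatim: the breach is present
    return "Attack-fail"        # reflected only in encoded form, or not at all

def run_test_case(abstract_step: Tuple[str, str], sut: SUT) -> str:
    """Adapt one abstract step (field, abstract value) to a concrete value and execute it."""
    field, abstract_value = abstract_step
    concrete = CONCRETE_VALUES[abstract_value]          # the adaptation activity
    return verdict(sut(field, concrete), concrete)      # the test execution activity

def run_suite(sut: SUT, field: str = "name") -> Dict[str, str]:
    """Execute every abstract malicious value against one field of the SUT."""
    return {name: run_test_case((field, name), sut) for name in CONCRETE_VALUES}

if __name__ == "__main__":
    for label, sut in (("vulnerable", sut_vulnerable), ("hardened", sut_hardened)):
        print(label, run_suite(sut))
```

Against the vulnerable handler every value yields Attack-pass; against the hardened one every value yields Attack-fail, because html.escape encodes each probe's significant character.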

Page 20: Model based vulnerability testing

Advantages

O MBVT can address both technical and logical vulnerabilities.

Page 21: Model based vulnerability testing

Disadvantages

O Effort needed to design the models, test patterns and adapter.

Page 22: Model based vulnerability testing

References

O www.infoq.com/articles/defending-against-web-application-vulnerabilities

O G. Erdogan - 2009 - ntnu.diva-portal.org

O http://narainko.wordpress.com/2012/08/26/understanding-false-positive-and-false-negative

O http://istina.msu.ru/media/publications/articles/5db/2e2/2755271/OWASP-AppSecEU08-Petukhov.pdf

O http://www.spacios.eu/sectest2013/pdfs/sectest2013_submission_8.pdf

Page 23: Model based vulnerability testing

Thank You