MobSTer: A model‐based security testing framework for web applications. (27th September 2018)
- Record Type:
- Journal Article
- Title:
- MobSTer: A model‐based security testing framework for web applications. (27th September 2018)
- Main Title:
- MobSTer: A model‐based security testing framework for web applications
- Authors:
- Peroli, Michele
De Meo, Federico
Viganò, Luca
Guardini, Davide
- Abstract:
- Summary: Web applications have become one of the preferred means for users to perform a number of crucial and security‐sensitive operations such as selling and buying goods or managing bank accounts, official documents, personal health records, and smart houses. The pervasive adoption of such web applications calls for an extensive security analysis in order to avoid attacks. Penetration testing is the most common approach for testing the security of web applications, but model‐based security testing has been steadily maturing into a viable alternative and/or complementary approach. Penetration testing is very efficient, but the experience of the security analyst is crucial; model‐based security testing relies on formal methods, but the security analyst has to first create a suitable model of the web application. In this paper, we introduce MobSTer, a formal and flexible model‐based security testing framework that contributes to filling the gap between these two security testing approaches. The main idea underlying this framework is that the use of model‐checking techniques can automate the search for possible vulnerable entry points in the web application, i.e., it permits an analyst to perform security testing without missing important checks. Moreover, the framework also allows for reuse: The analyst can collect her expertise into the framework and (re)use it during future tests on possibly different web applications. We have implemented MobSTer as a prototype and applied it to test a number of case studies to assess its strength and concretely evaluate it with respect to four state‐of‐the‐art tools normally used by penetration testers.
- Abstract: We introduce MobSTer, a formal and flexible model‐based framework that supports a security analyst in carrying out security testing of web applications. The framework also allows for reuse: The analyst can collect her expertise into the framework and (re)use it during future tests on possibly different web applications. We have applied our prototypical implementation of MobSTer to a number of case studies to assess its strength and evaluate it with respect to state‐of‐the‐art tools normally used by penetration testers. …
- Is Part Of:
- Software testing, verification & reliability. Volume 28:Number 8(2018)
- Journal:
- Software testing, verification & reliability
- Issue:
- Volume 28:Number 8(2018)
- Issue Display:
- Volume 28, Issue 8 (2018)
- Year:
- 2018
- Volume:
- 28
- Issue:
- 8
- Issue Sort Value:
- 2018-0028-0008-0000
- Page Start:
- n/a
- Page End:
- n/a
- Publication Date:
- 2018-09-27
- Subjects:
- model‐based testing -- model‐checking -- security testing -- web applications
Computer software -- Testing -- Periodicals
Computer software -- Verification -- Periodicals
Computer software -- Reliability -- Periodicals
005.14
- Journal URLs:
- http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/stvr.1685
- Languages:
- English
- ISSNs:
- 0960-0833
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 8321.457500
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 8789.xml