In-depth security testing of Web applications / by Sean Mc Allister
Author: McAllister, Sean
Reviewers: Krügel, Christopher; Kirda, Engin
Extent: 71 leaves : ill., diagrams
Thesis: Vienna, Technical University, Master's thesis, 2008
Abstract in German
Keywords (DE): computer security / Internet / testing
Keywords (EN): security / internet / testing
URN: urn:nbn:at:at-ubtuw:1-22837 (persistent identifier)
The work is freely available
In-depth security testing of Web applications [0.51 mb]
Abstract (English)

Over the last few years, the complexity of web applications has grown significantly, challenging desktop programs in terms of functionality and design. Along with the rising popularity of web applications, the number of exploitable bugs has also increased. Web application flaws, such as cross-site scripting or SQL injection bugs, now account for more than two thirds of the reported security vulnerabilities.

Black-box testing techniques are a common approach to improve software quality and detect bugs before deployment. There exist a number of vulnerability scanners, or fuzzers, that expose web applications to a barrage of malformed inputs in the hope of identifying input validation errors. Unfortunately, these scanners often fail to test a substantial fraction of a web application's logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that aggressively check the correctness of the provided values. Also, there are cases in which certain functionality (e.g., credit card payment) is enabled only after the user has executed a number of previous steps (e.g., add items to cart and checkout) in the correct order.

In this thesis I will introduce a number of techniques that make it possible to increase the overall coverage of these tools. One technique leverages information from existing use cases. This information enables the scanner to correctly fill out forms and exercise parts of the functionality that other tools cannot reach. The test generation process also abstracts from the available use cases, allowing the scanner to further expand the search, analyze more pages and, as a result, create more persistent database objects.

The ability to create database objects is important to expose stored XSS vulnerabilities. This use-case-driven testing technique has been implemented and used to analyze a number of web applications.

Building on the guided crawling of applications, the need arises to not only reach more depth within the test subject, but also to discover unknown functionality. Possible solutions to this problem are also presented and evaluated.

Abstract (German)

The complexity of web-based applications has increased steadily in recent years; in terms of functionality and design they often match conventional desktop applications. Along with their rising popularity, security-relevant bugs in these applications have also become commonplace, so much so that by now more than two thirds of all reported security vulnerabilities concern this class of programs.

Black-box tests are a common means of improving the quality of software and detecting bugs in it. For web-based applications there are many programs intended to automate and simplify the discovery of security-relevant bugs. So-called [...] Furthermore, it is possible to abstract from this given information and thus automatically generate and execute further test cases.