In recent years, the complexity of web applications has grown significantly, and they now rival desktop programs in functionality and design. Along with the rising popularity of web applications, the number of exploitable bugs has also increased. Web application flaws, such as cross-site scripting or SQL injection bugs, now account for more than two-thirds of the reported security vulnerabilities.
Black-box testing techniques are a common approach to improving software quality and detecting bugs before deployment. A number of vulnerability scanners, or fuzzers, expose web applications to a barrage of malformed inputs in the hope of identifying input validation errors. Unfortunately, these scanners often fail to test a substantial fraction of a web application's logic, especially when that logic is invoked from pages that can only be reached after filling out complex forms that aggressively check the correctness of the provided values. There are also cases in which certain functionality (e.g., credit card payment) is enabled only after the user has executed a number of previous steps (e.g., adding items to the cart and checking out) in the correct order.
In this thesis I will introduce a number of techniques that make it possible to increase the overall coverage of these tools. One technique leverages information from existing use cases. This information enables the scanner to correctly fill out forms, respect the required order of steps, and exercise parts of the functionality that other tools cannot reach. The test generation process also generalizes from the recorded use cases rather than replaying them verbatim, allowing the scanner to further expand the search, analyze more pages and, as a result, create more persistent database objects.
The ability to create persistent database objects is important for exposing stored XSS vulnerabilities, which only become visible once attacker-controlled input has been saved by the application and is later rendered in a page. This use-case-driven testing technique has been implemented and used to analyze a number of web applications.
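To make the three ideas above concrete (filling forms from a recorded use case, respecting the order of steps, and abstracting from the use case to create persistent objects that surface stored XSS), here is an added illustration that is not part of the thesis or of the tool it describes. A scanner is run against a constructed in-process toy shop whose methods stand in for HTTP endpoints; the application, the recorded use case, the field names and the tagged-payload strategy are all assumptions made for this example only:

```python
import copy
import html
import re
import uuid


class ToyShop:
    """Constructed stand-in for a web application (not one analysed in the thesis).
    Each method plays an HTTP endpoint and returns (status, body)."""

    def __init__(self):
        self.user = None    # logged-in user
        self.cart = []
        self.orders = 0
        self.reviews = []   # persistent objects rendered by reviews_page

    def register(self, username, email, age):
        # Aggressive validation: random fuzzer inputs almost never get through.
        if not re.fullmatch(r"[a-z]{3,12}", username):
            return 400, "invalid username"
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", email):
            return 400, "invalid email"
        if not age.isdigit() or not 18 <= int(age) <= 120:
            return 400, "invalid age"
        self.user = username
        return 200, "welcome " + html.escape(username)  # reflected, but escaped

    def add_to_cart(self, item):
        if self.user is None:
            return 403, "login required"
        self.cart.append(item)
        return 200, "added " + html.escape(item)

    def checkout(self):
        if not self.cart:
            return 400, "cart is empty"
        self.cart.clear()
        self.orders += 1
        return 200, "order placed"

    def review(self, text):
        if self.orders == 0:
            return 403, "only buyers may review"  # reachable only after checkout
        self.reviews.append(text)                 # stored without sanitisation
        return 200, "thanks"

    def reviews_page(self):
        return 200, "<ul>" + "".join(f"<li>{r}</li>" for r in self.reviews) + "</ul>"


# A recorded use case: (endpoint, parameters) in the order a real user performs them.
USE_CASE = [
    ("register", {"username": "alice", "email": "alice@example.com", "age": "30"}),
    ("add_to_cart", {"item": "book"}),
    ("checkout", {}),
    ("review", {"text": "Great read!"}),
    ("reviews_page", {}),
]


def replay(app, steps):
    """Replay steps against app; returns a trace of (endpoint, status, body)."""
    return [(ep, *getattr(app, ep)(**params)) for ep, params in steps]


def reached(steps):
    """Endpoints that answered 200 when the steps run on a fresh application."""
    return {ep for ep, status, _ in replay(ToyShop(), steps) if status == 200}


def naive_fuzz():
    """A scanner with no use-case knowledge: it throws a marker payload at every
    field with no valid state behind it, so validation stops it at the first form."""
    p = "<script>x</script>"
    attempts = [
        ("register", {"username": p, "email": p, "age": p}),
        ("add_to_cart", {"item": p}),
        ("checkout", {}),
        ("review", {"text": p}),
        ("reviews_page", {}),
    ]
    return reached(attempts)


def scan_stored_xss(steps):
    """Abstract from the use case: keep every recorded value valid except one field,
    which receives a uniquely tagged payload, then look for that payload rendered
    verbatim on pages visited *after* the injecting step. Returns a list of
    (endpoint, field, [sink endpoints]) for each stored XSS found."""
    findings = []
    for i, (ep, params) in enumerate(steps):
        for field in params:
            payload = f"<script>{uuid.uuid4().hex[:8]}</script>"
            mutated = copy.deepcopy(steps)
            mutated[i][1][field] = payload
            trace = replay(ToyShop(), mutated)
            sinks = [ep2 for ep2, _, body in trace[i + 1:] if payload in body]
            if sinks:
                findings.append((ep, field, sinks))
    return findings
```

Run on the toy shop, `naive_fuzz()` reaches only the public `reviews_page`, because the registration form rejects its inputs and every later step depends on state the fuzzer never created; replaying `USE_CASE` reaches all five endpoints. `scan_stored_xss(USE_CASE)` reports the `text` field of `review` as stored and rendered unescaped on `reviews_page`, while the equally injected `item` field is not reported because the application escapes it. The unique tag per injection is what lets a finding on a later page be attributed to the step and field that planted it; in a real scanner the steps would be HTTP requests and the tag would be searched for in every subsequently crawled response.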
Guided crawling of applications raises a further question: beyond reaching greater depth within the test subject, how can a scanner discover functionality that no recorded use case covers? Possible solutions to this problem are also presented and evaluated.