Search-based multi-vulnerability testing of XML injections in web applications

Jan, Sadeeq; Panichella, Annibale; Arcuri, Andrea; Briand, Lionel C.

doi:10.1007/s10664-019-09707-8

Cited by 16 publications

(18 citation statements)

References 59 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A vulnerability scanner is a software application that assesses security vulnerabilities in networks or host systems and creates a bunch of scan results that are frequently utilized to set vulnerability evaluation particularly during the process of development [7][8][9][10]. Usually, vulnerability scanner detects vulnerabilities that are originated from vendors, system administration activities, or general activities by users.…”

Section: 2vulnerability Scannermentioning

confidence: 99%

Development of a browser extension for web application vulnerability detection, avoidance, and secure browsing (VDAS)

Buja¹,

Khairuddin²,

Deraman³

et al. 2021

IJATEE

View full text Add to dashboard Cite

Section: 2vulnerability Scannermentioning

confidence: 99%

Development of a browser extension for web application vulnerability detection, avoidance, and secure browsing (VDAS)

Buja¹,

Khairuddin²,

Deraman³

et al. 2021

IJATEE

View full text Add to dashboard Cite

“…Table I reports that 3 out of the 16 studies have applied EAs within the context of SQL injection, 6 have applied them within the context of cross-site scripting, and 7 have applied them to other areas of Web Security. Of the 7 studies applying EAs to other areas of Web Security 3 focus on spam email [25], [27], [28], 1 focuses on XML injection [29], 1 targets published vulnerabilities in a server program [30], 1 considers denial-of-service attacks [26], and 1 generates CAPTCHAs [24].…”

Section: Rq2: For What Purposes Have Eas Been Applied Within Web Security?mentioning

confidence: 99%

Evolutionary Algorithms in Web Security: Exploring Untapped Potential

Attwood

Kharel

2020

2020 12th International Symposium on Communication Systems, Networks and Digital Signal Processing (CSNDSP)

View full text Add to dashboard Cite

Many aspects of our lives are dependent upon the Web. Research that considers how we can better protect the Web and the products and services delivered using it-that is research into Web Security-is therefore of the upmost importance. Consequently, this paper considers evolutionary algorithms and their potential (which is to tap into and harness the power of natural evolution) within the field of Web Security. The paper provides a concise overview of existing studies that have used evolutionary algorithms as a tool within Web Security. More specifically, the paper considers the manner in which evolutionary algorithms have been applied, the types of problems that they have been applied to, and the way in which they have been assessed or evaluated. Furthermore, an opportunity to better harness the power of natural evolution within the field of Web Security, by applying modern evolutionary algorithms that draw inspiration from the open-ended aspect of natural evolution, is highlighted and discussed.

show abstract

“…Researchers have proposed various testing techniques to find vulnerabilities in front-end web applications [1,2,6,8,10,11,18], and their validation and sanitization routines in particular. Whitebox techniques (e.g., [6,18]) have been used in the literature to detect various types of vulnerabilities, such as SQL Injection and Cross-site Scripting.…”

Section: Introductionmentioning

confidence: 99%

“…These techniques require that the source code (or bytecode) of the web applications (both front-end and internal services) is available to the tester, that the internal working can be observed through instrumentation, and are language dependent. Instead, black-box techniques [1,2,8,10,11] identify vulnerabilities by inspecting the user-supplied inputs and the output generated by web applications. Note that there is no one-to-one mapping between user inputs and test output because input are processed and transformed by the SUT.…”

Section: Introductionmentioning

confidence: 99%

“…However, fuzzers are not very effective for complex vulnerabilities [9], i.e., vulnerabilities that cannot be exploited by injecting few meta-characters in one single input text box. Recently, Jan et al [8,10,11] applied different search-based testing algorithms suitably defined for XMLi, such as traditional genetic algorithms (GAs), many-objective GAs, local solvers and co-evolutionary algorithms. Their study showed that search-based approaches outperform random fuzzing [10] and that co-evolutionary algorithms discover more XMLi vulnerabilities than other search algorithms [11].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

JCOMIX: a search-based tool to detect XML injection vulnerabilities in web applications

Stallenberg

Panichella

2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

Self Cite

View full text Add to dashboard Cite

Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of the protection mechanisms strongly depends on the quality of the sanitization and validation rule sets (e.g., regular expressions) and, therefore, security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in front-end web applications. JCOMIX implements various search algorithms, including random search (traditional fuzzing), genetic algorithms (GAs), and the more recent co-operative, co-evolutionary algorithm designed explicitly for the XMLi testing (COMIX). We also show the results of an empirical study showing the effectiveness of JCOMIX in testing an open-source front-end web application. CCS CONCEPTS• Software and its engineering → Search-based software engineering; Software testing and debugging; • Security and privacy → Web application security.

show abstract

Search-based multi-vulnerability testing of XML injections in web applications

Cited by 16 publications

References 59 publications

Development of a browser extension for web application vulnerability detection, avoidance, and secure browsing (VDAS)

Development of a browser extension for web application vulnerability detection, avoidance, and secure browsing (VDAS)

Evolutionary Algorithms in Web Security: Exploring Untapped Potential

JCOMIX: a search-based tool to detect XML injection vulnerabilities in web applications

Contact Info

Product

Resources

About