Computer Science ›› 2017, Vol. 44 ›› Issue (5): 141-145. doi: 10.11896/j.issn.1002-137X.2017.05.025


Hybrid Protocol Deformation Based Web Security Fuzzy Testing and Utility Evaluation Approach

TU Ling, MA Yue, CHENG Cheng and ZHOU Yan-hui   

  • Online:2018-11-13 Published:2018-11-13

Abstract: In Web application security fuzzy testing, there are problems such as low coverage of test cases, ineffective verification of test case utility, and a lack of quantitative evaluation of vulnerability detection results. In this paper, we propose a method for generating test cases by dynamic feature combination and protocol deformation for typical Web security vulnerabilities. Rules for input feature combination and for protocol deformation are devised, and an algorithm based on a pollution propagation strategy and an effectiveness validation method are established. Experiments show that the proposed method enhances the diversity and coverage of test cases, and reduces the false negative rate and false positive rate of vulnerability detection in complex Web filtering environments.

Key words: Security testing, Protocol deformation, Pollution propagation strategy, Testing effectiveness

