基于消息变异的Web服务脆弱性测试系统的设计与实现

计算机科学 ›› 2013, Vol. 40 ›› Issue (7): 143-146.

基于消息变异的Web服务脆弱性测试系统的设计与实现

陈加梅,陈锦富,詹永照,王环环,李青

江苏大学计算机科学与通信工程学院镇江212013;江苏大学计算机科学与通信工程学院镇江212013;江苏大学计算机科学与通信工程学院镇江212013;江苏大学计算机科学与通信工程学院镇江212013;江苏大学计算机科学与通信工程学院镇江212013

出版日期:2018-11-16 发布日期:2018-11-16
基金资助:
本文受国家自然科学基金项目(61202110,61063013),教育部博士点专项基金项目(20103227120005),江苏省自然科学基金项目(BK2012284)资助

Design and Implementation of Web Service Vulnerability Testing System Based on SOAP Messages Mutation

CHEN Jia-mei,CHEN Jin-fu,ZHAN Yong-zhao,WANG Huan-huan and LI Qing

Online:2018-11-16 Published:2018-11-16

摘要/Abstract

摘要： 研制自动化的Web服务脆弱性测试工具对基于Web服务的软件工程有重大影响,并能提高软件的安全性和可靠性,是当前软件行业一个有意义的研究课题。针对广泛使用的Web服务,设计和实现了一个测试Web服务脆弱性的原型系统WSVTS (Web Service Vulnerability Testing System)。根据SOAP消息参数的个数和类型,实现了两种基于SOAP消息变异的Web服务脆弱性测试方法,分别是最坏差异输入变异方法(The Worst-input Mutation Approach)和杂乱数据变异方法(Fuzz Data-input Mutation Approach)。测试系统融合这两种测试方法,实现了两种测试用例生成算法,分别是最远邻测试用例生成算法TCFN(Test Cases generation based on Farthest Neighbor)和杂乱数据输入变异算法FDMA(Fuzz Data-input Mutation Algorithm),然后,将算法产生的测试用例作用于SOAP请求消息,从客户端观察应答消息,来分析Web服务的脆弱性。

关键词: Web服务,SOAP消息,脆弱性测试,测试用例,变异算子,原型系统中图法分类号TP311.5文献标识码A

Abstract: The automatic tool of testing Web service vulnerability brings great effect on Web service-based software engineering,and they can effectively ensure the security and reliability of Web service-based software.According to Web service which is used widely,a prototype system WSVTS(Web Service Vulnerability Testing System) was designed and implemented．Two mutation approaches of testing Web service vulnerability based on the input domain of SOAP message,namely the worst-input mutation approach and fuzz data-input mutation approach,were implemented．Based on the two approaches,two test cases generation algorithms which are Test Cases generation based on Farthest Neighbor (TCFN) and Fuzz Data-input Mutation Algorithm (FDMA) were also implemented.Then,the test cases generated by the algorithms were executed in the SOAP requesting message.The vulnerability of the Web services can be detected by the response message of the client.

Key words: Web service,SOAP messages,Vulnerability testing,Test cases,Mutation operators,Prototype system

陈加梅,陈锦富,詹永照,王环环,李青. 基于消息变异的Web服务脆弱性测试系统的设计与实现[J]. 计算机科学, 2013, 40(7): 143-146. https://doi.org/

CHEN Jia-mei,CHEN Jin-fu,ZHAN Yong-zhao,WANG Huan-huan and LI Qing. Design and Implementation of Web Service Vulnerability Testing System Based on SOAP Messages Mutation[J]. Computer Science, 2013, 40(7): 143-146. https://doi.org/

参考文献

[1] 陈锦富,卢炎生,谢晓东,等.一个组件安全自动化测试平台的设计与实现[J].计算机科学,2008,5(12):229-233
[2] Lourival F,de Almeida J,Vergilio S R．Exploring Perturbation Based Testing for Web Services[C]∥ICWS 2006．IEEE Computer Society,Los Alamitos,2006:717-726
[3] The Eviware SOAPUI 官方网站[EB/OL].http://www.SO-APUI.org/2007
[4] Sourceforge Org[EB/OL].http://sourceforge.net/forum/
[5] 罗作民,朱燕,程明.Web服务测试工具SOAPUI及其分析[J].计算机应用和软件,2010,7(5):155-157
[6] Chen T Y,Eddy G,et al．Adaptive Random Testing ThroughDynamic Partitioning[C]∥Proceedings of the Fourth International Conference on Quality Software．2004:79-86
[7] Chen T Y,Leung H,Mak I K．Adaptive Random Testing[J]．LNCS,2004,3321:320-329
[8] 李博涵,郝忠孝.反向最远邻的有效过滤和查询算法[J].小型微型计算机系统,2009,0(10):1948-1951
[9] Kim H C,Choi Y H ,Lee D H ．Efficient File Fuzz Testing Using Automated Analysis of Binary File Format[J]．Journal of Systems Architecture,2011,57(3):259-268
[10] Chan K P,Chen T Y ,Towey D．Normalized Restricted Random Testing [C]∥Springer-Verlag 2003,2655:368-381
[11] 陈锦富,卢炎生,谢晓东.一种采用接口错误注入的构件安全性测试方法[J].小型微型计算机系统,2010,31(6):1090-1096

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed