A generic web application testing and attack data generation method

Hsiao Yu Shih; Han Lin Lu; Chao Chun Yeh; Hsu Chun Hsiao; Shih-Kun Huang

doi:10.1007/978-3-319-76451-1_22

A generic web application testing and attack data generation method

Hsiao Yu Shih, Han Lin Lu, Chao Chun Yeh, Hsu Chun Hsiao, Shih-Kun Huang^*

^*Corresponding author for this work

Center for Information Technology Services

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Scopus citations

Abstract

With the advances of diversified online services, there is an increasing demand for web applications. However, most web applications contain critical bugs affecting their security, allowing unauthorized access and remote code execution. It is challenging for programmers to identify potential vulnerabilities in their applications before releasing the service due to the lack of resources and security knowledge, and thus such hidden defects may remain unnoticed for a long time until being reported by users or third-party risk exposure. In this paper, we develop an automated detection method to support timely and flexible discovery of a wide variety of vulnerability types in web applications. The key insight of our work is adding a lightweight detecting sensor that differentiates attack types before performing symbolic execution. Based on the technique of symbolic execution, our work generates testing and attack data by tracking the address of program instruction and checking the arguments of dangerous functions. Compared to prior analysis tools that also use symbolic execution, our work flexibly supports the detection of more types of web attacks and improve system flexibility for users thanks to the detecting sensor. We have evaluated our solution by applying this detecting process to several known vulnerabilities on open-source web applications and CTF (Capture The Flag) problems, and detected various types of web attacks successfully.

Original language	English
Title of host publication	Security with Intelligent Computing and Big-data Services
Editors	Shiuh-Jeng Wang, Sheng-Lung Peng, Valentina Emilia Balas, Ming Zhao
Publisher	Springer Verlag
Pages	232-247
Number of pages	16
ISBN (Print)	9783319764504
DOIs	https://doi.org/10.1007/978-3-319-76451-1_22
State	Published - 2018
Event	International Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017 - Hualien City, Taiwan Duration: 15 Dec 2017 → 17 Dec 2017

Publication series

Name	Advances in Intelligent Systems and Computing
Volume	733
ISSN (Print)	2194-5357

Conference

Conference	International Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017
Country/Territory	Taiwan
City	Hualien City
Period	15/12/17 → 17/12/17

Keywords

Capture The Flag
Software vulnerability
Symbolic execution
Web application testing

Access to Document

10.1007/978-3-319-76451-1_22

Cite this

Shih, H. Y., Lu, H. L., Yeh, C. C., Hsiao, H. C., & Huang, S.-K. (2018). A generic web application testing and attack data generation method. In S.-J. Wang, S.-L. Peng, V. E. Balas, & M. Zhao (Eds.), Security with Intelligent Computing and Big-data Services (pp. 232-247). (Advances in Intelligent Systems and Computing; Vol. 733). Springer Verlag. https://doi.org/10.1007/978-3-319-76451-1_22

@inproceedings{1b555d6c17314ce98e4089c857dec129,

title = "A generic web application testing and attack data generation method",

abstract = "With the advances of diversified online services, there is an increasing demand for web applications. However, most web applications contain critical bugs affecting their security, allowing unauthorized access and remote code execution. It is challenging for programmers to identify potential vulnerabilities in their applications before releasing the service due to the lack of resources and security knowledge, and thus such hidden defects may remain unnoticed for a long time until being reported by users or third-party risk exposure. In this paper, we develop an automated detection method to support timely and flexible discovery of a wide variety of vulnerability types in web applications. The key insight of our work is adding a lightweight detecting sensor that differentiates attack types before performing symbolic execution. Based on the technique of symbolic execution, our work generates testing and attack data by tracking the address of program instruction and checking the arguments of dangerous functions. Compared to prior analysis tools that also use symbolic execution, our work flexibly supports the detection of more types of web attacks and improve system flexibility for users thanks to the detecting sensor. We have evaluated our solution by applying this detecting process to several known vulnerabilities on open-source web applications and CTF (Capture The Flag) problems, and detected various types of web attacks successfully.",

keywords = "Capture The Flag, Software vulnerability, Symbolic execution, Web application testing",

author = "Shih, {Hsiao Yu} and Lu, {Han Lin} and Yeh, {Chao Chun} and Hsiao, {Hsu Chun} and Shih-Kun Huang",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG, part of Springer Nature 2018.; International Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017 ; Conference date: 15-12-2017 Through 17-12-2017",

year = "2018",

doi = "10.1007/978-3-319-76451-1_22",

language = "English",

isbn = "9783319764504",

series = "Advances in Intelligent Systems and Computing",

publisher = "Springer Verlag",

pages = "232--247",

editor = "Shiuh-Jeng Wang and Sheng-Lung Peng and Balas, {Valentina Emilia} and Ming Zhao",

booktitle = "Security with Intelligent Computing and Big-data Services",

address = "德國",

}

Shih, HY, Lu, HL, Yeh, CC, Hsiao, HC & Huang, S-K 2018, A generic web application testing and attack data generation method. in S-J Wang, S-L Peng, VE Balas & M Zhao (eds), Security with Intelligent Computing and Big-data Services. Advances in Intelligent Systems and Computing, vol. 733, Springer Verlag, pp. 232-247, International Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017, Hualien City, Taiwan, 15/12/17. https://doi.org/10.1007/978-3-319-76451-1_22

A generic web application testing and attack data generation method. / Shih, Hsiao Yu; Lu, Han Lin; Yeh, Chao Chun et al.
Security with Intelligent Computing and Big-data Services. ed. / Shiuh-Jeng Wang; Sheng-Lung Peng; Valentina Emilia Balas; Ming Zhao. Springer Verlag, 2018. p. 232-247 (Advances in Intelligent Systems and Computing; Vol. 733).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A generic web application testing and attack data generation method

AU - Shih, Hsiao Yu

AU - Lu, Han Lin

AU - Yeh, Chao Chun

AU - Hsiao, Hsu Chun

AU - Huang, Shih-Kun

N1 - Publisher Copyright: © Springer International Publishing AG, part of Springer Nature 2018.

PY - 2018

Y1 - 2018

N2 - With the advances of diversified online services, there is an increasing demand for web applications. However, most web applications contain critical bugs affecting their security, allowing unauthorized access and remote code execution. It is challenging for programmers to identify potential vulnerabilities in their applications before releasing the service due to the lack of resources and security knowledge, and thus such hidden defects may remain unnoticed for a long time until being reported by users or third-party risk exposure. In this paper, we develop an automated detection method to support timely and flexible discovery of a wide variety of vulnerability types in web applications. The key insight of our work is adding a lightweight detecting sensor that differentiates attack types before performing symbolic execution. Based on the technique of symbolic execution, our work generates testing and attack data by tracking the address of program instruction and checking the arguments of dangerous functions. Compared to prior analysis tools that also use symbolic execution, our work flexibly supports the detection of more types of web attacks and improve system flexibility for users thanks to the detecting sensor. We have evaluated our solution by applying this detecting process to several known vulnerabilities on open-source web applications and CTF (Capture The Flag) problems, and detected various types of web attacks successfully.

AB - With the advances of diversified online services, there is an increasing demand for web applications. However, most web applications contain critical bugs affecting their security, allowing unauthorized access and remote code execution. It is challenging for programmers to identify potential vulnerabilities in their applications before releasing the service due to the lack of resources and security knowledge, and thus such hidden defects may remain unnoticed for a long time until being reported by users or third-party risk exposure. In this paper, we develop an automated detection method to support timely and flexible discovery of a wide variety of vulnerability types in web applications. The key insight of our work is adding a lightweight detecting sensor that differentiates attack types before performing symbolic execution. Based on the technique of symbolic execution, our work generates testing and attack data by tracking the address of program instruction and checking the arguments of dangerous functions. Compared to prior analysis tools that also use symbolic execution, our work flexibly supports the detection of more types of web attacks and improve system flexibility for users thanks to the detecting sensor. We have evaluated our solution by applying this detecting process to several known vulnerabilities on open-source web applications and CTF (Capture The Flag) problems, and detected various types of web attacks successfully.

KW - Capture The Flag

KW - Software vulnerability

KW - Symbolic execution

KW - Web application testing

UR - http://www.scopus.com/inward/record.url?scp=85045339050&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-76451-1_22

DO - 10.1007/978-3-319-76451-1_22

M3 - Conference contribution

AN - SCOPUS:85045339050

SN - 9783319764504

T3 - Advances in Intelligent Systems and Computing

SP - 232

EP - 247

BT - Security with Intelligent Computing and Big-data Services

A2 - Wang, Shiuh-Jeng

A2 - Peng, Sheng-Lung

A2 - Balas, Valentina Emilia

A2 - Zhao, Ming

PB - Springer Verlag

T2 - International Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017

Y2 - 15 December 2017 through 17 December 2017

ER -

A generic web application testing and attack data generation method

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this