A generic web application testing and attack data generation method

Hsiao Yu Shih, Han Lin Lu, Chao Chun Yeh, Hsu Chun Hsiao, Shih-Kun Huang*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

With the advances of diversified online services, there is an increasing demand for web applications. However, most web applications contain critical bugs affecting their security, allowing unauthorized access and remote code execution. It is challenging for programmers to identify potential vulnerabilities in their applications before releasing the service due to the lack of resources and security knowledge, and thus such hidden defects may remain unnoticed for a long time until being reported by users or third-party risk exposure. In this paper, we develop an automated detection method to support timely and flexible discovery of a wide variety of vulnerability types in web applications. The key insight of our work is adding a lightweight detecting sensor that differentiates attack types before performing symbolic execution. Based on the technique of symbolic execution, our work generates testing and attack data by tracking the address of program instruction and checking the arguments of dangerous functions. Compared to prior analysis tools that also use symbolic execution, our work flexibly supports the detection of more types of web attacks and improve system flexibility for users thanks to the detecting sensor. We have evaluated our solution by applying this detecting process to several known vulnerabilities on open-source web applications and CTF (Capture The Flag) problems, and detected various types of web attacks successfully.

Original languageEnglish
Title of host publicationSecurity with Intelligent Computing and Big-data Services
EditorsShiuh-Jeng Wang, Sheng-Lung Peng, Valentina Emilia Balas, Ming Zhao
PublisherSpringer Verlag
Pages232-247
Number of pages16
ISBN (Print)9783319764504
DOIs
StatePublished - 1 Jan 2018
EventInternational Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017 - Hualien City, Taiwan
Duration: 15 Dec 201717 Dec 2017

Publication series

NameAdvances in Intelligent Systems and Computing
Volume733
ISSN (Print)2194-5357

Conference

ConferenceInternational Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017
CountryTaiwan
CityHualien City
Period15/12/1717/12/17

Keywords

  • Capture The Flag
  • Software vulnerability
  • Symbolic execution
  • Web application testing

Fingerprint Dive into the research topics of 'A generic web application testing and attack data generation method'. Together they form a unique fingerprint.

  • Cite this

    Shih, H. Y., Lu, H. L., Yeh, C. C., Hsiao, H. C., & Huang, S-K. (2018). A generic web application testing and attack data generation method. In S-J. Wang, S-L. Peng, V. E. Balas, & M. Zhao (Eds.), Security with Intelligent Computing and Big-data Services (pp. 232-247). (Advances in Intelligent Systems and Computing; Vol. 733). Springer Verlag. https://doi.org/10.1007/978-3-319-76451-1_22