Evaluation of the IPO-Family Algorithms for Test Case Generation in Web Security Testing

Josip Bozic, Bernhard Garn, Dimitris E. Simos, Franz Wotawa

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Security testing of web applications remains a major problem of software engineering. In order to reveal vulnerabilities, testing approaches use different strategies for detecting the kinds of inputs that might lead to a security breach. Such approaches depend on the corresponding test case generation techniques, whose outputs are executed against the system under test. In this work we examine how two of the most popular algorithms for combinatorial test case generation, namely the IPOG and IPOG-F algorithms, perform in web security testing. For generating comprehensive and sophisticated testing inputs we have used input parameter modelling, which also includes constraints between the different parameter values. To handle the test execution, we make use of a recently introduced methodology which is based on model-based testing. Our evaluation indicates that both algorithms generate test inputs that succeed in revealing security leaks in web applications, with IPOG-F giving overall slightly better results w.r.t. the test quality of the generated inputs. In addition, using constraints during the modelling of the attack grammars results in an increase in the number of test inputs that cause security breaches. Last but not least, a detailed analysis of our evaluation results confirms that combinatorial testing is an efficient test case generation method for web security testing, as the security leaks are mainly due to the interaction of a few parameters. This statement is further supported by some combinatorial coverage measurement experiments on the successful test inputs.
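As an added illustration (not code from the paper or its authors), the following block implements a minimal IPOG-style pairwise (strength 2) generator with a constraint over a constructed web-request parameter model, and the combinatorial coverage measure that the abstract applies to successful test inputs. The parameter names, values and the constraint are assumptions made for the example; IPOG-F and higher strengths are not implemented.

```python
from itertools import combinations, product

# Constructed parameter model (not taken from the paper): each request attribute takes a few
# abstract values; the constraint forbids a combination the model says cannot occur.
PARAMS = {"method": ["GET", "POST"], "encoding": ["form", "json", "xml"],
          "field": ["search", "comment", "username"], "escaped": ["yes", "no"]}

def constraint(row):
    """True if a (possibly partial) assignment is allowed: a GET request has no JSON/XML body."""
    return not (row.get("method") == "GET" and row.get("encoding") in ("json", "xml"))

def pairs_of(row, order):  # value pairs present in a (possibly partial) row, in model order
    return {((a, row[a]), (b, row[b])) for a, b in combinations(order, 2) if a in row and b in row}

def required_pairs(params, names):  # every constraint-satisfying pair a pairwise set must cover
    return {((a, va), (b, vb)) for a, b in combinations(names, 2)
            for va, vb in product(params[a], params[b]) if constraint({a: va, b: vb})}

def ipog_pairwise(params):
    """In-Parameter-Order generation for strength 2: horizontal then vertical growth per parameter."""
    order = list(params)
    tests = [{order[0]: a, order[1]: b} for a, b in product(params[order[0]], params[order[1]])
             if constraint({order[0]: a, order[1]: b})]
    for k in range(2, len(order)):
        p = order[k]
        uncovered = required_pairs(params, order[:k + 1]) - {q for t in tests for q in pairs_of(t, order)}
        for t in tests:  # horizontal growth: extend each row with the value of p covering most new pairs
            best = max(params[p], key=lambda v: len(pairs_of({**t, p: v}, order) & uncovered)
                       if constraint({**t, p: v}) else -1)
            if constraint({**t, p: best}):
                t[p] = best
                uncovered -= pairs_of(t, order)
        for (a, va), (b, vb) in sorted(uncovered):  # vertical growth: place leftover pairs
            need = {a: va, b: vb}
            for t in tests:  # reuse a row whose "don't care" slots accept the pair
                if all(t.get(n, v) == v for n, v in need.items()) and constraint({**t, **need}):
                    t.update(need)
                    break
            else:
                tests.append(dict(need))
    for t, p in product(tests, order):  # fill remaining "don't care" slots with an allowed value
        if p not in t:
            t[p] = next(v for v in params[p] if constraint({**t, p: v}))
    return [tuple(t[p] for p in order) for t in tests]

def pairwise_coverage(params, rows):
    """Fraction of required pairs exercised by rows, e.g. only the tests that revealed a leak."""
    order = list(params)
    req = required_pairs(params, order)
    seen = {q for r in rows for q in pairs_of(dict(zip(order, r)), order)}
    return len(seen & req) / len(req)
```

Running `ipog_pairwise(PARAMS)` yields a small constraint-respecting pairwise test set (far fewer rows than the 36 exhaustive combinations), and `pairwise_coverage` over any subset of it reports how much of the 2-way interaction space that subset exercises.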
Original language: English
Title of host publication: 2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW)
Publisher: IEEE Publications
Number of pages: 10
ISBN (Print): 978-1-4799-1885-0
Publication status: Published - 2015
Event: 8th International Conference on Software Testing, Verification and Validation Workshops: ICSTW 2015 - Graz, Austria
Duration: 13 Apr 2015 to 13 Apr 2015

Conference

Conference: 8th International Conference on Software Testing, Verification and Validation Workshops
Abbreviated title: ICSTW 2015
Country/Territory: Austria
City: Graz
Period: 13/04/15 to 13/04/15

Fields of Expertise

  • Information, Communication & Computing
