Ontology-driven Security Testing of Web Applications

Josip Bozic*, Yihao Li, Franz Wotawa

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review


Vulnerabilities in existing software systems represent
a great challenge for security assurance, where well known
attacks like cross-site scripting (XSS) or SQL injections (SQLI)
still represent a common threat for today’s web applications. Failure
to cover these issues in verification might result in unforeseen
consequences for users of such software systems. For this reason,
we have to come up with a rigorous testing approach should
that should combine knowledge about common attacks and the
system under test. Ontologies, which is a concept originating
from philosophy and also considered in AI research, provide
means for formalizing such knowledge from which we want to
obtain test cases in an automated fashion. In this paper, we follow
this idea and present a security testing approach that relies on
ontologies of attacks and the system under test. In particular,
the used ontology depicts information from the domain of web
applications as well as their communication protocol. Actually,
such a model represents an attack ontology that serves as the
initial step in a test generation process. In turn, the inferred
output is used in order to test a SUT for vulnerabilities. The test
case generation process converts ontologies into input models for
combinatorial testing (CT), from which we obtain abstract test
cases that can be automatically mapped to concrete ones. Besides
outlining the foundations behind this approach, we also show its
applicability considering case studies from the domain of web
Original languageEnglish
Title of host publicationProceedings - 2020 IEEE International Conference on Artificial Intelligence Testing, AITest 2020
PublisherIEEE Publications
Number of pages8
ISBN (Electronic)978-1-7281-6984-2
Publication statusPublished - Aug 2020
EventIEEE International Conference on Artificial Intelligence Testing: AITest 2020 - Keble College, Oxford University, Virtuell, United Kingdom
Duration: 3 Aug 20206 Aug 2020


ConferenceIEEE International Conference on Artificial Intelligence Testing
Abbreviated titleAITest 2020
Country/TerritoryUnited Kingdom


  • combinatorial testing
  • model-based testing
  • Ontology-based testing
  • security testing
  • testing web applications

ASJC Scopus subject areas

  • Artificial Intelligence
  • Safety, Risk, Reliability and Quality
  • Computer Science Applications
  • Modelling and Simulation


Dive into the research topics of 'Ontology-driven Security Testing of Web Applications'. Together they form a unique fingerprint.

Cite this