Abstract
Despite sophisticated defense mechanisms, security testing still plays an important role in software engineering. Because of their latency, security flaws in web applications always bear the risk of being exploited at some time in the future. In order to avoid potential damage, appropriate prevention measures should be incorporated in time, ideally already during the software development cycle. In this paper, we contribute to this goal and present the PURITY tool for testing web applications. PURITY executes test cases against a given website. It detects whether the website is vulnerable to some of the most common vulnerabilities, i.e., SQL injection and cross-site scripting. The goal is to resemble malicious activity by following typical sequences of actions that potentially lead to a vulnerable state. The test execution proceeds automatically. In contrast to other penetration testing tools, PURITY relies on planning: concrete test cases are obtained from a plan, which in turn is generated from specific initial values and given actions. The latter are intended to mimic actions usually performed by an attacker. In addition, PURITY allows a tester to configure input parameters and also to test a website manually.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | 2015 IEEE International Conference on Software Quality, Reliability and Security - Companion: Workshop on Trustworthy Computing |
| Publisher | |
| DOIs | |
| Publication status | Accepted/In press - 2015 |
| Event | 2015 IEEE International Conference on Software Quality, Reliability and Security - Companion: Workshop on Trustworthy Computing, Vancouver, Canada. Duration: 3 Aug 2015 → 3 Aug 2015 |

Conference

| Field | Value |
|---|---|
| Conference | 2015 IEEE International Conference on Software Quality, Reliability and Security - Companion |
| City | Vancouver, Canada |
| Period | 3/08/15 → 3/08/15 |
Fields of Expertise
- Information, Communication & Computing