In their paper "Leveraging User Interactions for In-Depth Testing of Web Applications", Sean McAllister, Engin Kirda and Christopher Kruegel present a new scanner (an automated testing tool) for detecting web application vulnerabilities such as reflected and stored cross-site scripting.
They claim that the new tool can identify more defects than existing scanners, because it generates more test cases and therefore covers more test scenarios of the web application.
For their evaluation, they tested three applications with their new scanner and with three existing ones: Burp Spider, w3af spider and Acunetix Web Vulnerability. The applications were a blogging application, a forum application and an online shopping application.
The authors argue that conventional black-box testing is not very effective because it cannot reach all the pages that need to be tested. Their tool, by contrast, stores the values a user keys in and reuses them to reach those pages and check that no vulnerability can be injected there.
To make the testing go deeper into the application, they adopt two techniques: guided fuzzing and stateful fuzzing.
Guided fuzzing stores the valid values previously entered by the user, re-evaluates the page with them and checks whether any injection is possible. They also use extended fuzzing, in which the stored data is used more extensively to dig even deeper into the application. Stateful fuzzing was built so that the use cases guided fuzzing relies on are not repeated unnecessarily while testing the application; the authors call these repetitions undesirable side-effects.
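As an added illustration (not code from the paper or its tool), the following Python sketch contrasts an unguided scan with guided plus stateful fuzzing against a constructed toy guestbook; the application, the recorded user trace and all function names are assumptions made for this example.

```python
import copy
import html
import secrets

# Constructed toy target (not one of the paper's test applications): a guestbook whose "post"
# page needs a valid login. The login page escapes the echoed user name; the post page does not.
class ToyGuestbook:
    def __init__(self):
        self.state = {"logged_in": False, "posts": []}
    def handle(self, page, params):
        if page == "login":
            ok = params.get("user") == "alice" and params.get("pw") == "s3cret"
            self.state["logged_in"] = ok
            return "<a href='post'>post</a>" if ok else "<p>Unknown user: %s</p>" % html.escape(params.get("user", ""))
        if page == "post":
            if not self.state["logged_in"]:
                return "<p>Please log in first</p>"
            self.state["posts"].append(params.get("body", ""))
            return "<ul>" + "".join("<li>%s</li>" % p for p in self.state["posts"]) + "</ul>"
        return "<p>404</p>"

# Constructed user-session trace: the pages a real user visited and the values they keyed in.
TRACE = [("login", {"user": "alice", "pw": "s3cret"}), ("post", {"body": "hello"})]

def probe_fields(app, page, valid, snapshot):
    """Probe each field with a harmless unique marker; restore the snapshot before each
    submission (stateful fuzzing) so one probe's side effects never leak into the next."""
    hits = []
    for field in valid:
        app.state = copy.deepcopy(snapshot)
        marker = "<%s>" % secrets.token_hex(4)  # unique canary, not an exploit payload
        if marker in app.handle(page, {**valid, field: marker}):  # echoed unescaped
            hits.append((page, field))
    app.state = copy.deepcopy(snapshot)
    return hits

def guided_fuzz(app, trace):
    """Guided fuzzing: probe each page, then advance with the user's stored valid values
    so that pages sitting behind the login are reached and tested as well."""
    findings = []
    for page, valid in trace:
        findings += probe_fields(app, page, valid, copy.deepcopy(app.state))
        app.handle(page, valid)  # reuse the recorded valid values to move deeper
    return findings

def unguided_fuzz(app, trace):
    """Baseline with no stored user values: every page is probed from the initial state,
    so the post page only ever answers 'Please log in first' and is never really tested."""
    initial = copy.deepcopy(app.state)
    return sum((probe_fields(app, page, valid, initial) for page, valid in trace), [])
```

Only the guided run reaches the post page and reports its unescaped comment body; thanks to the snapshot restores, the probes leave no extra posts behind.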
They seem satisfied with what they have produced and mention no extension to their current work.