Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications

Journal article (2019)

Authors

Sadeeq Jan University of Luxembourg, University of Engineering and Technology, Peshawar
A. Panichella University of Luxembourg
Andrea Arcuri University of Luxembourg, Westerdals Oslo School of Arts, Communication and Technology
Lionel Briand University of Luxembourg
Faculty
Electrical Engineering, Mathematics and Computer Science
Testing XML Simple object access protocol Service-oriented architecture
More Info
expand_more

Published Date

2019

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Abstract

Modern enterprise systems can be composed of many web services (e.g., SOAP and RESTful). Users of such systems might not have direct access to those services, and rather interact with them through a single entry point which provides a GUI (e.g., a web page or a mobile app). Although the interactions with such entry point might be secure, a hacker could trick such systems to send malicious inputs to those internal web services. A typical example is XML injection targeting SOAP communications. Previous work has shown that it is possible to automatically generate such kind of attacks using search-based techniques. In this paper, we improve upon previous results by providing more efficient techniques to generate such attacks. In particular, we investigate four different algorithms and two different fitness functions. A large empirical study, involving also two industrial systems, shows that our technique is effective at automatically generating XML injection attacks.

Files

Main.pdf
(.pdf | 0.833 Mb)