Abstract
Testing of web applications for common vulnerabilities still represents a major challenge in the area of security testing. The objective here is not necessarily to find new vulnerabilities but to ensure that the web application handles well-known attack patterns in a reliable way. Previously developed methods based on formalizing attack patterns contribute to addressing this challenge. However, adapting the attack models is not easy and requires substantial effort. In order to make modeling easier we suggest representing attacks as a sequence of known actions that have to be carried out in order to be successful. Each action has some preconditions and some effects. Hence, we are able to represent testing in this context as a planning problem where the goal is to break the application under test. In the paper, we discuss the proposed planning-based testing approach, introduce the underlying concepts and definitions, and present some experimental results obtained from an implementation.
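As an added illustration, not code from the paper or its implementation, the following minimal STRIPS-style planner in Python treats a web test as a sequence of actions with preconditions and effects and searches for a sequence that reaches the test goal; the action library, fact names and the harmless "marker echo" oracle are constructed and deliberately abstract.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """STRIPS-style action: applicable when `pre` holds; applying it removes `delete`, adds `add`."""
    name: str
    pre: frozenset
    add: frozenset
    delete: frozenset = frozenset()


def plan(init, goal, actions):
    """Breadth-first forward search over states (sets of facts); returns the
    shortest action-name sequence reaching `goal`, or None if unreachable."""
    start, goal = frozenset(init), frozenset(goal)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if goal <= state:
            return path
        for a in actions:
            if a.pre <= state:
                nxt = (state - a.delete) | a.add
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [a.name]))
    return None


# Constructed, deliberately abstract test-action library (hypothetical names).
# The "probe" is a harmless marker string; its echo in the response is the oracle.
ACTIONS = [
    Action("login", frozenset({"browser_ready"}), frozenset({"authenticated"})),
    Action("open_protected_page", frozenset({"authenticated"}), frozenset({"page_loaded"})),
    Action("locate_input_field", frozenset({"page_loaded"}), frozenset({"field_found"})),
    Action("choose_probe_string", frozenset({"field_found"}), frozenset({"probe_selected"})),
    Action("submit_form", frozenset({"probe_selected"}), frozenset({"response_received"}),
           delete=frozenset({"probe_selected"})),
    Action("check_marker_echoed", frozenset({"response_received"}), frozenset({"oracle_evaluated"})),
]


def generate_test():
    """The planner works out that login must precede the page visit from preconditions alone."""
    return plan({"browser_ready"}, {"oracle_evaluated"}, ACTIONS)


def generate_without_login():
    """Same goal with the login action removed: no plan exists."""
    return plan({"browser_ready"}, {"oracle_evaluated"}, [a for a in ACTIONS if a.name != "login"])
```

Adapting the model to another application means editing the action library, not the planner: the search re-derives the test sequence from the changed preconditions.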
Copyright information
© 2014 IFIP International Federation for Information Processing
Cite this paper
Wotawa, F., Bozic, J. (2014). Plan It! Automated Security Testing Based on Planning. In: Merayo, M.G., de Oca, E.M. (eds) Testing Software and Systems. ICTSS 2014. Lecture Notes in Computer Science, vol 8763. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44857-1_4
DOI: https://doi.org/10.1007/978-3-662-44857-1_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44856-4
Online ISBN: 978-3-662-44857-1
eBook Packages: Computer Science (R0)