Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module: Software Engineering of Web Applications

Published byValentine Hicks Modified over 6 years ago

Similar presentations

Presentation on theme: "Module: Software Engineering of Web Applications"— Presentation transcript:

1 Module: Software Engineering of Web Applications
user-input-validation testing of web applications

2 UIV User-input-validation (UIV) is the first barricade that protects a web application from application-level attacks such as buffer overflow, code-injection attack, hidden-field manipulation, and cross-site scripting. Attackers can launch these attacks by sending malicious inputs to a web application. UIV protects a web application against these attacks by rejecting malicious inputs. improving the quality of UIV is a key means of enhancing a web application’s security. These slides are designed to accompany module: Software Engineering of Web Applications

3 Problem Unfortunately, web-application developers usually forget to implement UIV, or implement defective UIV. As shown in a recent survey (Open Web Application Security Project, 2013), among the top 10 vulnerabilities of web applications, six vulnerabilities are induced by defective UIV. There is a strong need of an effective way to help improve the quality of UIV, thereby increasing web applications’ security. These slides are designed to accompany module: Software Engineering of Web Applications

4 UIV testing UIV testing is a common way in practice to improve the quality of UIV. There exist tools (Nikto2, 2008; Wikto, 2008; Acunetix Web Vulnerability Scanner, 2008; Fiddler, 2009; Burp Proxy, 2009; Tamperie, 2009) that test UIV of web applications. These existing tools can be classified into two major categories: crawler-based (Nikto2, 2008; Wikto, 2008; Acunetix Web Vulnerability Scanner, 2008) and proxy-based (Fiddler, 2009; Burp Proxy, 2009; Tamperie, 2009) UIV testing tools. These slides are designed to accompany module: Software Engineering of Web Applications

5 Crawler-based UIV testing tools
Crawler-based UIV testing tools retrieve HTML pages automatically, and submit predefined test inputs to the server through these HTML pages. However, using only predefined test inputs may not be suitable to be used for a particular input field. These slides are designed to accompany module: Software Engineering of Web Applications

6 Example For example, consider that an input field in a web application may require a year value to be between 1999 and 2003. To test this input field, we shall enter possible boundary values such as 1998 or 2004. These boundary values may not exist in the predefined test inputs; hence, it may not be possible to check whether the web application can deal with the boundary values properly. These slides are designed to accompany module: Software Engineering of Web Applications

7 As a result, crawler-based testing tools cannot detect these semantics-related UIV defects.
semantic-related UIV defects to refer to defects that are induced due to the lack of checking the semantics of inputs, and semantic-related test inputs are test inputs that can detect semantic-related UIV defects. These slides are designed to accompany module: Software Engineering of Web Applications

8 proxy-based UIV testing tools
Different from crawler-based UIV testing tools, proxy-based UIV testing tools allow developers to edit HTML requests directly. These tools basically provide a manual testing approach, which keeps the maximum flexibility without providing any help on test input generation. These manual steps are tedious, and the creation of test inputs heavily depends on developers’ knowledge and experience. These slides are designed to accompany module: Software Engineering of Web Applications

9 Weber (2005), a senior security consultant, used Cross-Site Scripting (XSS) as an example to show how to test web applications for such vulnerabilities in practice using the proxy based UIV testing technique. First, a developer finds some proxy tools that can intercept HTTP requests. Second, the developer maps the site and its functionality by discussing with other developers and project managers. These slides are designed to accompany module: Software Engineering of Web Applications

10 Third, the developer identifies and lists input fields.
Fourth, the developer writes test inputs manually. Finally, the developer starts testing with the proxy tools and adjusts test inputs These slides are designed to accompany module: Software Engineering of Web Applications

Download ppt "Module: Software Engineering of Web Applications"

Similar presentations

SecuBat: An Automated Web Vulnerability Detection Framework

SecuBat: An Automated Web Vulnerability Detection Framework
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.

Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition

Similar presentations

Ads by Google