Automated and Effective Testing of Web Services for XML Injection Attacks
Sadeeq Jan, Cu D. Nguyen, Lionel Briand
Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg
ISSTA'16, The International Symposium on Software Testing and Analysis
Saarland University, Saarbrücken, Germany. July 18-20, 2016
XML Injection

Definition
Injecting malicious content into XML files/messages to manipulate/compromise the logic of an application/service

Impact
•  Bypassing authentication
•  Privilege escalation
•  Information disclosure
•  Generating errors/system crash
XML Injection Example

Create new account: the web form produces the following XML message, which is stored in an XML database.
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>a@b.com</mail>
</user>

XML Database (after the new record has been appended):
<user>
  <username>admin</username>
  <password>s4n3p81</password>
  <role>Administrator</role>
  <mail>sv-admin@gmail.com</mail>
</user>
.....
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>a@b.com</mail>
</user>
XML Injection Example (Privilege Escalation)

Web Form: value entered in the mail field
abc</mail><role>Administrator</role><mail>a@b.com

Generated XML Message:
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>abc</mail>
  <role>Administrator</role>
  <mail>a@b.com</mail>
</user>
XML Schema for the user message (excerpt):
.........
<complexType name="UserType">
  <all>
    <element name="username" type="tns:StringUserType" maxOccurs="1" minOccurs="1"/>
    <element name="password" type="tns:StringPassType" maxOccurs="1" minOccurs="1"/>
    <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
    <element name="mail" type="tns:EmailType" maxOccurs="1" minOccurs="1"/>
  </all>
</complexType>
.........

The generated message
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>abc</mail>
  <role>Administrator</role>
  <mail>a@b.com</mail>
</user>
is well-formed but not valid: it violates the cardinality (=1) constraint of the 'role' element in the XML Schema
<element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
XML Injection in presence of constraints

Web Form: value entered in the password field
m1U9q10</password><!--
Web Form: value entered in the mail field
--><role>Administrator</role><mail>a@b.com

Generated XML Message (well-formed and valid):
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <!--
  </password>
  <role>user</role>
  <mail>
  -->
  <role>Administrator</role>
  <mail>a@b.com</mail>
</user>
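The two form payloads (the Type 3 one on the previous slide and the comment-based one here) only work because the service pastes field values into an XML template. As an added example that is not part of the slides or of the SOLMI tool, the Python below contrasts such a template builder with one that goes through the XML library, and shows which role each resulting message assigns to Tom; the input strings are the slides' own, the builder and helper functions are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed form inputs, taken from the slides' privilege-escalation
# examples: a benign mail address, the Type 3 payload entered in the mail
# field, and the comment-based payload split across password and mail.
BENIGN_MAIL = "a@b.com"
TYPE3_MAIL = "abc</mail><role>Administrator</role><mail>a@b.com"
TYPE4_PASSWORD = "m1U9q10</password><!--"
TYPE4_MAIL = "--><role>Administrator</role><mail>a@b.com"


def build_user_unsafe(username, password, role, mail):
    """Builds the message by string concatenation: field values land in the
    document as raw markup, which is what lets the inputs above inject a
    second <role> element or comment out the original one."""
    return (f"<user><username>{username}</username>"
            f"<password>{password}</password>"
            f"<role>{role}</role><mail>{mail}</mail></user>")


def build_user_safe(username, password, role, mail):
    """Builds the same message through the XML library: each value becomes
    the text of a node and the serializer escapes '<', '>' and '&', so no
    input can open or close a tag or start a comment."""
    user = ET.Element("user")
    for tag, value in (("username", username), ("password", password),
                       ("role", role), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")


def effective_roles(xml_text):
    """Returns the <role> values a consumer of the message would see
    (comments are dropped by the parser), or None if the message is not
    even well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [r.text for r in root.findall("role")]


if __name__ == "__main__":
    cases = (
        ("Type 3, template", build_user_unsafe("Tom", "m1U9q10", "user", TYPE3_MAIL)),
        ("Type 4, template", build_user_unsafe("Tom", TYPE4_PASSWORD, "user", TYPE4_MAIL)),
        ("Type 3, library", build_user_safe("Tom", "m1U9q10", "user", TYPE3_MAIL)),
        ("Type 4, library", build_user_safe("Tom", TYPE4_PASSWORD, "user", TYPE4_MAIL)),
        ("benign, library", build_user_safe("Tom", "m1U9q10", "user", BENIGN_MAIL)),
    )
    for label, message in cases:
        print(f"{label:17s} roles seen by the service: {effective_roles(message)}")
```

With the library builder the whole payload survives only as literal text inside the field it was typed into, so the message stays schema-valid and Tom stays a plain user.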
XML Injection in presence of constraints: Limitations of State-of-the-Art Tools
•  Generate invalid XML files/messages
•  Result in a large number of false positives
•  No dedicated testing tool for XML Injection attacks
Contributions of This Work
•  A novel automated testing approach and tool (SOLMI)
•  Generates valid but malicious XML files/messages
•  Covers a wide range of XML Injection attacks
•  Evaluation of the approach on an industrial financial system
Taxonomy of XML Injection Attacks
•  Type 1: Deforming
•  Type 2: Random closing tags
•  Type 3: Replicating
•  Type 4: Replacing
Type 1: Deforming

Using XML special characters (e.g., <, &, ') to crash the service.

Example:

Original XML (the same message is used in all four examples):
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>a@b.com</mail>
</user>

Mutated XML:
<user>
  <username>Tom</username>
  <password>m1U<9q10</password>
  <role>user</role>
  <mail>a@b.com</mail>
</user>
Type 2: Random Closing Tags

Using XML closing tags (e.g. </test>) to reveal the hidden XML structure.

Example (Original XML as in Type 1), Mutated XML:
<user>
  <username>Tom</username>
  <password></test></password>
  <role>user</role>
  <mail>a@b.com</mail>
</user>
Type 3: Replicating

Replicating existing XML elements with malicious content.

Example (Original XML as in Type 1), Mutated XML:
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <role>user</role>
  <mail>abc</mail>
  <role>Administrator</role>
  <mail>a@b.com</mail>
</user>
Type 4: Replacing

Replicating + ensuring that the resulting XML is well-formed and valid.

Example (Original XML as in Type 1), Mutated XML (well-formed, valid, yet malicious):
<user>
  <username>Tom</username>
  <password>m1U9q10</password>
  <!--
  </password>
  <role>user</role>
  <mail>
  -->
  <role>Administrator</role>
  <mail>a@b.com</mail>
</user>
Proposed Approach

SOLMI Approach

Inputs: the XML messages exchanged with the web services, the XML Schema constraints, and the security policies enforced by the XML validator (e.g. gateway/firewall) that sits in front of the SUT.
•  Type 1-2 tests are produced directly by mutation of the XML messages
•  Type 3-4 tests are produced by constraint solving over the schema constraints, with the Injection Grammar supplying the malicious content
The resulting XML messages T1, T2, ..., Tn are the tests, sent through the XML validator to the web services.

Generalizable approach: the Injection Grammar can be replaced for testing other types of vulnerabilities.
Mutation Operators

Type 1, Deforming
•  MO_der_meta: Inserts an XML meta-character into the selected element of the input XML message
•  MO_der_att: Removes a quote from the value of a selected attribute of an element
Type 2, Random closing tags
•  MO_clo: Adds </test> into the content of a selected XML element of the message
Type 3, Replicating
•  MO_replica: Replicates an XML element, injects it with new content and places it right after the selected element
Type 4, Replacing
•  MO_replace: Replicates an XML element, obtains new content, comments out the selected element, and injects the new one at its location
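Added example, not the SOLMI tool's code: the four operators from the table applied to the slides' <user> message, with a small validator standing in for the gateway that checks well-formedness and the UserType cardinality. It shows why only the Type 4 mutant survives such a check, and what a validator that additionally refuses comments changes; the function names and the CARDINALITY table are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the 'Original XML' on the taxonomy slides.
ORIGINAL = ("<user><username>Tom</username><password>m1U9q10</password>"
            "<role>user</role><mail>a@b.com</mail></user>")

# Cardinality the UserType schema imposes on every child (minOccurs="1",
# maxOccurs="1"); assumed here in place of a full XSD validator.
CARDINALITY = {"username": 1, "password": 1, "role": 1, "mail": 1}


def _locate(xml_text, tag):
    """Finds the first <tag>...</tag>; group(1) is the element's content."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", xml_text, re.S)
    if m is None:
        raise ValueError(f"no <{tag}> element in message")
    return m


def mo_der_meta(xml_text, tag, meta="<"):
    """Type 1, MO_der_meta: inserts an XML meta-character into the content."""
    m = _locate(xml_text, tag)
    cut = m.start(1) + len(m.group(1)) // 2
    return xml_text[:cut] + meta + xml_text[cut:]


def mo_clo(xml_text, tag):
    """Type 2, MO_clo: adds the stray closing tag </test> to the content."""
    m = _locate(xml_text, tag)
    return xml_text[:m.end(1)] + "</test>" + xml_text[m.end(1):]


def mo_replica(xml_text, tag, new_content):
    """Type 3, MO_replica: copies the element with new content and places
    the copy right after the original."""
    m = _locate(xml_text, tag)
    replica = f"<{tag}>{new_content}</{tag}>"
    return xml_text[:m.end()] + replica + xml_text[m.end():]


def mo_replace(xml_text, tag, new_content):
    """Type 4, MO_replace: comments out the original element and puts the
    replica at its location, so the element count still matches the schema."""
    m = _locate(xml_text, tag)
    if "--" in m.group(0):
        raise ValueError("'--' is not allowed inside an XML comment")
    replaced = f"<!--{m.group(0)}--><{tag}>{new_content}</{tag}>"
    return xml_text[:m.start()] + replaced + xml_text[m.end():]


def validator(xml_text, reject_comments=False):
    """Plays the XML validator in front of the service: 'malformed' when the
    parser rejects the message, 'invalid' when the cardinality constraints
    are violated, otherwise 'valid'. With reject_comments=True it also
    refuses messages carrying comments, which a web form never emits."""
    try:
        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
        root = ET.fromstring(xml_text, parser=parser)
    except ET.ParseError:
        return "malformed"
    if reject_comments and any(el.tag is ET.Comment for el in root.iter()):
        return "invalid"
    children = [el.tag for el in root if el.tag is not ET.Comment]
    counts = {tag: children.count(tag) for tag in CARDINALITY}
    if counts != CARDINALITY or any(t not in CARDINALITY for t in children):
        return "invalid"
    return "valid"


def role_seen_by_service(xml_text):
    """What a consumer that reads the <role> element gets (comments dropped)."""
    return ET.fromstring(xml_text).findall("role")[-1].text


if __name__ == "__main__":
    mutants = {
        "Type 1 MO_der_meta": mo_der_meta(ORIGINAL, "password"),
        "Type 2 MO_clo": mo_clo(ORIGINAL, "password"),
        "Type 3 MO_replica": mo_replica(ORIGINAL, "role", "Administrator"),
        "Type 4 MO_replace": mo_replace(ORIGINAL, "role", "Administrator"),
    }
    for name, xml_text in mutants.items():
        print(f"{name:20s} -> {validator(xml_text):9s} "
              f"(comments refused: {validator(xml_text, reject_comments=True)})")
```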
Injection Grammar

Generates attack strings for elements in XML (e.g. SQL Injection attack strings based on the grammar).

SQL Injection Grammar *

* D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from SQL injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1–10, April 2015.
Test Generation Process (for Type 3-4)

Inputs: the XML message, the XML Schema and the Injection Grammar. Starting from the XML message, the following steps repeat until test generation is completed:
•  Select Element: pick an XML element of the message
•  Extract constraints from the XML Schema for that element (Schema Constraints)
•  Transform the constraints to the Solver's input language
•  Solve the constraints and generate an attack string using the Constraint Solver and the Injection Grammar (Attack String)
•  Mutate the element with the attack string, yielding test Ti
Tests Gen. Completed? No: select the next element. Yes: End.
Concrete Example of Test Generation (for Type 4)

XML File (input message):
<transaction>
  <UserName>Mike123</UserName>
  <BankCode>0111</BankCode>
  <RequestId>R19228381</RequestId>
  <CardNumber>1234567891234</CardNumber>
</transaction>

Extract the associated constraints for the selected element. Schema constraint for element 'RequestId':
.........
<xs:element name="RequestId" type="cw:stringLen1_11"/>
<xs:simpleType name="stringLen1_11">
  <xs:restriction base="xs:string">
    <xs:minLength value="4"/>
    <xs:maxLength value="11"/>
    <xs:pattern value="[a-zA-Z0-9\s]*"/>
  </xs:restriction>
</xs:simpleType>
.........

Transform the constraint to the Solver's input language and solve it with the String Constraint Solver, drawing candidate content from the Injection Grammar.

Generated content for the XML element (attack payload): OR True

Examples of malicious content rejected by the solver:
•  OR 1=1 → violates the regular expression
•  Drop table RequestIDs → violates the maximum length constraint

Mutation (type 4). Resulting XML Message (test of Type 4):
<transaction>
  <UserName>Mike123</UserName>
  <BankCode>0111</BankCode>
  <!--
  </BankCode>
  <RequestId>R19228381</RequestId>
  <CardNumber>
  -->
  <RequestId>OR True</RequestId>
  <CardNumber>1234567891234</CardNumber>
</transaction>
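Added example, not the paper's code: the constraint extraction and solving steps above reproduced over a schema fragment rebuilt from the slide, with plain Python checks standing in for the string constraint solver, so the accept/reject decisions for the three contents on the slide can be traced. The cw namespace URI and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed schema fragment, rebuilt from the 'RequestId' constraint on
# the slide; the 'cw' namespace URI is a placeholder, not the real one.
SCHEMA = r"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:cw="urn:example:cw" targetNamespace="urn:example:cw">
  <xs:element name="RequestId" type="cw:stringLen1_11"/>
  <xs:simpleType name="stringLen1_11">
    <xs:restriction base="xs:string">
      <xs:minLength value="4"/>
      <xs:maxLength value="11"/>
      <xs:pattern value="[a-zA-Z0-9\s]*"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>"""


def extract_constraints(schema_xml, element_name):
    """Step 'Extract constraints from the XML Schema': follows the element's
    type reference to its simpleType and collects the facets found there."""
    root = ET.fromstring(schema_xml)
    elem = root.find(f"{XS}element[@name='{element_name}']")
    if elem is None:
        raise KeyError(element_name)
    type_name = elem.get("type").split(":")[-1]      # drop the 'cw:' prefix
    simple = root.find(f"{XS}simpleType[@name='{type_name}']")
    restriction = simple.find(f"{XS}restriction")
    facets = {}
    for facet in restriction:
        facets[facet.tag[len(XS):]] = facet.get("value")  # minLength, maxLength, pattern
    return facets


def check(value, facets):
    """Step 'Solve constraints': decides, in the role of the solver (and of a
    schema-validating gateway), whether value satisfies every facet.
    Returns None when accepted, otherwise the name of the violated facet."""
    if "minLength" in facets and len(value) < int(facets["minLength"]):
        return "minLength"
    if "maxLength" in facets and len(value) > int(facets["maxLength"]):
        return "maxLength"
    # XSD patterns are implicitly anchored to the whole value, hence fullmatch.
    # Assumption: the facet only uses syntax shared by XSD and Python regexes.
    if "pattern" in facets and re.fullmatch(facets["pattern"], value) is None:
        return "pattern"
    return None


def triage(candidates, facets):
    """Splits candidate contents into those the constraints accept and, for
    the others, the facet that rejected them."""
    accepted, rejected = [], {}
    for candidate in candidates:
        reason = check(candidate, facets)
        if reason is None:
            accepted.append(candidate)
        else:
            rejected[candidate] = reason
    return accepted, rejected


if __name__ == "__main__":
    facets = extract_constraints(SCHEMA, "RequestId")
    print("constraints:", facets)
    # The three contents discussed on the slide plus the legitimate request id.
    ok, bad = triage(["R19228381", "OR True", "OR 1=1", "Drop table RequestIDs"], facets)
    print("accepted:", ok)
    print("rejected:", bad)
```

These are the same checks a schema-validating gateway applies, so at that layer "OR True" is indistinguishable from a legitimate request id; the consuming service has to treat the value as data, for instance as a bound query parameter.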
Evaluation & Results

Objectives & Tools for evaluation

Objectives
•  To evaluate the effectiveness and cost (time) of our proposed approach
•  To compare our proposed approach with the state-of-the-art tools

Tools
•  ReadyAPI
•  SOLMI
Subject Application

XML Gateway (Axway XML Gateway) that protects 44 Web Services of a credit card processing company.

[Architecture diagram: Internet → XML Gateway (Service Interface 1 ... Service Interface N, enforcing the XML Schemas and the XML Threat Policy) → Backend (Web Service 1 ... Web Service N)]
Architecture of SOLMI

•  XML Processor and Schema Processor: read the XML messages and the XML Schema
•  Transformer: feeds the schema constraints to the Constraint Solver (Hampi), together with the Injection Grammar (SQL)
•  Test Generator with its Mutation Strategies: produces the Test Cases
•  Test Executor: runs the Test Cases against the SUT
•  Monitor/Oracle: observes the SUT and produces the Results
Results

Tool      MO Operator     # Tests (T)   % Bypassing Tests (Tp)   Test Generation Time (s)
ReadyAPI  Malformed XML   4430          2.37                     < 1 min
SOLMI     MO-meta         1772          0                        0.64
SOLMI     MO-close        443           0                        0.35
SOLMI     MO_der_att      NA            NA                       NA
SOLMI     MO-replica      3236          0                        2929.99 (49 mins)
SOLMI     MO-replace      3236          78.86                    2998.97 (50 mins)
Conclusion

Summary
•  Test strategies that randomly inject XML meta-characters or closing tags (state-of-the-art tools) are unlikely to be effective
•  The SOLMI approach is highly effective and the test generation time is practically reasonable
•  SOLMI is generalizable to other types of attacks

More Related Content

What's hot

Unit 4 exceptions and threads
Unit 4 exceptions and threadsUnit 4 exceptions and threads
Unit 4 exceptions and threadsDevaKumari Vijay
 
Chapter 4 - Defining Your Own Classes - Part I
Chapter 4 - Defining Your Own Classes - Part IChapter 4 - Defining Your Own Classes - Part I
Chapter 4 - Defining Your Own Classes - Part IEduardo Bergavera
 
On Parameterised Types and Java Generics
On Parameterised Types and Java GenericsOn Parameterised Types and Java Generics
On Parameterised Types and Java GenericsYann-Gaël Guéhéneuc
 
Introduction [1] - Software Testing Techniques (CIS640)
Introduction [1] - Software Testing Techniques (CIS640)Introduction [1] - Software Testing Techniques (CIS640)
Introduction [1] - Software Testing Techniques (CIS640)Venkatesh Prasad Ranganath
 
Chapter 2 - Getting Started with Java
Chapter 2 - Getting Started with JavaChapter 2 - Getting Started with Java
Chapter 2 - Getting Started with JavaEduardo Bergavera
 
CS5393-Korat_Mittal_Akshay_ProjReport
CS5393-Korat_Mittal_Akshay_ProjReportCS5393-Korat_Mittal_Akshay_ProjReport
CS5393-Korat_Mittal_Akshay_ProjReportAkshay Mittal
 
Beyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureBeyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureJayaram Sankaranarayanan
 
Validation and Inference of Schema-Level Workflow Data-Dependency Annotations
Validation and Inference of Schema-Level Workflow Data-Dependency AnnotationsValidation and Inference of Schema-Level Workflow Data-Dependency Annotations
Validation and Inference of Schema-Level Workflow Data-Dependency AnnotationsBertram Ludäscher
 
Java Generics Introduction - Syntax Advantages and Pitfalls
Java Generics Introduction - Syntax Advantages and PitfallsJava Generics Introduction - Syntax Advantages and Pitfalls
Java Generics Introduction - Syntax Advantages and PitfallsRakesh Waghela
 
The Ring programming language version 1.2 book - Part 53 of 84
The Ring programming language version 1.2 book - Part 53 of 84The Ring programming language version 1.2 book - Part 53 of 84
The Ring programming language version 1.2 book - Part 53 of 84Mahmoud Samir Fayed
 
Lecture - 5 Control Statement
Lecture - 5 Control StatementLecture - 5 Control Statement
Lecture - 5 Control Statementmanish kumar
 

What's hot (20)

Unit 4 exceptions and threads
Unit 4 exceptions and threadsUnit 4 exceptions and threads
Unit 4 exceptions and threads
 
Java Generics - by Example
Java Generics - by ExampleJava Generics - by Example
Java Generics - by Example
 
Introduction to Java Programming Part 2
Introduction to Java Programming Part 2Introduction to Java Programming Part 2
Introduction to Java Programming Part 2
 
Java interface
Java interfaceJava interface
Java interface
 
Chapter 4 - Defining Your Own Classes - Part I
Chapter 4 - Defining Your Own Classes - Part IChapter 4 - Defining Your Own Classes - Part I
Chapter 4 - Defining Your Own Classes - Part I
 
Linq
LinqLinq
Linq
 
Xml session
Xml sessionXml session
Xml session
 
On Parameterised Types and Java Generics
On Parameterised Types and Java GenericsOn Parameterised Types and Java Generics
On Parameterised Types and Java Generics
 
Introduction [1] - Software Testing Techniques (CIS640)
Introduction [1] - Software Testing Techniques (CIS640)Introduction [1] - Software Testing Techniques (CIS640)
Introduction [1] - Software Testing Techniques (CIS640)
 
Chapter 2 - Getting Started with Java
Chapter 2 - Getting Started with JavaChapter 2 - Getting Started with Java
Chapter 2 - Getting Started with Java
 
CS5393-Korat_Mittal_Akshay_ProjReport
CS5393-Korat_Mittal_Akshay_ProjReportCS5393-Korat_Mittal_Akshay_ProjReport
CS5393-Korat_Mittal_Akshay_ProjReport
 
Beyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureBeyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software Architecture
 
Java Generics
Java GenericsJava Generics
Java Generics
 
Validation and Inference of Schema-Level Workflow Data-Dependency Annotations
Validation and Inference of Schema-Level Workflow Data-Dependency AnnotationsValidation and Inference of Schema-Level Workflow Data-Dependency Annotations
Validation and Inference of Schema-Level Workflow Data-Dependency Annotations
 
Java Generics Introduction - Syntax Advantages and Pitfalls
Java Generics Introduction - Syntax Advantages and PitfallsJava Generics Introduction - Syntax Advantages and Pitfalls
Java Generics Introduction - Syntax Advantages and Pitfalls
 
The Ring programming language version 1.2 book - Part 53 of 84
The Ring programming language version 1.2 book - Part 53 of 84The Ring programming language version 1.2 book - Part 53 of 84
The Ring programming language version 1.2 book - Part 53 of 84
 
Method overloading and constructor overloading in java
Method overloading and constructor overloading in javaMethod overloading and constructor overloading in java
Method overloading and constructor overloading in java
 
Generics in java
Generics in javaGenerics in java
Generics in java
 
Lecture - 5 Control Statement
Lecture - 5 Control StatementLecture - 5 Control Statement
Lecture - 5 Control Statement
 
Java interfaces
Java interfacesJava interfaces
Java interfaces
 

Viewers also liked

Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementCodenomicon
 
Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]Chris Theisen
 
Software Security Education at Scale
Software Security Education at ScaleSoftware Security Education at Scale
Software Security Education at ScaleChris Theisen
 
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist AttackUnmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist AttackImperva
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
Autonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefenseAutonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefensePriyanka Aash
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityImperva Incapsula
 
Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012DefCamp
 
Jon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp CollaboratorJon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp Collaboratorcentralohioissa
 
DefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network securityDefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network securityDefCamp
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 

Viewers also liked (20)

Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
 
Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]
 
Software Security Education at Scale
Software Security Education at ScaleSoftware Security Education at Scale
Software Security Education at Scale
 
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist AttackUnmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
 
Autonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefenseAutonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and Defense
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application Security
 
Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012
 
Jon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp CollaboratorJon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp Collaborator
 
DefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network securityDefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network security
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
Apache Multiview Vulnerability
Apache Multiview VulnerabilityApache Multiview Vulnerability
Apache Multiview Vulnerability
 
Blind xss
Blind xssBlind xss
Blind xss
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 

Similar to Automated and Effective Testing of Web Services for XML Injection Attacks

A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...
A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...
A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...Lionel Briand
 
Simple xml in .net
Simple xml in .netSimple xml in .net
Simple xml in .netVi Vo Hung
 
Mazda Use of Third Generation Xml Tools
Mazda Use of Third Generation Xml ToolsMazda Use of Third Generation Xml Tools
Mazda Use of Third Generation Xml ToolsCardinaleWay Mazda
 
eXtensible Markup Language (XML)
eXtensible Markup Language (XML)eXtensible Markup Language (XML)
eXtensible Markup Language (XML)Serhii Kartashov
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net ProgrammingAdam Getchell
 
Implementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoCImplementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoCjimfuller2009
 
ORACLE SOA SUIT BASIC XML FORMATS
ORACLE SOA SUIT  BASIC XML FORMATS ORACLE SOA SUIT  BASIC XML FORMATS
ORACLE SOA SUIT BASIC XML FORMATS xavier john
 
Generating characterization tests for legacy code
Generating characterization tests for legacy codeGenerating characterization tests for legacy code
Generating characterization tests for legacy codeJonas Follesø
 
XML - EXtensible Markup Language
XML - EXtensible Markup LanguageXML - EXtensible Markup Language
XML - EXtensible Markup LanguageReem Alattas
 
Becoming a coder in 60 minutes - Mews Commander PMS
Becoming a coder in 60 minutes - Mews Commander PMSBecoming a coder in 60 minutes - Mews Commander PMS
Becoming a coder in 60 minutes - Mews Commander PMSJiří Helmich
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris x-MS
 

Similar to Automated and Effective Testing of Web Services for XML Injection Attacks (20)

A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...
A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...
A Search-based Testing Approach for XML Injection Vulnerabilities in Web Appl...
 
xml rpc
xml rpcxml rpc
xml rpc
 
XML Schemas
XML SchemasXML Schemas
XML Schemas
 
Simple xml in .net
Simple xml in .netSimple xml in .net
Simple xml in .net
 
Mazda Use of Third Generation Xml Tools
Mazda Use of Third Generation Xml ToolsMazda Use of Third Generation Xml Tools
Mazda Use of Third Generation Xml Tools
 
Schematron
SchematronSchematron
Schematron
 
eXtensible Markup Language (XML)
eXtensible Markup Language (XML)eXtensible Markup Language (XML)
eXtensible Markup Language (XML)
 
Java 17
Java 17Java 17
Java 17
 
PostgreSQL and XML
PostgreSQL and XMLPostgreSQL and XML
PostgreSQL and XML
 
tutorial21
tutorial21tutorial21
tutorial21
 
tutorial21
tutorial21tutorial21
tutorial21
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net Programming
 
Implementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoCImplementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoC
 
Soa suite doc
Soa suite docSoa suite doc
Soa suite doc
 
ORACLE SOA SUIT BASIC XML FORMATS
ORACLE SOA SUIT  BASIC XML FORMATS ORACLE SOA SUIT  BASIC XML FORMATS
ORACLE SOA SUIT BASIC XML FORMATS
 
Generating characterization tests for legacy code
Generating characterization tests for legacy codeGenerating characterization tests for legacy code
Generating characterization tests for legacy code
 
XML - EXtensible Markup Language
XML - EXtensible Markup LanguageXML - EXtensible Markup Language
XML - EXtensible Markup Language
 
Becoming a coder in 60 minutes - Mews Commander PMS
Becoming a coder in 60 minutes - Mews Commander PMSBecoming a coder in 60 minutes - Mews Commander PMS
Becoming a coder in 60 minutes - Mews Commander PMS
 
Séminaire Web Services
Séminaire Web ServicesSéminaire Web Services
Séminaire Web Services
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 

More from Lionel Briand

Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Metamorphic Testing for Web System Security
Metamorphic Testing for Web System SecurityMetamorphic Testing for Web System Security
Metamorphic Testing for Web System SecurityLionel Briand
 
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Lionel Briand
 
Fuzzing for CPS Mutation Testing
Fuzzing for CPS Mutation TestingFuzzing for CPS Mutation Testing
Fuzzing for CPS Mutation TestingLionel Briand
 
Automated and Effective Testing of Web Services for XML Injection Attacks

  • 1. Automated and Effective Testing of Web Services for XML Injection Attacks
       Sadeeq Jan, Cu D. Nguyen, Lionel Briand
       Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg
       Software Verification & Validation (SVV)
       ISSTA'16, The International Symposium on Software Testing and Analysis
       Saarland University, Saarbrücken, Germany. July 18-20, 2016
  • 2. XML Injection
       Definition: injecting malicious content into XML files/messages to manipulate/compromise the logic of an application/service.
       Impact:
       •  Bypassing authentication
       •  Privilege escalation
       •  Information disclosure
       •  Generating errors/system crash
  • 3. XML Injection Example
       Web Form: Create new account -> Generated XML message:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
       -> XML Database:
       <user>
         <username>admin</username>
         <password>s4n3p81</password>
         <role>Administrator</role>
         <mail>sv-admin@gmail.com</mail>
       </user>
       .....
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
  • 4. XML Injection Example (Privilege Escalation)
       Web Form input (mail field):
       abc</mail><role>Administrator</role><mail>a@b.com
       Generated XML Message:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>abc</mail>
         <role>Administrator</role>
         <mail>a@b.com</mail>
       </user>
  • 5. XML Injection in presence of constraints
       XML Schema (excerpt):
       .........
       <complexType name="UserType">
         <all>
           <element name="username" type="tns:StringUserType" maxOccurs="1" minOccurs="1" />
           <element name="password" type="tns:StringPassType" maxOccurs="1" minOccurs="1"/>
           <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
           <element name="mail" type="tns:EmailType" maxOccurs="1" minOccurs="1" />
         </all>
       </complexType>
       .........
       Injected message:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>abc</mail>
         <role>Administrator</role>
         <mail>a@b.com</mail>
       </user>
       Well-formed but not valid: it violates the cardinality (=1) constraint of the 'role' element in the XML Schema:
       <element name="role" type="tns:Int1000Type" maxOccurs="1" minOccurs="1"/>
  • 6. XML Injection in presence of constraints
       Web Form input: password field: m1U9q10</password><!--   mail field: --><role>Administrator</role><mail>a@b.com
       Generated XML Message:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <!-- </password> <role>user</role> <mail> -->
         <role>Administrator</role>
         <mail>a@b.com</mail>
       </user>
       Well-formed and valid
  • 7. Limitations of State-of-the-Art Tools
       •  Generate invalid XML files/messages
       •  Result in a large number of false positives
       •  No dedicated testing tool for XML Injection attacks
  • 8. Contributions of This Work
       •  A novel automated testing approach and tool (SOLMI)
       •  Generates valid but malicious XML files/messages
       •  Covers a wide range of XML Injection attacks
       •  Evaluation of the approach on an industrial financial system
  • 9. Taxonomy of XML Injection Attacks
       •  Type 1: Deforming
       •  Type 2: Random closing tags
       •  Type 3: Replicating
       •  Type 4: Replacing
  • 10. Type 1: Deforming
       Using XML special characters (e.g., <, &, ') to crash the service.
       Example:
       Original XML:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
       Mutated XML:
       <user>
         <username>Tom</username>
         <password>m1U<9q10</password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
  • 11. Type 2: Random Closing Tags
       Using XML closing tags (e.g. </test>) to reveal the hidden XML structure.
       Example:
       Original XML:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
       Mutated XML:
       <user>
         <username>Tom</username>
         <password></test></password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
  • 12. Type 3: Replicating
       Replicating existing XML elements with malicious content.
       Example:
       Original XML:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
       Mutated XML:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>abc</mail>
         <role>Administrator</role>
         <mail>a@b.com</mail>
       </user>
  • 13. Type 4: Replacing
       Replicating + ensuring that the resulting XML is well-formed and valid.
       Example:
       Original XML:
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <role>user</role>
         <mail>a@b.com</mail>
       </user>
       Mutated XML (well-formed, valid, yet malicious):
       <user>
         <username>Tom</username>
         <password>m1U9q10</password>
         <!-- </password> <role>user</role> <mail> -->
         <role>Administrator</role>
         <mail>a@b.com</mail>
       </user>
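The four attack types above, run against the kind of checks an XML gateway performs, as an added example that is not part of the slides or of SOLMI: it builds the slides' user message from form input both by naive concatenation and with escaping, applies the payloads shown on slides 4, 6, 10 and 11, and reports well-formedness, cardinality validity, the role the backend would read, and whether comments are present. Python's standard library stands in for a schema validator, and the cardinality check is my approximation of the UserType schema on slide 5.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Elements of UserType (slide 5), each with minOccurs="1" maxOccurs="1".
USER_FIELDS = ("username", "password", "role", "mail")


def build_user_xml_unsafe(username, password, role, mail):
    """Message construction as implied by slides 4 and 6: form input is
    concatenated straight into the markup, so a value can close or open tags."""
    return (f"<user><username>{username}</username>"
            f"<password>{password}</password>"
            f"<role>{role}</role><mail>{mail}</mail></user>")


def build_user_xml_safe(username, password, role, mail):
    """Hardened construction: escape() turns '<', '>' and '&' into entities,
    so whatever the form contains stays text content of its own element."""
    return build_user_xml_unsafe(*(escape(v) for v in (username, password, role, mail)))


def check_message(xml_text):
    """Classify a message the way a schema-validating gateway would, plus the
    two things the gateway on slide 6 does not look at: the role the backend
    service would read, and whether the message carries comments."""
    # Keep comments in the tree; fromstring() normally discards them, which
    # is exactly why the Type 4 message looks clean to a validator.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    try:
        root = ET.fromstring(xml_text, parser=parser)
    except ET.ParseError:
        return {"well_formed": False, "valid": False, "role": None,
                "comments": 0, "accept": False}
    elements = [c for c in root if c.tag is not ET.Comment]
    comments = len(root) - len(elements)
    # Cardinality of the <all> group: every field exactly once, nothing else.
    counts = {f: sum(1 for c in elements if c.tag == f) for f in USER_FIELDS}
    valid = (root.tag == "user" and len(elements) == len(USER_FIELDS)
             and all(n == 1 for n in counts.values()))
    role = root.find("role")
    return {"well_formed": True, "valid": valid,
            "role": role.text if role is not None else None,
            "comments": comments,
            # Gateway hardening that works even with the slide's schema:
            # request messages have no business carrying comments.
            "accept": valid and comments == 0}


# Payloads as shown on slides 10, 11, 4 and 6 (constructed test input).
TYPE1_PASSWORD = "m1U<9q10"
TYPE2_PASSWORD = "</test>"
TYPE3_MAIL = "abc</mail><role>Administrator</role><mail>a@b.com"
TYPE4_PASSWORD = "m1U9q10</password><!--"
TYPE4_MAIL = "--><role>Administrator</role><mail>a@b.com"


def run_cases():
    """Return the classification of each attack type under both constructions."""
    cases = {
        "type1": ("Tom", TYPE1_PASSWORD, "user", "a@b.com"),
        "type2": ("Tom", TYPE2_PASSWORD, "user", "a@b.com"),
        "type3": ("Tom", "m1U9q10", "user", TYPE3_MAIL),
        "type4": ("Tom", TYPE4_PASSWORD, "user", TYPE4_MAIL),
    }
    results = {}
    for name, fields in cases.items():
        results[name + "_unsafe"] = check_message(build_user_xml_unsafe(*fields))
        results[name + "_safe"] = check_message(build_user_xml_safe(*fields))
    return results


if __name__ == "__main__":
    for name, r in run_cases().items():
        print(f"{name:13s} well_formed={r['well_formed']!s:5} valid={r['valid']!s:5} "
              f"comments={r['comments']} role={r['role']} accept={r['accept']}")
```

Types 1 and 2 fail well-formedness and Type 3 fails cardinality, so a validating gateway stops them; only Type 4 is well-formed and valid with the role already changed, and only the comment count or escaping at construction time catches it.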
  • 15. SOLMI Approach
       [Diagram: input XML messages are mutated; Type 1-2 mutations are applied directly, Type 3-4 mutations go through Constraint Solving using the Schema Constraints, Security Policies and the Injection Grammar; the resulting XML messages (tests T1, T2, ..., Tn) are sent to the SUT: an XML Validator (e.g. Gateway/Firewall) in front of the Web Services]
       Generalizable approach: the Injection Grammar can be replaced for testing other types of vulnerabilities.
  • 16. Mutation Operators
       Attack                     | Mut. Operator | Description
       Type 1 Deforming           | MO_der_meta   | Inserts an XML meta-character into the selected element of the input XML message
                                  | MO_der_att    | Removes a quote from the value of a selected attribute of an element
       Type 2 Random closing tags | MO_clo        | Adds </test> into the content of a selected XML element of the message
       Type 3 Replicating         | MO_replica    | Replicates an XML element, injects it with a new content and places it at the location right after the selected element
       Type 4 Replacing           | MO_replace    | Replicates an XML element, obtains a new content, comments out the selected element, and injects the new one at its location
  • 17. Injection Grammar
       Generates attack strings for elements in XML (e.g. SQL Injection attack strings based on the grammar). SQL Injection Grammar *
       * D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from SQL injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1-10, April 2015.
  • 18. Test Generation Process (for Type 3-4)
       Inputs: XML Schema, Injection Grammar. Flow (repeated until test generation is completed):
       1. Start: select an XML element.
       2. Extract the constraints on that element from the XML Schema (Schema Constraints).
       3. Transform the constraints to the Solver's input language.
       4. Solve the constraints and generate an attack string using the Constraint Solver and the Injection Grammar (Attack String).
       5. Mutate the element with the attack string, producing test Ti.
       6. Tests generation completed? No: select the next element (back to 1). Yes: End.
  • 25. Concrete Example of Test Generation (for Type 4)
       XML File:
       <transaction>
         <UserName>Mike123</UserName>
         <BankCode>0111</BankCode>
         <RequestId>R19228381</RequestId>
         <CardNumber>1234567891234</CardNumber>
       </transaction>
       Extract the associated constraints for the selected element. Schema constraint for element 'RequestId' (XML Schema excerpt):
       .......
       <xs:element name="RequestId" type="cw:stringLen1_11"/>
       .......
       <xs:simpleType name="stringLen1_11">
         <xs:restriction base="xs:string">
           <xs:minLength value="4"/>
           <xs:maxLength value="11"/>
           <xs:pattern value="[a-zA-Z0-9\s]*"/>
         </xs:restriction>
       </xs:simpleType>
       .......
       Transform the constraint to the Solver's input language; the String Constraint Solver, together with the Injection Grammar, generates the content for the XML element (attack payload): OR True
       Examples of malicious content rejected by the solver:
       -  OR 1=1 -> violates the regular expression
       -  Drop table RequestIDs -> violates the maximum length constraint
       Mutation (type 4). Resulting XML Message (Test of Type 4):
       <transaction>
         <UserName>Mike123</UserName>
         <BankCode>0111</BankCode>
         <!-- </BankCode> <RequestId>R19228381</RequestId> <CardNumber> -->
         <RequestId>OR True</RequestId>
         <CardNumber>1234567891234</CardNumber>
       </transaction>
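The constraint-solving step of slides 18 and 25, as an added example that is not from the talk or from SOLMI: a plain regular-expression check stands in for the Hampi string solver, the facets and the three candidate strings are the ones on slide 25, and the tightened facets (STRICT_FACETS) are my own assumption, derived from the shape of the legitimate value R19228381, to show how a stricter schema leaves no schema-valid room for any of the three.

```python
import re

# Facets of simpleType "stringLen1_11" as shown on slide 25.
SLIDE_FACETS = {"minLength": 4, "maxLength": 11, "pattern": r"[a-zA-Z0-9\s]*"}

# Assumed tightened facets (not from the slides): the legitimate RequestId
# R19228381 is one uppercase letter followed by eight digits, and a schema
# that says so admits no SQL fragment of any length.
STRICT_FACETS = {"minLength": 9, "maxLength": 9, "pattern": r"[A-Z][0-9]{8}"}

# The strings discussed on slide 25. In SOLMI they are produced from the SQL
# injection grammar; here the list is constructed by hand.
CANDIDATES = ["OR True", "OR 1=1", "Drop table RequestIDs"]
LEGITIMATE = "R19228381"


def violated_facet(value, facets):
    """Name the first XSD facet the value violates, or None if it satisfies
    them all. XSD patterns are implicitly anchored, which re.fullmatch
    reproduces; the length facets are checked first, as on the slide."""
    if len(value) < facets["minLength"]:
        return "minLength"
    if len(value) > facets["maxLength"]:
        return "maxLength"
    if re.fullmatch(facets["pattern"], value) is None:
        return "pattern"
    return None


def classify(candidates, facets):
    """Map each candidate to the facet it violates. A None value means the
    string is schema-valid content for RequestId, so a message carrying it
    (the Type 4 test on slide 25) passes a schema-validating gateway."""
    return {c: violated_facet(c, facets) for c in candidates}


if __name__ == "__main__":
    for label, facets in (("slide 25 facets", SLIDE_FACETS),
                          ("strict facets", STRICT_FACETS)):
        print(label)
        for value, facet in classify(CANDIDATES + [LEGITIMATE], facets).items():
            verdict = "accepted" if facet is None else "rejected: " + facet
            print(f"  {value!r:25} -> {verdict}")
```

With the slide's facets the solver-style check keeps exactly the payload the slide reports and rejects the other two for the reasons the slide gives; with the tightened facets the legitimate value still passes while every candidate fails on length alone.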
  • 27. Objectives & Tools for Evaluation
       Objectives
       •  To evaluate the effectiveness and cost (time) of our proposed approach
       •  To compare our proposed approach with the state-of-the-art tools
       Tools
       •  ReadyAPI
       •  SOLMI
  • 28. Subject Application
       XML Gateway (Axway XML Gateway) that protects 44 Web Services of a credit card processing company.
       [Diagram: Internet -> XML Gateway (XML Schemas, XML Threat Policy) -> Service Interface 1 ... Service Interface N -> Web Service 1 ... Web Service N -> Backend]
  • 29. Architecture of SOLMI
       [Diagram: the Test Generator uses the Mutation Strategies, the XML Processor, the Schema Processor, the Transformer, the Constraint Solver (Hampi) and the Injection Grammar (SQL) to produce Test Cases; the Test Executor sends them to the SUT, observed by a Monitor/Oracle]
  • 30. Results
       Tool     | MO Operator   | # Tests (T) | % Bypassing Tests (Tp) | Test Generation Time (s)
       ReadyAPI | Malformed XML | 4430        | 2.37                   | < 1 min
       SOLMI    | MO-meta       | 1772        | 0                      | 0.64
       SOLMI    | MO-close      | 443         | 0                      | 0.35
       SOLMI    | MO_der_att    | NA          | NA                     | NA
       SOLMI    | MO-replica    | 3236        | 0                      | 2929.99 (49 mins)
       SOLMI    | MO-replace    | 3236        | 78.86                  | 2998.97 (50 mins)
  • 36. Conclusion
       •  Test strategies that randomly inject XML meta-characters or closing tags (state-of-the-art tools) are unlikely to be effective
       •  The SOLMI approach is highly effective and the test generation time is practically reasonable
       •  SOLMI is generalizable to other types of attacks