Metamorphic Testing for Web System Security
Journal First – IEEE Transactions on Software Engineering
Presented by: Nazanin Bayati, 13 September 2023
University of Ottawa | University of Luxembourg

Authors: Nazanin Bayati (University of Ottawa), Fabrizio Pastore (University of Luxembourg), Lionel Briand (University of Ottawa and University of Luxembourg), Arda Goknil (SINTEF Digital, Norway)
Security vulnerabilities are subtle
Discovered when testing with many inputs
Specifying expected results is infeasible

Metamorphic Testing alleviates the Oracle Problem
• Metamorphic Testing (MT) is based on the idea that it may be simpler to reason about relations between outputs of multiple test executions, called Metamorphic Relations (MRs), than to specify the output of the system for a given input
• In MT, system properties are captured as MRs that
  • specify how to automatically transform an initial set of test inputs (source inputs) into follow-up test inputs
  • specify the relation between the outputs obtained from source and follow-up inputs
• A failure is observed when such relations are violated.

Metamorphic Security Testing
• Source input: a sequence of valid interactions with the system, e.g. {login(Admin), RequestURL(settings_page)}
• Follow-up input: generated by altering valid interactions as an attacker would do, e.g. {login(User1), RequestURL(settings_page)}
• Relations: capture properties that hold when the system is not vulnerable, e.g. if the user in the follow-up input cannot access the URL from her GUI, then the outputs of the source and follow-up inputs should be different

MST-wi: Metamorphic Security Testing for Web Interfaces
[Figure: MST-wi workflow. (1) Execute the Data Collection Framework against the Web System to obtain the Source Inputs (recorded interactions such as Log in, Submit form, logout). (2) Select or Specify the Metamorphic Relations from the Catalog of 76 Metamorphic Relations, producing a List of Metamorphic Relations. (3) Translate the Metamorphic Relations to Java, producing Executable Metamorphic Relations in Java. (4) Execute the Metamorphic Testing Framework to obtain the Test results.]

MST-wi – MR Example
• Security issue: Bypass Authorization Schema
Our metamorphic testing algorithm executes each MR multiple times, to ensure that every possible combination of source and follow-up inputs is exercised.
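The relation from the "Metamorphic Security Testing" slide (source {login(Admin), RequestURL(settings_page)}, follow-up {login(User1), RequestURL(settings_page)}, outputs must differ when the follow-up user cannot reach the URL from her GUI) together with the "every combination of source and follow-up inputs" execution strategy, as an added Python example. This is not code from the MST-wi project, whose MRs are written in a DSL and translated to Java; the WebSystem class, the users, pages and per-user GUI link sets are constructed stand-ins for a system under test and for the data a crawler would collect.

```python
from dataclasses import dataclass


@dataclass
class WebSystem:
    """Constructed in-memory stand-in for the web system under test."""
    gui_links: dict       # user -> set of URLs reachable from that user's GUI
    page_content: dict    # url -> body served to a user allowed to see it
    enforce_authz: bool   # the defect under test: server-side check on or off

    def execute(self, actions):
        """Run one interaction sequence; return the last response body."""
        session_user = None
        output = ""
        for action, arg in actions:
            if action == "login":
                session_user = arg
                output = f"Welcome {arg}"
            elif action == "RequestURL":
                allowed = arg in self.gui_links.get(session_user, set())
                if self.enforce_authz and not allowed:
                    output = "403 Forbidden"
                else:  # vulnerable path: serves the page to anyone logged in
                    output = self.page_content.get(arg, "404 Not Found")
            else:
                raise ValueError(f"unknown action {action}")
        return output


def source_user(actions):
    """User logged in by an input sequence (its first login action)."""
    return next(arg for action, arg in actions if action == "login")


def requested_urls(actions):
    return [arg for action, arg in actions if action == "RequestURL"]


def follow_up_inputs(source, users):
    """Alter the source input as an attacker would: replay the same URL
    requests while logged in as every *other* user of the system."""
    me = source_user(source)
    return [
        [("login", other)] + [(a, x) for a, x in source if a != "login"]
        for other in users if other != me
    ]


def mr_bypass_authorization_schema(system, source_inputs, users):
    """MR for 'Bypass Authorization Schema'.

    Precondition: the follow-up user cannot reach the requested URL from her GUI
                  (here taken from the constructed gui_links; MST-wi would use
                  the links its crawler collected for that user).
    Relation:     output(follow-up) != output(source).
    The MR runs once per (source input, follow-up user) pair, so every
    combination is exercised. Returns the violated pairs; [] means no failure.
    A production relation would compare responses modulo dynamic content
    (timestamps, CSRF tokens); exact comparison suffices for this toy system.
    """
    violations = []
    for source in source_inputs:
        source_output = system.execute(source)
        for follow_up in follow_up_inputs(source, users):
            gui = system.gui_links.get(source_user(follow_up), set())
            if all(url in gui for url in requested_urls(follow_up)):
                continue  # user may legitimately see the page: MR not applicable
            if system.execute(follow_up) == source_output:
                violations.append((source, follow_up))
    return violations


# Constructed sample data: three users, two pages, two crawled source inputs.
USERS = ["Admin", "User1", "Guest"]
GUI_LINKS = {"Admin": {"/settings_page", "/home"},
             "User1": {"/home"}, "Guest": {"/home"}}
PAGES = {"/settings_page": "<h1>Settings</h1>", "/home": "<h1>Home</h1>"}
SOURCE_INPUTS = [
    [("login", "Admin"), ("RequestURL", "/settings_page")],
    [("login", "User1"), ("RequestURL", "/home")],
]
VULNERABLE = WebSystem(GUI_LINKS, PAGES, enforce_authz=False)
FIXED = WebSystem(GUI_LINKS, PAGES, enforce_authz=True)

if __name__ == "__main__":
    for name, system in [("vulnerable", VULNERABLE), ("fixed", FIXED)]:
        found = mr_bypass_authorization_schema(system, SOURCE_INPUTS, USERS)
        print(f"{name}: {len(found)} MR violation(s)")
        for source, follow_up in found:
            print("  source:   ", source)
            print("  follow-up:", follow_up)
```

The second source input (User1 requesting /home) yields no check at all, because /home is in every user's GUI and the MR's precondition filters those follow-ups out; this is what keeps the relation from raising false alarms on pages everyone may see.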

MST-wi – Research Questions
• RQ1. What testing activities can be automated thanks to oracle automation provided by MST-wi?
• RQ2. What vulnerability types can MST-wi detect?
• RQ3. What testability guidelines can we define to enable effective test automation with MST-wi?
• RQ4. How does MST-wi compare to state-of-the-art SAST and DAST tools?
• RQ5. Can we identify patterns for writing MST-wi relations?
• RQ6. Is MST-wi effective?
• RQ7. Is MST-wi efficient?

MST-wi – What vulnerability types can MST-wi detect?
• We investigated the feasibility of implementing MRs that discover the vulnerability types described in the MITRE Common Weakness Enumeration (CWE) database
• Considered three subsets:
  • CWE view for common security architectural tactics
  • CWE Top 25 most dangerous software errors
  • OWASP Top 10 Web security risks
• To implement an MR, for each weakness, we first inspect its description, its demonstrative examples, the description of concrete vulnerabilities (CVE) and common attack patterns (CAPEC) associated with the weakness.
• This process led to a catalog of 76 MRs.

MST-wi – What vulnerability types can MST-wi detect?
Security Design Principle | Vulnerability types | Addressed by MST-wi | Rank
Audit | 6 | 1 (16%) | 10th
Authenticate Actors | 28 | 12 (43%) | 4th
Authorize Actors | 60 | 34 (57%) | 3rd
Cross Cutting | 9 | 3 (33%) | 6th
Encrypt Data | 38 | 8 (21%) | 8th
Identify Actors | 12 | 3 (25%) | 7th
Limit Access | 8 | 3 (38%) | 5th
Limit Exposure | 6 | 0 (0%) | 11th
Lock Computer | 1 | 0 (0%) | 11th
Manage User Session | 6 | 4 (67%) | 2nd
Validate Inputs | 39 | 31 (79%) | 1st
Verify Message Integrity | 19 | 2 (20%) | 9th
Total | 223 | 101 (45%) |
Summary of the CWE architectural security design principles and weaknesses addressed by MST-wi.

MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• We compared the vulnerability types detected by MST-wi with the vulnerability types detected by state-of-the-art SAST and DAST tools, as reported in a recent empirical study

MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
Column groups: (A) weaknesses addressed by each approach; (B) weaknesses addressed by MST but not by the given tool; (C) weaknesses not addressed by MST but addressed by the given tool.

Security Design Principle | A: MST | A: Zap | A: DA2 | A: Sonar | A: SA2 | B: Zap | B: DA2 | B: Sonar | B: SA2 | C: Zap | C: DA2 | C: Sonar | C: SA2
Audit | 1 | 0 | 0 | 0 | 3 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 2
Authenticate Actors | 12 | 0 | 2 | 1 | 9 | 12 | 11 | 11 | 7 | 0 | 1 | 0 | 4
Authorize Actors | 34 | 2 | 0 | 1 | 13 | 32 | 34 | 34 | 25 | 0 | 0 | 1 | 4
Cross Cutting | 3 | 0 | 0 | 2 | 0 | 3 | 3 | 2 | 3 | 0 | 0 | 1 | 0
Encrypt Data | 8 | 2 | 5 | 8 | 10 | 8 | 8 | 7 | 4 | 2 | 5 | 7 | 6
Identify Actors | 3 | 1 | 1 | 1 | 7 | 3 | 3 | 3 | 1 | 1 | 1 | 1 | 5
Limit Access | 3 | 0 | 1 | 1 | 5 | 3 | 3 | 2 | 0 | 0 | 1 | 0 | 2
Limit Exposure | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1
Lock Computer | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Manage User Session | 4 | 0 | 0 | 0 | 2 | 4 | 4 | 4 | 2 | 0 | 0 | 0 | 0
Validate Inputs | 31 | 10 | 7 | 2 | 14 | 24 | 25 | 30 | 19 | 3 | 1 | 1 | 2
Verify Message Integrity | 2 | 1 | 0 | 0 | 3 | 2 | 2 | 2 | 1 | 1 | 0 | 0 | 2
Total | 101 | 17 | 16 | 16 | 67 | 92 | 94 | 96 | 62 | 8 | 9 | 11 | 28

The set of weaknesses targeted by MST-wi (101) is larger than the 84 that can be targeted by applying all four competing approaches together.

MST-wi – Is MST-wi effective?
Applied MST-wi to test well-known Web systems:
• Jenkins v2.121
• Joomla v3.8.7
Assessed MST-wi's capability to detect known vulnerabilities:
• 11 for Jenkins, 3 for Joomla
• One of them was discovered by MST-wi (CVE-2018-17857)
Considered two setups:
• Derive source inputs with the crawler only
• Consider additional manually implemented functional test cases
Metrics:
• Sensitivity: proportion of vulnerabilities identified
• Specificity: proportion of inputs not leading to false alarms

MST-wi – Is MST-wi effective?
• The high specificity indicates that only a negligible fraction of follow-up inputs leads to false alarms
• Since sensitivity reflects the fault detection rate (i.e., the proportion of vulnerabilities discovered), we conclude that our approach is highly effective
• We can discover more than 60% of vulnerabilities in a completely automated manner, using only the crawler, and up to 85% using both crawler and manual inputs

https://github.com/MetamorphicSecurityTesting/MST

Metamorphic Testing for Web System Security
Presented by: Nazanin Bayati, 13 September 2023
N. Bayati Chaleshtari, F. Pastore, A. Goknil, and L. Briand, "Metamorphic Testing for Web System Security", IEEE Transactions on Software Engineering, 2023, https://ieeexplore.ieee.org/document/10089522
n.bayati@uottawa.ca

MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools? (further observations on the comparison table)
• MST-wi can detect 56 weaknesses that none of the other approaches can address.
• Combined, the DAST/SAST approaches can address only 39 weaknesses that MST-wi does not address.
• The weaknesses that MST-wi cannot address are mostly those (i) that can only be discovered using program analysis, (ii) that are not related to user-system interactions, or (iii) that concern non-Web-based systems.
• Combining MST-wi with SA2 seems to be a particularly effective combination, as it enables detecting 129 weaknesses (i.e., 101 + 28), which is 92% of the 140 weaknesses that can be detected by any approach.
Data-driven Mutation Analysis for Cyber-Physical Systems
Lionel Briand
 
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsMany-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Lionel Briand
 
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
Lionel Briand
 
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Lionel Briand
 
PRINS: Scalable Model Inference for Component-based System Logs
PRINS: Scalable Model Inference for Component-based System LogsPRINS: Scalable Model Inference for Component-based System Logs
PRINS: Scalable Model Inference for Component-based System Logs
Lionel Briand
 
Revisiting the Notion of Diversity in Software Testing
Revisiting the Notion of Diversity in Software TestingRevisiting the Notion of Diversity in Software Testing
Revisiting the Notion of Diversity in Software Testing
Lionel Briand
 
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Applications of Search-based Software Testing to Trustworthy Artificial Intel...Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Lionel Briand
 
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
Autonomous Systems: How to Address the Dilemma between Autonomy and SafetyAutonomous Systems: How to Address the Dilemma between Autonomy and Safety
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
Lionel Briand
 
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Lionel Briand
 
Reinforcement Learning for Test Case Prioritization
Reinforcement Learning for Test Case PrioritizationReinforcement Learning for Test Case Prioritization
Reinforcement Learning for Test Case Prioritization
Lionel Briand
 
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Lionel Briand
 
On Systematically Building a Controlled Natural Language for Functional Requi...
On Systematically Building a Controlled Natural Language for Functional Requi...On Systematically Building a Controlled Natural Language for Functional Requi...
On Systematically Building a Controlled Natural Language for Functional Requi...
Lionel Briand
 
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Lionel Briand
 
Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Guidelines for Assessing the Accuracy of Log Message Template Identification ...Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Lionel Briand
 
A Theoretical Framework for Understanding the Relationship between Log Parsin...
A Theoretical Framework for Understanding the Relationship between Log Parsin...A Theoretical Framework for Understanding the Relationship between Log Parsin...
A Theoretical Framework for Understanding the Relationship between Log Parsin...
Lionel Briand
 
Requirements in Cyber-Physical Systems: Specifications and Applications
Requirements in Cyber-Physical Systems: Specifications and ApplicationsRequirements in Cyber-Physical Systems: Specifications and Applications
Requirements in Cyber-Physical Systems: Specifications and Applications
Lionel Briand
 

More from Lionel Briand (20)

Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
 
Fuzzing for CPS Mutation Testing
Fuzzing for CPS Mutation TestingFuzzing for CPS Mutation Testing
Fuzzing for CPS Mutation Testing
 
Data-driven Mutation Analysis for Cyber-Physical Systems
Data-driven Mutation Analysis for Cyber-Physical SystemsData-driven Mutation Analysis for Cyber-Physical Systems
Data-driven Mutation Analysis for Cyber-Physical Systems
 
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsMany-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
 
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
 
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
 
PRINS: Scalable Model Inference for Component-based System Logs
PRINS: Scalable Model Inference for Component-based System LogsPRINS: Scalable Model Inference for Component-based System Logs
PRINS: Scalable Model Inference for Component-based System Logs
 
Revisiting the Notion of Diversity in Software Testing
Revisiting the Notion of Diversity in Software TestingRevisiting the Notion of Diversity in Software Testing
Revisiting the Notion of Diversity in Software Testing
 
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Applications of Search-based Software Testing to Trustworthy Artificial Intel...Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
 
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
Autonomous Systems: How to Address the Dilemma between Autonomy and SafetyAutonomous Systems: How to Address the Dilemma between Autonomy and Safety
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
 
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
 
Reinforcement Learning for Test Case Prioritization
Reinforcement Learning for Test Case PrioritizationReinforcement Learning for Test Case Prioritization
Reinforcement Learning for Test Case Prioritization
 
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
 
On Systematically Building a Controlled Natural Language for Functional Requi...
On Systematically Building a Controlled Natural Language for Functional Requi...On Systematically Building a Controlled Natural Language for Functional Requi...
On Systematically Building a Controlled Natural Language for Functional Requi...
 
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
 
Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Guidelines for Assessing the Accuracy of Log Message Template Identification ...Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Guidelines for Assessing the Accuracy of Log Message Template Identification ...
 
A Theoretical Framework for Understanding the Relationship between Log Parsin...
A Theoretical Framework for Understanding the Relationship between Log Parsin...A Theoretical Framework for Understanding the Relationship between Log Parsin...
A Theoretical Framework for Understanding the Relationship between Log Parsin...
 
Requirements in Cyber-Physical Systems: Specifications and Applications
Requirements in Cyber-Physical Systems: Specifications and ApplicationsRequirements in Cyber-Physical Systems: Specifications and Applications
Requirements in Cyber-Physical Systems: Specifications and Applications
 

Recently uploaded

2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
MayankTawar1
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
Jelle | Nordend
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
Peter Caitens
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 

Recently uploaded (20)

2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 

Metamorphic Testing for Web System Security

  • 1. Metamorphic Testing for Web System Security. Journal First – IEEE Transactions on Software Engineering. Presented by: Nazanin Bayati, 13 September 2023. Authors: Nazanin Bayati (University of Ottawa), Fabrizio Pastore (University of Luxembourg), Lionel Briand (University of Ottawa, University of Luxembourg), Arda Goknil (SINTEF Digital, Norway). Slide footer, repeated on every slide and omitted below: University of Ottawa | University of Luxembourg – Nazanin Bayati - Metamorphic Testing for Web System Security – 13 September 2023.
  • 2. Security vulnerabilities are subtle. They are discovered when testing with many inputs, yet specifying the expected results for each input is infeasible.
  • 3. Metamorphic Testing alleviates the Oracle Problem
    • Metamorphic Testing (MT) is based on the idea that it may be simpler to reason about relations between the outputs of multiple test executions, called Metamorphic Relations (MRs), than to specify the output of the system for a given input.
    • In MT, system properties are captured as MRs that (a) specify how to automatically transform an initial set of test inputs (source inputs) into follow-up test inputs and (b) specify the relation between the outputs obtained from source and follow-up inputs.
    • A failure is observed when such relations are violated.
  • 4. Metamorphic Security Testing
    • Source input: a sequence of valid interactions with the system, e.g. {login(Admin), RequestURL(settings_page)}
    • Follow-up input: generated by altering valid interactions as an attacker would do, e.g. {login(User1), RequestURL(settings_page)}
    • Relations: capture properties that hold when the system is not vulnerable, e.g. if the user in the follow-up input cannot access the URL from her GUI, then the outputs of the source and follow-up inputs should be different.
  • 5. MST-wi: Metamorphic Security Testing for Web Interfaces. Workflow figure (reconstructed from the box labels): (1) Execute the Data Collection Framework on the Web System to obtain the Source Inputs (e.g. Log in, Submit form, logout); (2) Select or Specify the Metamorphic Relations from the Catalog of 76 Metamorphic Relations to obtain the List of Metamorphic Relations; (3) Translate the Metamorphic Relations to Java to obtain Executable Metamorphic Relations in Java; (4) Execute the Metamorphic Testing Framework to obtain the Test results.
  • 6–11. MST-wi – MR Example • Security issue: Bypass Authorization Schema (the same title on each of these build-up slides; the example itself is shown graphically).
  • 12. MST-wi – MR Example • Security issue: Bypass Authorization Schema. Our metamorphic testing algorithm executes each MR multiple times, to ensure that every possible combination of source and follow-up inputs is exercised.
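The relation from slide 4 and the all-combinations execution from slide 12, written out as an added example (this is not code from the MST-wi project, which translates its MRs to Java): a constructed toy web system with a deliberately forgotten authorization check, an MR that derives follow-up inputs by swapping the logged-in user and flags identical outputs, and the sensitivity and specificity metrics of slides 18 and 19 computed on the outcome. Every name below (the users, roles, URLs, the ToyWebSystem class and its fixtures) is an assumption made for illustration.

```python
# Added example (not MST-wi project code): a metamorphic relation for the
# "Bypass Authorization Schema" issue, run against a constructed toy web system.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Action = Tuple[str, str]  # ("login", <user>) or ("request", <url>)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


@dataclass
class ToyWebSystem:
    """Constructed stand-in for the web system under test (an assumption, not real code)."""
    users: Dict[str, str]           # username -> role
    acl: Dict[str, Set[str]]        # url -> roles allowed to access it
    gui_links: Dict[str, Set[str]]  # role -> urls reachable from that role's GUI
    enforced: Set[str]              # urls whose server-side authorization check exists

    def request_url(self, role: str, url: str) -> Response:
        # A URL missing from `enforced` models the defect: the page is hidden from
        # the GUI but served to any authenticated user.
        if url in self.enforced and role not in self.acl[url]:
            return Response(403, "Forbidden")
        return Response(200, f"<html>{url}</html>")

    def execute(self, actions: List[Action]) -> Response:
        """Run one input (a sequence of interactions) and return the last response."""
        role, out = None, Response(401, "Unauthenticated")
        for kind, arg in actions:
            if kind == "login":
                role = self.users[arg]
            elif kind == "request" and role is not None:
                out = self.request_url(role, arg)
        return out


def mr_bypass_authorization(system: ToyWebSystem, source_inputs: List[List[Action]]):
    """Check the relation of slide 4 for every (source input, follow-up user) pair.

    Follow-up input: the source interactions with the logged-in user replaced.
    Precondition:    the follow-up user cannot reach the URL from her GUI.
    Relation:        the source and follow-up outputs must differ.
    Returns (violations, follow_ups_checked); each violation is (src_user, user, url).
    """
    violations, checked = [], 0
    for source in source_inputs:
        src_user = next(a for k, a in source if k == "login")
        url = next(a for k, a in source if k == "request")
        src_out = system.execute(source)
        for other in system.users:
            if other == src_user or url in system.gui_links[system.users[other]]:
                continue  # same user, or precondition not met: nothing to check
            follow_up = [("login", other) if k == "login" else (k, a) for k, a in source]
            checked += 1
            if system.execute(follow_up) == src_out:
                violations.append((src_user, other, url))
    return violations, checked


# Constructed fixtures: users, ACL, GUI links and source inputs are made up here.
USERS = {"Admin": "admin", "User1": "user", "User2": "user"}
ACL = {
    "/settings_page": {"admin"},
    "/audit_log": {"admin"},
    "/profile": {"admin", "user"},
    "/about": {"admin", "user"},  # public page that the user GUI happens not to link
}
GUI = {"admin": set(ACL), "user": {"/profile"}}
SOURCE_INPUTS = [  # what a crawler logged in as each user would have recorded
    [("login", "Admin"), ("request", "/settings_page")],
    [("login", "Admin"), ("request", "/audit_log")],
    [("login", "Admin"), ("request", "/about")],
    [("login", "User1"), ("request", "/profile")],
]
# Vulnerable variant forgets the check on /settings_page; fixed variant enforces every URL.
VULNERABLE = ToyWebSystem(USERS, ACL, GUI, enforced={"/audit_log", "/profile", "/about"})
FIXED = ToyWebSystem(USERS, ACL, GUI, enforced=set(ACL))


def evaluate(system: ToyWebSystem, planted: Set[str]) -> Dict[str, float]:
    """Sensitivity: share of planted vulnerable URLs flagged.
    Specificity: share of checked follow-up inputs that did not raise a false alarm."""
    violations, checked = mr_bypass_authorization(system, SOURCE_INPUTS)
    flagged = {url for _, _, url in violations}
    false_alarms = sum(1 for _, _, url in violations if url not in planted)
    sensitivity = len(flagged & planted) / len(planted) if planted else 1.0
    specificity = (checked - false_alarms) / checked if checked else 1.0
    return {"sensitivity": sensitivity, "specificity": specificity}


if __name__ == "__main__":
    print(mr_bypass_authorization(VULNERABLE, SOURCE_INPUTS))
    print(evaluate(VULNERABLE, planted={"/settings_page"}), evaluate(FIXED, planted=set()))
```

On the vulnerable variant the MR flags /settings_page for both non-admin users and stays silent on /audit_log, whose check is enforced. The /about page illustrates why specificity matters: it is legitimately public but not linked from the user GUI, so the GUI-reachability precondition holds and the identical outputs are reported as a violation on both variants. Such a false alarm is the price of deriving the precondition from the GUI rather than from a specification, which is what the specificity metric measures.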
  • 13. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 13 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 MST-wi – Research Questions • RQ1. What testing activities can be automated thanks to oracle automation provided by MST-wi? • RQ2. What vulnerability types can MST-wi detect? • RQ3. What testability guidelines can we define to enable effective test automation with MST-wi? • RQ4. How does MST-wi compare to state-of-the-art SAST and DAST tools? • RQ5. Can we identify patterns for writing MST-wi relations? • RQ6. Is MST-wi effective? • RQ7. Is MST-wi efficient?
  • 14. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 14 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 MST-wi – What vulnerability types can MST-wi detect? • We investigated the feasibility of implementing MRs that discover the vulnerability types described in the MITRE Common Weakness Enumeration (CWE) database • Considered three subsets: • CWE view for common security architectural tactics • CWE Top 25 most dangerous software errors • OWASP Top 10 Web security risks • To implement an MR, for each weakness, we first inspect its description, its demonstrative examples, the description of concrete vulnerabilities (CVE) and common attack patterns (CAPEC) associated with the weakness. • This process led to a catalog of 76 MRs.
  • 15. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 15 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 MST-wi – What vulnerability types can MST-wi detect? Security Design Principle Vulnerability types Addressed by MST-wi Rank Audit 6 1(16%) 10th Authenticate Actors 28 12 (43%) 4th Authorize Actors 60 34 (57%) 3rd Cross Cutting 9 3 (33%) 6th Encrypt Data 38 8 (21%) 8th Identify Actors 12 3 (25%) 7th Limit Access 8 3 (38%) 5th Limit Exposure 6 0 (0%) 11th Lock Computer 1 0 (0%) 11th Manage User Session 6 4 (67%) 2nd Validate Inputs 39 31 (79%) 1st Verify Message Integrity 19 2 (20%) 9th Total 223 101 (45%) Summary of the CWE architectural security design principles and weaknesses addressed by MST-wi.
  • 16. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 16 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools? • We compared the vulnerability types detected by MST-wi, with the vulnerability types detected by state- of-the-art SAST and DAST tool reported in a recent empirical study
  • 17. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 17 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools? Security Design Principle Weaknesses Addresses by Weaknesses Addressed by MST but not by Weaknesses bot addresses by MST but addresses by MST Zap DA2 Sonar SA2 Zap DA2 Sonar SA2 Zap DA2 Sonar SA2 Audit 1 0 0 0 3 1 1 1 0 0 0 0 2 Authenticate Actors 12 0 2 1 9 12 11 11 7 0 1 0 4 Authorize Actors 34 2 0 1 13 32 34 34 25 0 0 1 4 Cross Cutting 3 0 0 2 0 3 3 2 3 0 0 1 0 Encrypt Data 8 2 5 8 10 8 8 7 4 2 5 7 6 Identify Actors 3 1 1 1 7 3 3 3 1 1 1 1 5 Limit Access 3 0 1 1 5 3 3 2 0 0 1 0 2 Limit Exposure 0 1 0 0 1 0 0 0 0 1 0 0 1 Lock Computer 0 0 0 0 0 0 0 0 0 0 0 0 0 Manage User Session 4 0 0 0 2 4 4 4 2 0 0 0 0 Validate Inputs 31 10 7 2 14 24 25 30 19 3 1 1 2 Verify Message Integrity 2 1 0 0 3 2 2 2 1 1 0 0 2 Total 101 17 16 16 67 92 94 96 62 8 9 11 28 84 The set of weaknesses targeted by MST-wi is larger than what can be targeted by applying all four competing approaches together.
  • 18. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 18 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 MST-wi – Is MST-wi effective? Applied MST-wi to test well-known Web systems: • Jenkins v 2.121 • Joomla v. 3.8.7. Assessed MST-wi capability to detect known vulnerabilities: • 11 for Jenkins, 3 for Joomla. • One of them discovered by MST-wi (CVE-2018-17857) Considered two setups: • Derive source inputs with crawler only • Consider additional manually implemented functional test cases Metrics: • Sensitivity: proportion of vulnerabilities identified • Specificity: proportion of inputs not leading to false alarms
  • 19. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 19 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 MST-wi – Is MST-wi effective? • The high specificity indicates that only a negligible fraction of follow-up inputs leads to false alarms • Since sensitivity reflects the fault detection rate (i.e., the proportion of vulnerabilities discovered), we conclude that our approach is highly effective • We can discover more than 60% of vulnerabilities in a completely automated manner, using only the crawler • And up to 85% using both crawler and manual inputs
  • 20. University of Ottawa | University of Luxembourg University of Ottawa | University of Luxembourg 20 Nazanin Bayati - Metamorphic Testing for Web System Security 13 September 2023 https://github.com/MetamorphicSecurityTesting/MST
• 21. Metamorphic Testing for Web System Security
Presented by: Nazanin Bayati, 13 September 2023
N. Bayati Chaleshtari, F. Pastore, A. Goknil, and L. Briand, "Metamorphic Testing for Web System Security", IEEE Transactions on Software Engineering, 2023, https://ieeexplore.ieee.org/document/10089522
n.bayati@uottawa.ca
University of Ottawa | University of Luxembourg
• 22. MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools? (backup slide; repeats the table of slide 17, highlighting 56)
MST-wi can detect 56 weaknesses that no other approach can address.
• 23. (backup slide; same table, highlighting 39)
Combined together, the DAST/SAST approaches can address only 39 weaknesses that MST-wi does not address.
• 24. (backup slide; same table, highlighting 39)
• The weaknesses that MST-wi cannot address are mostly those (i) that can only be discovered using program analysis, (ii) that are not related to user-system interactions, or (iii) that concern non-Web-based systems.
• 25. (backup slide; same table, highlighting the SA2 column)
Combining MST-wi with SA2 seems to be a particularly effective combination, as it enables detecting 129 weaknesses (i.e., 101 + 28), which is 92% of the 140 weaknesses that can be detected by any approach (140 = the 101 addressed by MST-wi + the 39 addressed only by the other tools; of the 101, 56 are addressed by MST-wi alone).
• 26. MST-wi: Metamorphic Security Testing for Web Interfaces (workflow figure)
1. Execute the Data Collection Framework on the Web System -> Source Inputs S(x,y)
2. Select and Specify the MRs from the List of Predefined Metamorphic Relations -> List of MRs
3. Transform MRs to Java -> Executable MRs
4. Execute the Metamorphic Testing Framework on the executable MRs and the source inputs -> Test results
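The workflow above (source inputs collected from the running system, follow-up inputs derived by re-playing the same interactions as other users, executable relations, test results) and the sensitivity/specificity metrics of slides 18 and 19 are illustrated by the following added example. It is not code from the MST-wi project and does not use its Java MR language: the page model, the roles, the two constructed vulnerabilities, the hidden /debug endpoint that only a manual test case knows about, the encoding of the authorization relation, and the way the two metrics are computed (sensitivity over the known vulnerabilities, specificity over the follow-up inputs whose target is not vulnerable) are all assumptions made for this illustration. Python is used so the whole thing runs stand-alone.

```python
"""Added illustration, not code from the MST-wi project: a constructed web
system with role-based access control, one metamorphic relation for
authorization (my own encoding, modeled on the kind of relation MST-wi uses,
not the paper's Java MR), and sensitivity / specificity computed for a
crawler-only setup and a crawler + manual-test setup."""
from dataclasses import dataclass
from fractions import Fraction

# Constructed system under test. "allowed" = roles whose GUI links the page,
# "public" = served to everyone by design, "vulnerable" = the server forgets
# the authorization check (these are the known vulnerabilities we score against).
PAGES = {
    "/dashboard":    {"allowed": {"admin", "user"}},
    "/profile":      {"allowed": {"admin", "user"}},
    "/settings":     {"allowed": {"admin"}},
    "/audit":        {"allowed": {"admin"}},
    "/users/export": {"allowed": {"admin"}, "vulnerable": True},
    "/reports":      {"allowed": {"admin"}, "vulnerable": True},
    "/about":        {"allowed": {"admin"}, "public": True},  # linked only from the admin menu, public on purpose
    "/debug":        {"allowed": set(), "vulnerable": True},  # hidden endpoint: no GUI links it
}
ROLES = {"Admin": "admin", "User1": "user", "Anon": "anonymous"}  # constructed accounts


def request_url(user, url):
    """Simulated server response for RequestURL(url) after login(user)."""
    page = PAGES[url]
    if ROLES[user] in page["allowed"] or page.get("public") or page.get("vulnerable"):
        return f"200 <html>{url} content</html>"
    return "403 Forbidden"


def gui_links(user):
    """URLs reachable from this user's own GUI (what a crawler logged in as `user` sees)."""
    return {url for url, page in PAGES.items() if ROLES[user] in page["allowed"]}


@dataclass(frozen=True)
class Input:
    """One interaction sequence {login(user), RequestURL(url)}."""
    user: str
    url: str


def crawler_sources():
    """Source inputs from the crawler: every link in the admin GUI."""
    return [Input("Admin", url) for url in sorted(gui_links("Admin"))]


def manual_sources():
    """Extra source input from a hand-written functional test that knows the hidden endpoint."""
    return [Input("Admin", "/debug")]


def follow_ups(source):
    """Follow-up inputs: replay the same request as every other user, as an attacker would."""
    return [Input(u, source.url) for u in ROLES if u != source.user]


def mr_authz(source, follow_up):
    """Metamorphic relation: if the follow-up user cannot reach the URL from her own GUI,
    the follow-up output must differ from the source output. True = holds, False = violated."""
    if follow_up.url in gui_links(follow_up.user):
        return True  # relation does not apply to this pair
    return request_url(follow_up.user, follow_up.url) != request_url(source.user, source.url)


def evaluate(sources):
    """Check the MR on every (source, follow-up) pair and score the outcome."""
    known = {url for url, page in PAGES.items() if page.get("vulnerable")}
    detected, alarms, benign_follow_ups, false_alarms = set(), [], 0, 0
    for src in sources:
        for fu in follow_ups(src):
            violated = not mr_authz(src, fu)
            if violated:
                alarms.append(fu)
            if fu.url in known:
                if violated:
                    detected.add(fu.url)
            else:
                benign_follow_ups += 1
                false_alarms += int(violated)
    return {
        "alarms": alarms,
        "detected": detected,
        # sensitivity: share of known vulnerabilities flagged by at least one follow-up input
        "sensitivity": Fraction(len(detected), len(known)),
        # specificity: share of follow-up inputs on non-vulnerable targets that raised no alarm
        "specificity": Fraction(benign_follow_ups - false_alarms, benign_follow_ups),
    }


if __name__ == "__main__":
    for name, srcs in [("crawler only", crawler_sources()),
                       ("crawler + manual", crawler_sources() + manual_sources())]:
        r = evaluate(srcs)
        print(f"{name}: sensitivity={float(r['sensitivity']):.2f} "
              f"specificity={float(r['specificity']):.2f} detected={sorted(r['detected'])}")
```

Run as a script it reports sensitivity 0.67 / specificity 0.80 for the crawler-only setup and 1.00 / 0.80 once the manual source input is added: the hidden endpoint is a vulnerability the crawler never reaches, so no follow-up input exercises it, while the public page linked only from the admin menu is the kind of follow-up that yields a false alarm (a violation of the relation that is not a vulnerability). These numbers are properties of the constructed system, not of the Jenkins and Joomla experiments.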