Model-Based Vulnerability Testing for Web Applications
Presented by: K. Archana (100101CSR027)
Branch: CSE
Head of Department: Mr. Monoj Kar
Contents
• Introduction
• MBVT
• MBVT Approach
• DVWA Example with MBVT Approach
• Advantages
• Disadvantages
• References
Introduction
• Web applications have become a primary means of modern information interaction, which leads to growing demand for them.
• At the same time, Web application vulnerabilities are increasing drastically.
• One of the most important software security practices used to mitigate this growing number of vulnerabilities is security testing.
• One security testing approach is Model-Based Vulnerability Testing (MBVT).
MBVT
• Model-Based Vulnerability Testing (MBVT) for Web applications aims at improving the accuracy and precision of vulnerability testing.
• Accuracy: the capability to focus on the relevant part of the software.
• Precision: the capability to avoid both false positives and false negatives.
• MBVT adapts the traditional approach of Model-Based Testing (MBT) in order to generate vulnerability test cases for Web applications.
MBVT Approach
DVWA Example using MBVT Approach
• DVWA: Damn Vulnerable Web Application.
• DVWA is an open-source Web application test bed, based on PHP/MySQL.
• DVWA embeds several vulnerabilities (such as SQL Injection and Blind SQL Injection, and Reflected and Stored XSS).
• In this example we focus on Reflected XSS (RXSS) vulnerabilities reached through form fields.
• RXSS is one of the major breaches because it is widespread and its exploitation leads to severe risks.
• We apply the four activities of the MBVT approach to DVWA.
1. Formalizing Vulnerability Test Patterns into Test Purposes
• Vulnerability Test Patterns (vTP) are the initial artefacts of our approach.
• A vTP expresses the testing needs and procedures that allow a particular breach to be identified in a Web application.
Figure: a vTP of Reflected XSS
• A test purpose is a high-level expression that formalizes a test intention linked to a testing objective.
• We propose test purposes as a means to drive automated test generation.
• The Smartesting Test Purpose Language is a textual language based on regular expressions, allowing a vulnerability test intention to be formalized in terms of states to be reached and operations to be called.
Figure: test purpose formalizing the vTP on DVWA
2. Modeling
• The modeling activity produces a model based on the functional specifications of the application and on the test purposes.
Figure: class diagram of the SUT structure for our MBVT approach
3. Test Generation
• The main purpose of the test generation activity is to produce test cases from both the model and the test purposes.
• This activity consists of three phases.
• The first phase transforms the model and the test purposes into elements usable by the Smartesting CertifyIt MBT tool.
• The second phase produces the abstract test cases from the test targets.
• The third phase exports the abstract test cases into the execution environment.
Figure: generated abstract test case example
4. Adaptation and Test Execution
a. Adaptation
• During the modeling activity, all data used by the application are modeled in an abstract way.
• Hence, the test suite can't be executed as it is.
• So the generated abstract test cases are translated into executable scripts.
b. Test Execution
• The adapted test cases are executed in order to produce a verdict.
• A new terminology fits the characteristics of a vulnerability test execution:
  Attack-pass
  Attack-fail
  Inconclusive
• Our model defines four malicious data values dedicated to Reflected XSS attacks.
• These values are defined in an abstract way and must be adapted.
• Each of them is mapped to a concrete value, as shown in the figure:
Figure: mapping between abstract and concrete values
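As an added illustration of activities 4a and 4b (this is example code, not code from the deck or from the Smartesting tooling), a small Python adapter and execution harness: it maps four constructed abstract data identifiers to concrete inert probe strings, runs the adapted test against a constructed stand-in for DVWA's reflected page and against its output-encoded fix, and returns one of the three verdicts. The step names (login, goto, inject, check_reflected) and the reading of the verdicts (Attack-pass: the probe comes back unencoded, so the vulnerability is present; Attack-fail: it is absent or encoded; Inconclusive: the intended state was never reached) are assumptions of this example.

```python
from dataclasses import dataclass
from html import escape
from typing import Callable, Dict, List, Optional, Tuple

# Adaptation table: abstract malicious data, as the model names it, mapped to
# the concrete string the adapter substitutes.  Both the identifiers and the
# values are constructed for this example; they are not the original work's.
# The probes are inert markers: the oracle only checks whether the SUT
# reflects them back without HTML encoding.
CONCRETE_DATA: Dict[str, str] = {
    "XSS_DATA_1": "<mbvt1>",             # markup inside a text node
    "XSS_DATA_2": '"><mbvt2>',           # leaves a double-quoted attribute
    "XSS_DATA_3": "'><mbvt3>",           # leaves a single-quoted attribute
    "XSS_DATA_4": "</textarea><mbvt4>",  # closes an enclosing raw-text element
}

# Simulated SUT: (page name, submitted field value) -> response body, or None
# when the page does not exist, so the test cannot reach its target state.
Sut = Callable[[str, str], Optional[str]]


@dataclass(frozen=True)
class Step:
    op: str        # operation from the model: login, goto, inject, check_reflected
    arg: str = ""  # abstract argument before adaptation, concrete afterwards


def abstract_suite() -> List[List[Step]]:
    """One abstract test case per malicious datum, in the shape a generator
    driven by the RXSS test purpose would emit (constructed here)."""
    return [
        [Step("login", "admin"), Step("goto", "xss_r"),
         Step("inject", data), Step("check_reflected")]
        for data in CONCRETE_DATA
    ]


def adapt(abstract: List[Step]) -> List[Step]:
    """Adaptation: replace every abstract data identifier with its concrete value.
    An identifier without a mapping is a model/adapter mismatch, so fail loudly."""
    concrete: List[Step] = []
    for step in abstract:
        if step.op == "inject":
            if step.arg not in CONCRETE_DATA:
                raise KeyError(f"no concrete value for abstract data {step.arg!r}")
            concrete.append(Step(step.op, CONCRETE_DATA[step.arg]))
        else:
            concrete.append(step)
    return concrete


def execute(concrete: List[Step], sut: Sut) -> Tuple[str, str]:
    """Test execution: drive the SUT through the concrete steps and return
    (verdict, reason).  Attack-pass = probe reflected unencoded (vulnerable),
    Attack-fail = probe absent or encoded, Inconclusive = target state not reached."""
    page: Optional[str] = None
    probe: Optional[str] = None
    body: Optional[str] = None
    for step in concrete:
        if step.op == "login":
            continue  # session handling is out of scope for this simulation
        if step.op == "goto":
            page = step.arg
        elif step.op == "inject":
            if page is None:
                return "Inconclusive", "inject issued before any page was reached"
            probe = step.arg
            body = sut(page, probe)
            if body is None:
                return "Inconclusive", f"page {page!r} not reachable"
        elif step.op == "check_reflected":
            if body is None or probe is None:
                return "Inconclusive", "check issued before any injection"
            if probe in body:
                return "Attack-pass", "probe reflected without encoding"
            return "Attack-fail", "probe absent or HTML-encoded"
    return "Inconclusive", "test case ended without a check"


def vulnerable_sut(page: str, name: str) -> Optional[str]:
    """Constructed stand-in for a page that echoes the submitted field raw."""
    return f"<pre>Hello {name}</pre>" if page == "xss_r" else None


def fixed_sut(page: str, name: str) -> Optional[str]:
    """Same page after the mitigation: the field is HTML-encoded on output."""
    return f"<pre>Hello {escape(name, quote=True)}</pre>" if page == "xss_r" else None


def run_suite(sut: Sut) -> Dict[str, str]:
    """Adapt and execute the whole abstract suite; one verdict per abstract datum."""
    return {case[2].arg: execute(adapt(case), sut)[0] for case in abstract_suite()}


if __name__ == "__main__":
    for label, sut in (("vulnerable", vulnerable_sut), ("fixed", fixed_sut)):
        print(label, run_suite(sut))
```

Against the raw-echo stand-in every datum yields Attack-pass; against the encoded version every datum yields Attack-fail, and an unreachable page yields Inconclusive rather than a false Attack-fail.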
Advantages
• MBVT can address both technical and logical vulnerabilities.
Disadvantages
• Effort is needed to design the models, the test patterns and the adapter.
Thank You
