Model-Based Vulnerability Testing for Web Applications
Presented by: K. Archana (100101CSR027), Branch: CSE
Head of Department: Mr. Monoj Kar
Contents
• Introduction
• MBVT
• MBVT Approach
• DVWA Example with MBVT Approach
• Advantages
• Disadvantages
Introduction
• Web applications have become a primary means of modern information interaction, which leads to a growing demand for them.
• At the same time, Web application vulnerabilities are increasing drastically.
• One of the most important software security practices used to mitigate the growing number of vulnerabilities is security testing.
Continue…
• One such security testing technique is Model-Based Vulnerability Testing (MBVT).
MBVT
• Model-Based Vulnerability Testing (MBVT) for Web applications aims at improving the accuracy and precision of vulnerability testing.
• Accuracy: the capability to focus on the relevant part of the software.
• Precision: the capability to avoid both false positives and false negatives.
• MBVT adapts the traditional approach of Model-Based Testing (MBT) in order to generate vulnerability test cases for Web applications.
MBVT Approach
DVWA Example using MBVT Approach
• DVWA: Damn Vulnerable Web Application.
• DVWA is an open-source Web application test bed based on PHP/MySQL.
• DVWA embeds several vulnerabilities (such as SQL Injection and Blind SQL Injection, and Reflected and Stored XSS).
• In this example we focus on Reflected XSS (RXSS) vulnerabilities through form fields.
• RXSS is one of the major breaches because it is widespread and its exploitation leads to severe risks.
• We will apply the four activities of the MBVT approach to DVWA.
1. Formalizing Vulnerability Test Patterns into Test Purposes
• Vulnerability Test Patterns (vTP) are the initial artefacts of our approach.
• A vTP expresses the testing needs and procedures that allow the identification of a particular breach in a Web application.
Figure: A vTP of Reflected XSS
• A test purpose is a high-level expression that formalizes a test intention linked to a testing objective.
• We propose test purposes as a means to drive the automated test generation.
• The Smartesting Test Purpose Language is a textual language based on regular expressions, allowing the formalization of a vulnerability test intention in terms of states to be reached and operations to be called.
Figure: Test purpose formalizing the vTP on DVWA
2. Modeling:
• The modeling activity produces a model based on the functional specifications of the application and on the test purposes.
Figure: Class diagram of the SUT structure for our MBVT approach
3. Test Generation:
• The main purpose of the test generation activity is to produce test cases from both the model and the test purposes.
• This activity consists of three phases.
• The first phase transforms the model and the test purposes into elements usable by the Smartesting CertifyIt MBT tool.
• The second phase produces the abstract test cases from the test targets.
• The third phase exports the abstract test cases into the execution environment.
Figure: Generated abstract test case example
4. Adaptation and test execution:
a. Adaptation:
• During the modeling activity, all data used by the application are modeled in an abstract way.
• Hence, the test suite cannot be executed as it is.
• So the generated abstract test cases are translated into executable scripts.
b. Test Execution:
• The adapted test cases are executed in order to produce a verdict.
• A new terminology fits the characteristics of a vulnerability test execution:
  Attack-pass
  Attack-fail
  Inconclusive
• Our model defines four malicious data values dedicated to Reflected XSS attacks.
• These values are defined in an abstract way and must be adapted.
• Each of them is mapped to a concrete value, as shown in the figure:
Figure: Mapping between abstract and concrete values
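As an added example (not the presentation's or the MBVT authors' code), the Python sketch below carries the adaptation and test execution activities through end to end: an assumed mapping from four abstract RXSS values to constructed, inert probe strings, constructed stand-ins for the SUT's reflected form field at different sanitisation levels, and a verdict function implementing the Attack-pass / Attack-fail / Inconclusive terminology. The names ABSTRACT_TO_CONCRETE, execute_step and run_suite, the stand-in SUTs and the verdict semantics are assumptions, not taken from the deck or from DVWA.

```python
import html
import re
from typing import Callable, Dict, Optional
from urllib.parse import unquote

# Step 4a (adaptation): the four abstract RXSS values the model defines are
# mapped to concrete strings. These strings are constructed placeholders with
# inert markers; they are not the values shown in the deck's figure.
ABSTRACT_TO_CONCRETE: Dict[str, str] = {
    "XSS_TAG":       "<mbvt-probe>MBVT1</mbvt-probe>",
    "XSS_ATTRIBUTE": '" mbvt-probe="MBVT2',
    "XSS_EVENT":     "<b onmbvtprobe=MBVT3>x</b>",
    "XSS_ENCODED":   "%3Cmbvt-probe%3EMBVT4%3C%2Fmbvt-probe%3E",
}

# An abstract test suite as step 3 would export it: one operation per value.
ABSTRACT_TEST_SUITE = [("submit_reflected_form", v) for v in ABSTRACT_TO_CONCRETE]

# Constructed stand-ins for the SUT's reflected form field (not DVWA's code).
# Each takes the decoded field value and returns the HTML body, or None when
# the application could not be reached.
Sut = Callable[[str], Optional[str]]

def sut_unescaped(name: str) -> Optional[str]:
    return f"<pre>Hello {name}</pre>"                           # echoes raw input

def sut_strip_tags(name: str) -> Optional[str]:
    return f"<pre>Hello {re.sub(r'<[^>]*>', '', name)}</pre>"   # removes tags only

def sut_escaped(name: str) -> Optional[str]:
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"  # escapes < > & quotes

def sut_down(name: str) -> Optional[str]:
    return None                                                 # e.g. HTTP 5xx / timeout

def execute_step(operation: str, abstract_value: str, sut: Sut) -> str:
    """Step 4b: adapt one abstract step, run it against the SUT, return a verdict.

    Assumed verdict semantics: Attack-pass = the probe came back unmodified, so
    the vulnerability is confirmed; Attack-fail = the application neutralised or
    dropped it; Inconclusive = the step could not be executed at all.
    """
    if operation != "submit_reflected_form":
        raise ValueError(f"unknown abstract operation: {operation}")
    concrete = ABSTRACT_TO_CONCRETE[abstract_value]
    as_seen_by_server = unquote(concrete)   # the server URL-decodes the form field
    body = sut(as_seen_by_server)
    if body is None:
        return "Inconclusive"
    return "Attack-pass" if as_seen_by_server in body else "Attack-fail"

def run_suite(sut: Sut) -> Dict[str, str]:
    """Execute the whole adapted suite against one SUT and collect the verdicts."""
    return {value: execute_step(op, value, sut) for op, value in ABSTRACT_TEST_SUITE}

if __name__ == "__main__":
    for label, sut in [("unescaped", sut_unescaped), ("strip_tags", sut_strip_tags),
                       ("escaped", sut_escaped), ("down", sut_down)]:
        print(label, run_suite(sut))
```

The tag-stripping stand-in shows why the model carries several abstract values rather than one: it neutralises the tag-based probes but lets the attribute-breakout probe through, so only that step reports Attack-pass.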
Advantages
• MBVT can address both technical and logical vulnerabilities.
Disadvantages
• Effort is needed to design the models, test patterns and adapter.
Thank You