King's College London

Research portal

MobSTer: A Model-based Security Testing Framework for Web Applications

Research output: Contribution to journalArticlepeer-review

Michele Peroli, Federico De Meo, Luca Vigano, Davide Guardini

Original languageEnglish
Article numbere1685
Number of pages40
JournalSOFTWARE TESTING VERIFICATION AND RELIABILITY
Volume28
Issue number8
Early online date27 Sep 2018
DOIs
Accepted/In press18 Jun 2018
E-pub ahead of print27 Sep 2018
PublishedDec 2018

Documents

King's Authors

Abstract

Web applications have become one of the preferred means for users to perform a number of crucial and security-sensitive operations such as selling and buying goods or managing bank accounts, official documents, personal health records, smart houses and so on. The pervasive adoption of such web applications calls for an extensive security analysis in order to avoid attacks. Penetration testing is the most common approach for testing the security of web applications, but model-based security testing has been steadily maturing into a viable alternative and/or complementary approach. Penetration testing is very efficient but the experience of the security analyst is crucial; model-based security testing relies on formal methods but the security analyst has to first create a suitable model of the web application. In this paper, we introduce MobSTer, a formal and flexible model-based security testing framework that contributes to filling the gap between these two security testing approaches. The main idea underlying this framework is that the use of model-checking techniques can automate the search for possible vulnerable entry points in the web application, i.e., it permits an analyst to perform security testing without missing important checks. Moreover, the framework also allows for reuse: the analyst can collect her expertise into the framework and (re)use it during future tests on possibly different web applications. We have implemented MobSTer as a prototype and applied it to test a number of case studies to assess its strength and concretely evaluate it with respect to four state-of-the-art tools normally used by penetration testers.

Download statistics

No data available

View graph of relations

© 2020 King's College London | Strand | London WC2R 2LS | England | United Kingdom | Tel +44 (0)20 7836 5454