Model-Based
Vulnerability Testing for
Web Applications
Presented By:-
K.Archana
100101CSR027
Branch:-CSE
Head of Department:-
Mr. Monoj Kar
Contents
• Introduction
• MBVT
• MBVT Approach
• DVWA Example with MBVT Approach
• Advantages
• Disadvantages
• References
Introduction
• Web applications are becoming more popular as a means of modern information interaction, which leads to growing demand for Web applications.
• At the same time, Web application vulnerabilities are increasing drastically.
• One of the most important software security practices used to mitigate the increasing number of vulnerabilities is security testing.
• One security testing approach is Model-Based Vulnerability Testing (MBVT).
MBVT
• Model-Based Vulnerability Testing (MBVT) for Web applications aims at improving the accuracy and precision of vulnerability testing.
• Accuracy:- the capability to focus on the relevant part of the software.
• Precision:- the capability to avoid both false positives and false negatives.
• MBVT adapts the traditional approach of Model-Based Testing (MBT) in order to generate vulnerability test cases for Web applications.
MBVT Approach
DVWA Example using MBVT Approach
• DVWA:- Damn Vulnerable Web Application
• DVWA is an open-source Web application test bed, based on PHP/MySQL.
• DVWA embeds several vulnerabilities (such as SQL Injection, Blind SQL Injection, Reflected XSS and Stored XSS).
• In this example we focus on Reflected XSS (RXSS) vulnerabilities through form fields.
• RXSS is one of the major breaches because it is very common and its exploitation leads to severe risks.
• We apply the four activities of the MBVT approach to DVWA.
1. Formalizing Vulnerability Test Patterns into Test Purposes
• Vulnerability Test Patterns (vTP) are the initial artefacts of our approach.
• A vTP expresses the testing needs and procedures that allow a particular breach to be identified in a Web application.
A vTP of Reflected XSS
• A test purpose is a high-level expression that formalizes a test intention linked to a testing objective.
• We propose test purposes as a means to drive automated test generation.
• The Smartesting Test Purpose Language is a textual language based on regular expressions, allowing the formalization of a vulnerability test intention in terms of states to be reached and operations to be called.
Test purpose formalizing the vTP on DVWA
2. Modeling:-
• The modeling activity produces a model based on the functional specifications of the application and on the test purposes.
Class diagram of the SUT structure for our MBVT approach
3. Test Generation:-
• The main purpose of the test generation activity is to produce test cases from both the model and the test purposes.
• This activity consists of three phases.
• The first phase transforms the model and the test purposes into elements usable by the Smartesting CertifyIt MBT tool.
• The second phase produces the abstract test cases from the test targets.
• The third phase exports the abstract test cases into the execution environment.
Generated abstract test case example
4. Adaptation and test execution:-
a. Adaptation:-
• During the modeling activity, all data used by the application are modeled in an abstract way.
• Hence, the test suite cannot be executed as it is.
• So the generated abstract test cases are translated into executable scripts.
b. Test Execution:-
• The adapted test cases are executed in order to produce a verdict.
• A new terminology fits the characteristics of a vulnerability test execution:-
  Attack-pass
  Attack-fail
  Inconclusive
• Our model defines four malicious data values dedicated to Reflected XSS attacks.
• These values are defined in an abstract way and must be adapted.
• Each of them is mapped to a concrete value, as shown in the figure:
Mapping between abstract and concrete values
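The adaptation and test execution steps above (4a and 4b), carried through in code as an added example that is not the presentation's or Smartesting's: an abstract test case for the reflected-XSS test purpose, an adapter mapping its abstract data to concrete values, and a verdict computed from the SUT's response. The SUT is a constructed in-memory stand-in for DVWA, the test-case format and concrete values are constructed (inert canary strings rather than real payloads), and the meaning of the three verdicts is an assumption, since the slides only name them.

```python
import html


class SimulatedSut:
    """Constructed stand-in for the DVWA SUT (not DVWA itself): a session
    with a login step and one page that reflects a form field.
    escape_output toggles the output-encoding defence so that both
    verdicts can be observed offline."""

    def __init__(self, escape_output):
        self.escape_output = escape_output
        self.logged_in = False
        self.page = None

    def login(self, user, password):
        self.logged_in = (user, password) == ("admin", "password")

    def goToPage(self, page):
        # Unauthenticated requests are bounced to the login page.
        self.page = page if self.logged_in else "login"

    def injectRXSS(self, field, data):
        if self.page != "reflect":
            return "<html>Please log in</html>"
        value = html.escape(data, quote=True) if self.escape_output else data
        return f"<html>Hello, {field}={value}</html>"


def abstract_test_case(data_name, password="PASS_OK"):
    """Abstract test case in the shape a generator emits: SUT operations
    with all data left abstract.  Format constructed for this example."""
    return [
        ("login", {"user": "USER_OK", "password": password}),
        ("goToPage", {"page": "PAGE_XSS_R"}),
        ("injectRXSS", {"field": "FIELD_NAME", "data": data_name}),
        ("checkRXSS", {"data": data_name}),
    ]


# Adapter mapping (constructed): abstract value -> concrete value.  The four
# RXSS values are inert canaries carrying the characters a safe page must
# encode; the verdict only asks whether they come back neutralised.
CONCRETE = {
    "USER_OK": "admin", "PASS_OK": "password", "PASS_BAD": "wrong",
    "PAGE_XSS_R": "reflect", "FIELD_NAME": "name",
    "RXSS_1": "mbvt<1>", "RXSS_2": 'mbvt"2"',
    "RXSS_3": "mbvt'3'", "RXSS_4": "mbvt</4>",
}


def verdict(response, concrete_data):
    """Assumed meaning of the slides' verdict terminology."""
    if concrete_data in response:
        return "Attack-pass"  # reflected unneutralised: vulnerability confirmed
    if html.escape(concrete_data, quote=True) in response:
        return "Attack-fail"  # reflected but encoded: the defence is in place
    return "Inconclusive"  # no reflection at all: target state not reached


def run_test_case(case, sut):
    """Adapt one abstract test case (substitute concrete data) and execute it."""
    response = ""
    for op, args in case:
        concrete = {k: CONCRETE.get(v, v) for k, v in args.items()}
        if op == "checkRXSS":
            return verdict(response, concrete["data"])
        response = getattr(sut, op)(**concrete) or response
    return "Inconclusive"


def run_all(escape_output):
    """Verdict for each of the four abstract RXSS values against one SUT."""
    return {name: run_test_case(abstract_test_case(name), SimulatedSut(escape_output))
            for name in ("RXSS_1", "RXSS_2", "RXSS_3", "RXSS_4")}
```

Calling `run_all(False)` yields Attack-pass for every value and `run_all(True)` yields Attack-fail, while a test case whose login step uses `PASS_BAD` never reaches the reflecting page and comes back Inconclusive.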
Advantages
• MBVT can address both technical and logical vulnerabilities.
Disadvantages
• Effort is needed to design the models, the test patterns and the adapter.
References
• www.infoq.com/articles/defending-against-web-application-vulnerabilities
• G. Erdogan - 2009 - ntnu.diva-portal.org
• http://narainko.wordpress.com/2012/08/26/understanding-false-positive-and-false-negative
• http://istina.msu.ru/media/publications/articles/5db/2e2/2755271/OWASP-AppSecEU08-Petukhov.pdf
• http://www.spacios.eu/sectest2013/pdfs/sectest2013_submission_8.pdf
Thank You