
SPaCiTE – Web Application Testing Engine

Matthias Büchler, Johan Oudinet, and Alexander Pretschner. April 21, 2012.


Presentation Transcript


  1. SPaCiTE – Web Application Testing Engine Matthias Büchler, Johan Oudinet, and Alexander Pretschner April 21, 2012

  2. Motivation / Purpose of the Tool: Web Application. Secure Model: M ⊨ φ. Is the Web Application Secure? How does a secure model help to answer this question?

  3. Motivation / Purpose of the Tool (figure: Client Side / Server Side)

  4. Motivation / Purpose of the Tool

  5. SPaCiTE Workflow • How SPaCiTE executes test cases (attack traces) based on secure models

  6. The Secure Model – Abstract Messages

  7. The Secure Model – Horn Clauses

  8. The Secure Model – The Honest User

  9. The Secure Model – The Server

  10. The Secure Model – Secrecy Goal

  11. Model-Based Flaw Injection Library
      <configuration>
        <ACflaw>
          <funcname>isAuthorizedTo*</funcname>
        </ACflaw>
      </configuration>

  12. Model Checking: reuse the AVANTSSAR backends SATMC, CL-AtSE, and OFMC

  13. Abstract Attack Trace
      <tom> ->* webServer : login(tom,password(tom,webServer))
      webServer -> <tom> : listStaffOf(tom)
      <tom> *-> webServer : viewProfileOf(jerry)
      webServer *->* <tom> : profileOf(jerry)
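The pipeline of slides 6 to 13 (secure model, flaw injection, model checking, abstract attack trace) compressed into a runnable toy, as an added example that is not SPaCiTE code and not one of the AVANTSSAR backends: a hand-written model with one access-control guard, an ACflaw-style mutation operator that blanks every guard whose name matches isAuthorizedTo*, and a breadth-first search over intruder knowledge that plays the role of the model checker. The model, the names (isAuthorizedToView, webServer, tom, jerry, alice), the intruder's initial knowledge and the search bound are assumptions made here; the channel annotations (->*, *->) of the slide's notation are dropped.

```python
"""Added example (not SPaCiTE code): a toy secure model, the ACflaw
mutation operator, and a bounded search for an abstract attack trace."""
from collections import deque
from fnmatch import fnmatch

# Constructed sample data: which staff each manager may see.
STAFF = {"tom": ["alice"], "jerry": ["bob"]}
SERVER = "webServer"


def isAuthorizedToView(user, target):
    """Access-control guard of the secure model (name matches isAuthorizedTo*)."""
    return target == user or target in STAFF.get(user, [])


SECURE_MODEL = {"guards": {"isAuthorizedToView": isAuthorizedToView}}


def inject_ac_flaw(model, pattern):
    """Mutation operator: every guard whose name matches `pattern`
    (e.g. 'isAuthorizedTo*') is replaced by an always-true check."""
    mutant = {"guards": dict(model["guards"])}
    for name in list(mutant["guards"]):
        if fnmatch(name, pattern):
            mutant["guards"][name] = lambda user, target: True
    return mutant


def server_step(model, session, msg):
    """Server rules: return (new session, reply) or None if no rule fires."""
    if msg[0] == "login" and msg[2] == ("password", msg[1], SERVER):
        return msg[1], ("listStaffOf", msg[1])
    if msg[0] == "viewProfileOf" and session is not None:
        if model["guards"]["isAuthorizedToView"](session, msg[1]):
            return session, ("profileOf", msg[1])
    return None


def intruder_messages(knowledge):
    """Messages the intruder can compose from what it knows (Dolev-Yao style:
    any known agent name or password term may fill any message slot)."""
    agents = [k for k in knowledge if isinstance(k, str)]
    pws = [k for k in knowledge if isinstance(k, tuple) and k[0] == "password"]
    yield from (("login", a, p) for a in agents for p in pws)
    yield from (("viewProfileOf", a) for a in agents)


def find_attack(model, initial_knowledge, secret, bound=4):
    """Breadth-first search over (session, knowledge) states; returns the
    shortest trace that puts `secret` into intruder knowledge, else None."""
    start = (None, frozenset(initial_knowledge))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        (session, knowledge), trace = queue.popleft()
        if secret in knowledge:
            return trace
        if len(trace) == bound:
            continue
        for msg in intruder_messages(knowledge):
            result = server_step(model, session, msg)
            if result is None:
                continue
            new_session, reply = result
            state = (new_session, knowledge | {reply})
            if state not in seen:
                seen.add(state)
                queue.append((state, trace + [(msg, reply)]))
    return None


def term(t):
    """Render a message term as name(arg,...)."""
    return t if isinstance(t, str) else "%s(%s)" % (t[0], ",".join(term(x) for x in t[1:]))


def format_aat(trace, intruder="tom"):
    """Print a trace in the slide's notation (without channel annotations)."""
    lines = []
    for sent, reply in trace:
        lines.append("<%s> -> %s : %s" % (intruder, SERVER, term(sent)))
        lines.append("%s -> <%s> : %s" % (SERVER, intruder, term(reply)))
    return lines


# The intruder plays tom: it knows the agent names and only tom's password.
TOM_KNOWS = {"tom", "jerry", "alice", ("password", "tom", SERVER)}
SECRET = ("profileOf", "jerry")   # secrecy goal: the intruder never learns this

if __name__ == "__main__":
    print("secure model:", find_attack(SECURE_MODEL, TOM_KNOWS, SECRET))
    mutant = inject_ac_flaw(SECURE_MODEL, "isAuthorizedTo*")
    print("\n".join(format_aat(find_attack(mutant, TOM_KNOWS, SECRET))))
```

On the secure model the search exhausts the bounded state space without the intruder ever holding profileOf(jerry); on the mutant it returns the two-step trace of slide 13 (login as tom, then viewProfileOf(jerry)). A real backend explores a far richer intruder model and unbounded agent instances; the point here is only that the attack trace falls out of the injected flaw plus the secrecy goal, not out of any knowledge about the implementation.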

  14. Transform AAT to WAAL • Configuration information • How are abstract messages translated into actions? How is a viewProfileOf message generated in the browser?

  15. Transform AAT to WAAL • How are abstract messages translated into actions?

  16. Transform AAT to WAAL • Translate WAAL actions to Java source code • Embed them into a test execution engine skeleton

  17. Execution • Execute the test case • Recovery actions might be needed

  18. Example of a Recovery Action

  19. Verdict
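Slides 14 to 19 describe the other half of the workflow: each abstract message becomes a generating or verifying action, the actions are embedded in a test execution engine, a failing step may need a recovery action, and the run ends with a verdict. The following is an added example of that loop, not SPaCiTE's Java engine and not WAAL: the abstract trace of slide 13 is bound to plain Python functions against a constructed stub application that carries the injected flaw and uses deliberately short-lived sessions, so that one step fails and has to be recovered (re-login). The stub, the step format, the verdict strings and all names are assumptions made here.

```python
"""Added example (not SPaCiTE code): the four steps of the abstract attack
trace executed against a stub web application, with a recovery action and
a verdict. The stub, the step format and all names are assumptions."""


class StubWebApp:
    """Constructed system under test: carries the injected flaw (no
    authorization check in view_profile) and has one-request sessions,
    so the test needs a recovery action half-way through the trace."""

    def __init__(self):
        self.passwords = {"tom": "pw_tom", "jerry": "pw_jerry"}
        self.staff = {"tom": ["alice"], "jerry": ["bob"]}
        self.sessions = {}  # session id -> [user, requests left]

    def login(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        sid = "sess-%d" % (len(self.sessions) + 1)
        self.sessions[sid] = [user, 1]
        return sid

    def _use(self, sid):
        entry = self.sessions.get(sid)
        if entry is None or entry[1] == 0:
            raise PermissionError("session expired")
        entry[1] -= 1
        return entry[0]

    def list_staff(self, sid):
        user = self._use(sid)
        return {"listStaffOf": user, "staff": self.staff[user]}

    def view_profile(self, sid, target):
        self._use(sid)  # flaw: the caller's authorization is never checked
        return {"profileOf": target}


class FixedWebApp(StubWebApp):
    """Same application with the access-control check restored."""

    def view_profile(self, sid, target):
        user = self._use(sid)
        if target != user and target not in self.staff.get(user, []):
            raise PermissionError("not authorized")
        return {"profileOf": target}


# Concrete actions for the abstract messages: generating actions send
# something, verifying actions check what came back. ctx is shared state.
def gen_login(app, ctx):
    ctx["sid"] = app.login("tom", "pw_tom")
    return True

def verify_staff_list(app, ctx):
    return app.list_staff(ctx["sid"])["listStaffOf"] == "tom"

def gen_view_profile(app, ctx):
    ctx["last"] = app.view_profile(ctx["sid"], "jerry")
    return True

def verify_profile(app, ctx):
    return ctx["last"].get("profileOf") == "jerry"

AAT_STEPS = [
    ("<tom> -> webServer : login(tom,password(tom,webServer))", gen_login),
    ("webServer -> <tom> : listStaffOf(tom)", verify_staff_list),
    ("<tom> -> webServer : viewProfileOf(jerry)", gen_view_profile),
    ("webServer -> <tom> : profileOf(jerry)", verify_profile),
]

def relogin_tom(app, ctx):
    """Recovery action: re-establish tom's session (assumed side-effect free)."""
    ctx["sid"] = app.login("tom", "pw_tom")


def execute(app, steps, recovery):
    """Run the steps in order; a failing step is retried once after recovery.
    Returns (verdict, log). The verdict strings are this example's own."""
    ctx, log = {}, []
    for abstract, action in steps:
        try:
            ok = action(app, ctx)
        except PermissionError as err:
            log.append("%s failed (%s); running recovery" % (abstract, err))
            recovery(app, ctx)
            try:
                ok = action(app, ctx)
            except PermissionError as err:
                log.append("%s failed again (%s)" % (abstract, err))
                ok = False
        if not ok:
            return "NOT REPRODUCED at: " + abstract, log
    return "VULNERABLE: attack trace reproduced", log


if __name__ == "__main__":
    for app in (StubWebApp(), FixedWebApp()):
        print(type(app).__name__, *execute(app, AAT_STEPS, relogin_tom))
```

Against the flawed stub the third step first fails with an expired session, the recovery action logs tom in again, the retry succeeds and the final verifying action observes profileOf(jerry), so the trace is reproduced. Against the fixed variant the same step still fails after recovery, this time with "not authorized", and the verdict records at which abstract message the reproduction stopped. Note that the recovery action here really is side-effect free (a fresh session changes nothing the trace depends on); slide 23 lists this as an assumption, and a recovery that, say, resets test data would invalidate earlier verifying steps.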

  20. Conclusion • Semi-automatic security testing of web applications • Automatic at browser level • May request help from a test expert at HTTP level • Interesting abstract attack traces were generated by injecting relevant source-code-level faults into the model • Relevant fault = known vulnerability that has been exploited to violate a security goal in the secure model • We were able to reproduce all 4 Abstract Attack Traces coming from 2 RBAC and 2 XSS models

  21. Future Work • Target different vulnerabilities and security goals • Address side effects during recovery actions • Extend the tool when global observation is not possible • Integration work as part of SPaCiOS EU project www.spacios.eu * Demo on request, or visit: http://zvi.ipd.kit.edu/26_500.php

  22. Model-Based Flaw Injection Library • Mutation operators represent vulnerabilities at model level • Each one combines a security property and a vulnerability

  23. Assumptions and Limitations
      • Secure model must exist
        → If not, try to make use of model inference
      • Each abstract message must be mappable to WAAL actions
        • that means every abstract message must be expressed in terms of generating and/or verifying actions at browser level
        • that doesn't imply that the action must be performed in the browser → see Recovery Actions
        → If not, WAAL actions can be bypassed and the abstract message is directly mapped to protocol-level messages (no guidance by SPaCiTE)
      • The model checker used assumes the Dolev-Yao model for the intruder behavior
        • Intruder is the network (every component must be wrapped by a proxy to have the global observation property)
      • No side effects during recovery actions
      • Deterministic system
