
Research On Security Testing Approach Of Web Application

Posted on: 2011-12-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J N Du
Full Text: PDF
GTID: 1118360305992175
Subject: Computer software and theory

Abstract/Summary:
With the widespread use of the Internet, e-commerce and e-government systems, the number of attacks against web applications is growing fast, which has led to increasing concern about web application security among researchers. Compared with common applications, web applications are more insecure because of two facts: their untrusted runtime environment and their open runtime state. A web application is composed of a server part and a client part. The client part runs in the browser on the user's computer, where its environment is easy for a malicious attacker to perturb and forge. Besides environmental perturbation, the web application's internal state is also prone to attack. First, the server part of the web application must transfer its internal state information to the client part because the HTTP protocol is stateless, so a malicious user can view the internal state information and modify it. Second, the source code of the client part is visible in the browser and easy to forge. Last, the execution of a web application is composed of many requests for web pages; a malicious attacker can change the sequence of these requests or skip some execution steps by jumping to a later part of the execution sequence, thus causing security violations. Currently, research on web system security focuses on the vulnerabilities of operating systems, databases and web server software, or on intrusion tolerance technology, rather than on the security of the web application itself. Many studies of web application security focus only on some particular vulnerability. To the best of our knowledge, there is no comprehensive study of web application security testing. The study and classification of security vulnerabilities is an important basis for research on web application security testing technology: it helps to build an effective test model and to design good test cases.

This paper proposes a taxonomy model based on the Analytic Hierarchy Process (AHP) for classifying security flaws of web applications, and defines the kinds of vulnerabilities classified by the taxonomy model. The taxonomy model is then applied to classify 87 security flaws from the OWASP security flaw database, and the classification results are compared with those obtained using the EAI model. The experimental result reveals that the taxonomy model is effective.

Fault injection is an effective method for software security testing: it injects faults into the application's environment to observe how the application responds and whether a security violation occurs. With environment fault injection it is easy to define a common procedure for producing appropriate test cases, which makes it suitable for security testing of web applications. However, when used to test web applications, environment fault injection has a weakness: it considers only perturbation from the web application's environment and ignores internal state disturbances, which also play an important role in the security of web applications. To overcome this weakness, this paper proposes a test model named the EAS fault model, provides a vulnerability determination rule base, and designs error constructor operators. A web application named PEGames is then tested using the EAS model; the experiment reveals that the fault coverage of the EAS model is high.

When testing a web application for security, testers have to select a test case set of appropriate size because of limits on time and money. In order to quantify the evaluation of the adequacy of the selected test set, this paper proposes a test effect evaluation model based on the Analytic Hierarchy Process and defines a test effect evaluation function. An experiment was conducted in which the evaluation model was used to evaluate the vulnerability test effect of a BBS application named IPB. The experimental result reveals that the evaluation value calculated by the evaluation function is positively correlated with the number of vulnerabilities found in the real test. It proves that the evaluation method proposed in this paper is practical and reliable.
Keywords/Search Tags: web application, vulnerability classification, fault injection, fault model, security test, Analytic Hierarchy Process, Test Adequacy