
A Web Application Vulnerability Discovery Method Using Template Combination to Dynamically Generate Test Cases (cited by: 4)

Using templates combination to generate testing vectors dynamically in detecting Web applications vulnerabilities
Abstract: To enrich the test data sets needed for Web application vulnerability testing, this paper proposes a new method for generating fuzz test cases that remedies a limitation of existing Web application vulnerability testing techniques and tools: they rely on fixed test cases and cannot generate or extend them dynamically. The proposed method generates test cases dynamically by combining templates. Typical test cases are classified to build separate template libraries, and large numbers of test cases are then generated dynamically from the template-library rules together with random variation. This greatly enriches the variety of test cases, raises the Web application vulnerability detection rate, and makes fuzz testing of Web applications feasible. Experimental results show that a vulnerability testing tool using test cases generated by this method found more Web application vulnerabilities than comparable tools. The experiments demonstrate that the method is effective and feasible.
Abstract (authors' English version): This paper proposes a new approach to generating fuzzing test vectors, which greatly expands the testing dataset and makes up for the deficiency that test vectors are fixed and non-extendable in existing methods and tools for detecting Web application vulnerabilities. The new approach creates templates by classifying existing test vectors and combines those templates, under constraints and with random variation, to dynamically generate a large number of varied vectors. These varied vectors improve the Web application vulnerability detection rate and make fuzz testing of Web applications possible. The experimental results show that a vulnerability testing tool using test vectors generated by the new method finds more Web application vulnerabilities than comparable testing tools. The experiment demonstrates the validity of the method.
Source: Application Research of Computers (《计算机应用研究》), CSCD, Peking University core journal, 2015, No. 10, pp. 3004-3008, 3040 (6 pages)
Funding: National "973" Program project (2013CB329605)
Keywords: test cases; Web application vulnerabilities; templates; combination; vulnerability detection rate; testing vectors; Web applications vulnerabilities; templates combination; vulnerabilities detection rate