TU Darmstadt / ULB / TUbiblio

Supporting Security Testers in Discovering Injection Flaws

Türpe, Sven ; Poller, Andreas ; Trukenmüller, Jan ; Repp, Jürgen ; Bornmann, Christian (2008)
Supporting Security Testers in Discovering Injection Flaws.
doi: 10.1109/TAIC-PART.2008.7
Conference publication, Bibliography

Abstract

We present a platform for software security testing primarily designed to support human testers in discovering injection flaws in distributed systems. Injection is an important class of security faults, caused by unsafe concatenation of input into strings interpreted by other components of the system. Examples include two of the most common security issues in Web applications, SQL injection and cross site scripting. This paper briefly discusses the fault model, derives a testing strategy that should discover a large subset of the injection flaws present, and describes a platform that helps security testers to discover injection flaws through dynamic grey-box testing. Our platform combines the respective strengths of machines and humans, automating what is easily automated while leaving to the tester the artistic portion of security testing. Although designed with a specific fault model in mind, our platform may be useful in a wide range of security testing tasks.

Item type: Conference publication
Published: 2008
Author(s): Türpe, Sven ; Poller, Andreas ; Trukenmüller, Jan ; Repp, Jürgen ; Bornmann, Christian
Entry type: Bibliography
Title: Supporting Security Testers in Discovering Injection Flaws
Language: English
Year of publication: August 2008
Book title: Proc. TAIC-PART 2008
DOI: 10.1109/TAIC-PART.2008.7
Free keywords: Secure Services; security testing; tool; vulnerability; SQL injection; cross site scripting; software testing
ID number: TUD-CS-2008-1122
Department(s)/Field(s): LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
Date deposited: 30 Dec 2016 20:23
Last modified: 17 May 2018 13:02