Worst-input mutation approach to web services vulnerability testing based on SOAP messages

Jinfu Chen; Huanhuan Wang; Dave Towey; Chengying Mao; Rubing Huang; Yongzhao Zhan

doi:10.1109/TST.2014.6919819

Worst-input mutation approach to web services vulnerability testing based on SOAP messages

Jinfu Chen, Huanhuan Wang, Dave Towey, Chengying Mao, Rubing Huang, Yongzhao Zhan

School of Computer Science

Research output: Journal Publication › Article › peer-review

16 Citations (Scopus)

44 Downloads (Pure)

Abstract

The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, namely, the Test Case generation based on the Farthest Neighbor (TCFN), is also presented. The method involves partitioning the input domain into sub-domains according to the number and type of SOAP message parameters in the TCFN, selecting the candidate test case whose distance is the farthest from all executed test cases, and applying it to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches.

Original language	English
Pages (from-to)	429-441
Number of pages	13
Journal	Tsinghua Science and Technology
Volume	19
Issue number	5
DOIs	https://doi.org/10.1109/TST.2014.6919819
Publication status	Published - 1 Oct 2014

Keywords

SOAP message
Web service vulnerability
mutation operator
security testing
test case generation

ASJC Scopus subject areas

General

Access to Document

10.1109/TST.2014.6919819

Web services testing paper(2014.04.01.Final revision)Accepted author manuscript, 409 KB

Cite this

@article{e7f4220515d6467e81ccc5e6a313c95f,

title = "Worst-input mutation approach to web services vulnerability testing based on SOAP messages",

abstract = "The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, namely, the Test Case generation based on the Farthest Neighbor (TCFN), is also presented. The method involves partitioning the input domain into sub-domains according to the number and type of SOAP message parameters in the TCFN, selecting the candidate test case whose distance is the farthest from all executed test cases, and applying it to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches.",

keywords = "SOAP message, Web service vulnerability, mutation operator, security testing, test case generation",

author = "Jinfu Chen and Huanhuan Wang and Dave Towey and Chengying Mao and Rubing Huang and Yongzhao Zhan",

note = "Publisher Copyright: {\textcopyright} 2014 Tsinghua University Press.",

year = "2014",

month = oct,

day = "1",

doi = "10.1109/TST.2014.6919819",

language = "English",

volume = "19",

pages = "429--441",

journal = "Tsinghua Science and Technology",

issn = "1007-0214",

publisher = "Tsinghua University",

number = "5",

}

TY - JOUR

T1 - Worst-input mutation approach to web services vulnerability testing based on SOAP messages

AU - Chen, Jinfu

AU - Wang, Huanhuan

AU - Towey, Dave

AU - Mao, Chengying

AU - Huang, Rubing

AU - Zhan, Yongzhao

PY - 2014/10/1

Y1 - 2014/10/1

N2 - The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, namely, the Test Case generation based on the Farthest Neighbor (TCFN), is also presented. The method involves partitioning the input domain into sub-domains according to the number and type of SOAP message parameters in the TCFN, selecting the candidate test case whose distance is the farthest from all executed test cases, and applying it to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches.

AB - The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, namely, the Test Case generation based on the Farthest Neighbor (TCFN), is also presented. The method involves partitioning the input domain into sub-domains according to the number and type of SOAP message parameters in the TCFN, selecting the candidate test case whose distance is the farthest from all executed test cases, and applying it to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches.

KW - SOAP message

KW - Web service vulnerability

KW - mutation operator

KW - security testing

KW - test case generation

UR - http://www.scopus.com/inward/record.url?scp=84920989701&partnerID=8YFLogxK

U2 - 10.1109/TST.2014.6919819

DO - 10.1109/TST.2014.6919819

M3 - Article

AN - SCOPUS:84920989701

SN - 1007-0214

VL - 19

SP - 429

EP - 441

JO - Tsinghua Science and Technology

JF - Tsinghua Science and Technology

IS - 5

ER -

Worst-input mutation approach to web services vulnerability testing based on SOAP messages

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this