Worst-input mutation approach to web services vulnerability testing based on SOAP messages

Jinfu Chen, Huanhuan Wang, Dave Towey, Chengying Mao, Rubing Huang, Yongzhao Zhan

Research output: Journal PublicationArticlepeer-review

16 Citations (Scopus)
43 Downloads (Pure)

Abstract

The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, namely, the Test Case generation based on the Farthest Neighbor (TCFN), is also presented. The method involves partitioning the input domain into sub-domains according to the number and type of SOAP message parameters in the TCFN, selecting the candidate test case whose distance is the farthest from all executed test cases, and applying it to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches.

Original languageEnglish
Pages (from-to)429-441
Number of pages13
JournalTsinghua Science and Technology
Volume19
Issue number5
DOIs
Publication statusPublished - 1 Oct 2014

Keywords

  • SOAP message
  • Web service vulnerability
  • mutation operator
  • security testing
  • test case generation

ASJC Scopus subject areas

  • General

Fingerprint

Dive into the research topics of 'Worst-input mutation approach to web services vulnerability testing based on SOAP messages'. Together they form a unique fingerprint.

Cite this