Abstract
Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of these mechanisms depends strongly on the quality of the sanitization and validation rule sets (e.g., regular expressions); therefore, security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in front-end web applications. JCOMIX implements various search algorithms, including random search (traditional fuzzing), genetic algorithms (GAs), and the more recent co-operative, co-evolutionary algorithm designed explicitly for XMLi testing (COMIX). We also report the results of an empirical study demonstrating the effectiveness of JCOMIX in testing an open-source front-end web application.
Original language | English |
---|---|
Title of host publication | The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering |
Subtitle of host publication | Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering |
Editors | Sven Apel, Marlon Dumas, Alessandra Russo, Dietmar Pfahl |
Place of Publication | New York |
Publisher | Association for Computing Machinery (ACM) |
Pages | 1090-1094 |
Number of pages | 5 |
ISBN (Electronic) | 978-1-4503-5572-8 |
DOIs | |
Publication status | Published - 2019 |
Event | 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019 - Tallinn, Estonia, 26 Aug 2019 → 30 Aug 2019 |
Conference
Conference | 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019 |
---|---|
Country/Territory | Estonia |
City | Tallinn |
Period | 26/08/19 → 30/08/19 |
Keywords
- Search-based Software Engineering
- Security Testing
- Test Case Generation
- XML injection