Metamorphic Testing for Web System Security

Security testing aims at verifying that the software meets its security properties. In modern Web systems, however, this often entails verification of outputs generated when exercising system with a very large set inputs. Full automation is thus required to lower costs and increase effectiveness testing. Unfortunately, achieve such automation, in addition strategies for automatically deriving test inputs, we need address oracle problem, which refers challenge, given an input system, distinguishing correct from incorrect behavior (e.g., response be received after specific HTTP GET request). paper, propose Metamorphic Testing Web-interactions ( MST-wi ), metamorphic approach integrates generation inspired by mutational fuzzing alleviates problem It enables engineers specify relations (MRs) capture many properties systems. To facilitate specification MRs, provide domain-specific language accompanied Eclipse editor. collects data transforms MRs into executable Java code perform tests systems detect vulnerabilities based on collected data. We catalog 76 system-agnostic automate covers 39% OWASP activities not automated state-of-the-art techniques; further, our can discover 102 different types vulnerabilities, correspond 45% due violations design principles according MITRE CWE database. also define guidelines enable improve testability under respect approach. evaluated scalability two well-known (i.e., Jenkins Joomla). detected 85% their showed high specificity (99.81% inputs do lead false positive); findings include new vulnerability Jenkins. Finally, results demonstrate scale, enabling overnight.