Model-Based Vulnerability Testing for Web Applications
Presented by: K. Archana (100101CSR027)
Branch: CSE
Head of Department: Mr. Monoj Kar
Contents
O Introduction
O MBVT
O MBVT Approach
O DVWA Example with MBVT Approach
O Advantages
O Disadvantages
O References
Introduction
O Web applications have become the main means of modern information interaction, which drives a growing demand for Web applications.
O At the same time, Web application vulnerabilities are increasing drastically.
O Security testing is one of the most important software security practices used to mitigate this growing number of vulnerabilities.
Continue…
O Model-Based Vulnerability Testing (MBVT) is one such security testing approach.
MBVT
O Model-Based Vulnerability Testing (MBVT) for Web applications aims at improving the accuracy and precision of vulnerability testing.
O Accuracy: the capability to focus on the relevant part of the software.
O Precision: the capability to avoid both false positives and false negatives.
O MBVT adapts the traditional Model-Based Testing (MBT) approach in order to generate vulnerability test cases for Web applications.
MBVT Approach
DVWA Example using the MBVT Approach
O DVWA: Damn Vulnerable Web Application.
O DVWA is an open-source Web application test bed based on PHP/MySQL.
O DVWA embeds several vulnerabilities (such as SQL Injection and Blind SQL Injection, and Reflected and Stored XSS).
O In this example we focus on Reflected XSS (RXSS) vulnerabilities through form fields.
O RXSS is one of the major breaches because it is widely exploited and its exploitation leads to severe risks.
O We apply the four activities of the MBVT approach to DVWA.
1. Formalizing Vulnerability Test Patterns into Test Purposes
O Vulnerability Test Patterns (vTP) are the initial artefacts of the approach.
O A vTP expresses the testing needs and procedures that allow the identification of a particular breach in a Web application.
A vTP of Reflected XSS
O A test purpose is a high-level expression that formalizes a test intention linked to a testing objective.
O Test purposes are proposed as a means to drive automated test generation.
O The Smartesting Test Purpose Language is a textual language based on regular expressions, allowing the formalization of a vulnerability test intention in terms of states to be reached and operations to be called.
Test purpose formalizing the vTP on DVWA
2. Modeling:
O The modeling activity produces a model based on the functional specifications of the application and on the test purposes.
Class diagram of the SUT structure, for our MBVT approach
3. Test Generation:
O The main purpose of the test generation activity is to produce test cases from both the model and the test purposes.
O This activity consists of three phases.
O The first phase transforms the model and the test purposes into elements usable by the Smartesting CertifyIt MBT tool.
O The second phase produces the abstract test cases from the test targets.
O The third phase exports the abstract test cases into the execution environment.
Generated abstract test case example
4. Adaptation and test execution:
a. Adaptation:
O During the modeling activity, all data used by the application is modeled in an abstract way.
O Hence, the test suite cannot be executed as it is.
O The generated abstract test cases are therefore translated into executable scripts.
b. Test Execution:
O The adapted test cases are executed in order to produce a verdict.
O A new terminology, fitting the characteristics of a vulnerability test execution, replaces the usual pass/fail:
Attack-pass: the attack succeeded, so the vulnerability is present.
Attack-fail: the attack did not succeed on the system under test.
Inconclusive: the test could not reach the point where the attack is checked (e.g. a precondition such as login was not met).
O The model defines four malicious data values dedicated to Reflected XSS attacks.
O These values are defined in an abstract way and must be adapted.
O Each of them is mapped to a concrete value, as shown in the figure:
Mapping between abstract and concrete values
Advantages
O MBVT can address both technical and logical vulnerabilities.
Disadvantages
O Effort is needed to design the models, the test patterns and the adapter.
References
O www.infoq.com/articles/defending-against-web-application-vulnerabilities
O G. Erdogan, 2009, ntnu.diva-portal.org
O http://narainko.wordpress.com/2012/08/26/understanding-false-positive-and-false-negative
O http://istina.msu.ru/media/publications/articles/5db/2e2/2755271/OWASP-AppSecEU08-Petukhov.pdf
O http://www.spacios.eu/sectest2013/pdfs/sectest2013_submission_8.pdf
Thank
You