Semi-Automatic Security Testing of Web Applications from a Secure Model
Web applications are a major target of attackers. The increasing complexity of such applications and the subtlety of today's attacks make it very hard for developers to manually secure their web applications. Penetration testing is considered an art; the success of a penetration tester in detecting vulnerabilities hence depends mainly on his skills. Recently, model-checkers dedicated to security analysis have proved their ability to identify complex attacks on web-based security protocols. However, bridging the gap between an abstract attack trace output by a model-checker and a penetration test on the real web application is still an open issue. We present here a methodology for (semi-)automatic testing of web applications starting from a secure model. First, we mutate the model to introduce specific vulnerabilities present in web applications. Then, a model-checker outputs attack traces that exploit those vulnerabilities. Next, the attack traces are translated into concrete test cases by using a 2-step mapping. Finally, the tests are executed on the real system using an automatic procedure that may request the help of a test expert from time to time. A prototype has been implemented and evaluated on WebGoat, an insecure web application maintained by OWASP.
The following video shows how the prototype works for bypassing a Role-Based Access Control (RBAC) system in a WebGoat lesson.
This lesson implements a simple web application that handles user profiles. After a user is logged in, the server returns a list of the user profiles he is (or should be) authorized to see. To view a profile, the user selects it from the provided list and clicks on the 'viewProfile' button.
First of all, the video shows a normal use of the web application. Then, starting from a secure model (i.e., one for which the model-checker does not report any attack), a mutation operator is applied to this model in order to inject a missing-authorization-check vulnerability. Next, the model-checker generates a potential abstract attack trace. Finally, this abstract attack is instantiated (in two steps, using the Web Application Abstract Language (WAAL) as an intermediate language) and is executed on the real system. The execution part also shows how the recovery actions of the Test Execution Engine (TEE) handle missing information or discrepancies between the model and the web application at run-time.
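The scenario above, reduced to code as an added illustration (this is not the paper's prototype, WAAL or TEE, and the profile data, user names and trace format are constructed assumptions): a minimal profile service is shown once with the server-side authorization check and once after the missing-authorization-check mutation, and a small test runner replays an abstract attack trace (log in, then request a profile id that was not in the offered list) against either variant and reports whether the bypass is detected.

```python
"""
Constructed illustration, not the paper's prototype: a minimal profile service
with and without the authorization check that the mutation operator removes,
plus a test runner that replays an abstract attack trace against either
variant and reports whether the access-control bypass is detected.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: employees may see their own profile, the manager
# may additionally see the profiles of her reports.
PROFILES: Dict[int, Dict[str, str]] = {
    101: {"name": "alice", "role": "employee"},
    102: {"name": "bob", "role": "employee"},
    103: {"name": "carol", "role": "manager"},
}
# Authorization policy: which profile ids each user may view (constructed).
AUTHORIZED: Dict[str, set] = {
    "alice": {101},
    "bob": {102},
    "carol": {101, 102, 103},
}


@dataclass
class Session:
    user: Optional[str] = None


def login(session: Session, user: str) -> List[int]:
    """Log the user in and return the profile ids the page offers to him."""
    if user not in AUTHORIZED:
        raise PermissionError("unknown user")
    session.user = user
    return sorted(AUTHORIZED[user])


def view_profile_secure(session: Session, profile_id: int) -> Optional[dict]:
    """Secure handler: the list shown to the browser is not trusted; the server
    re-checks the requested id against the session's own authorizations."""
    if session.user is None:
        raise PermissionError("not logged in")
    if profile_id not in AUTHORIZED[session.user]:
        return None  # refused: this id is not authorized for the session user
    return PROFILES.get(profile_id)


def view_profile_mutated(session: Session, profile_id: int) -> Optional[dict]:
    """Same handler after the missing-authorization-check mutation: only the
    login state is verified, so whatever id arrives in the request is served."""
    if session.user is None:
        raise PermissionError("not logged in")
    return PROFILES.get(profile_id)


# Abstract attack trace in the shape a model-checker might output, written as
# (action, argument) steps. Constructed to mirror the video's scenario.
ATTACK_TRACE: List[Tuple[str, object]] = [
    ("login", "bob"),
    ("viewProfile", 101),  # a profile id that is NOT in bob's offered list
]


def execute_trace(handler, trace) -> dict:
    """Concrete test execution: replay the trace against the given handler.
    'vulnerable' is True when a profile outside the offered list was served."""
    session = Session()
    offered: List[int] = []
    served = None
    for action, arg in trace:
        if action == "login":
            offered = login(session, arg)
        elif action == "viewProfile":
            served = handler(session, arg)
        else:
            raise ValueError(f"unknown action in trace: {action}")
    requested = [arg for action, arg in trace if action == "viewProfile"]
    unauthorized = [pid for pid in requested if pid not in offered]
    return {
        "offered": offered,
        "served": served,
        "vulnerable": served is not None and bool(unauthorized),
    }


if __name__ == "__main__":
    print("secure model: ", execute_trace(view_profile_secure, ATTACK_TRACE))
    print("mutated model:", execute_trace(view_profile_mutated, ATTACK_TRACE))
```

Run against the secure handler the trace yields `served: None, vulnerable: False`, i.e. the test passes as a negative result; against the mutated handler it yields alice's profile and `vulnerable: True`, which is the verdict the test execution should report back. The point the example makes is that the offered list is only a presentation aid; the check that matters is the one the server performs on every `viewProfile` request.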