In this project, we seek to develop new security testing concepts for web technologies in general, suitable for black-box testing as well as integration into development workflows. XSS is only one form of injection; we want to explore a variety of other possibilities such as Content Injection on the client side (which has very different requirements regarding its output context; it also allows us to examine new delivery methods like HTTP Header Injection) and SQL injections on the server side. Both lend themselves to be the focus of research due to their popularity, high impact and oftentimes slow adaption and low quality of countermeasures. We will further advance the underlying methodology by improving both the generation/selection of attack vectors (test cases) and the localization of sanitization bugs. Ultimately, we plan to create a prototype combinatorial security testing framework for web technologies to validate our approach.
|Effective start/end date||1/07/17 → 30/06/20|