Ontology-driven Security Testing of Web Applications

Josip Bozic*, Yihao Li, Franz Wotawa

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

Vulnerabilities in existing software systems represent
a great challenge for security assurance, where well-known
attacks like cross-site scripting (XSS) or SQL injection (SQLI)
still represent a common threat to today's web applications. Failure
to cover these issues in verification might result in unforeseen
consequences for users of such software systems. For this reason,
we have to come up with a rigorous testing approach that combines
knowledge about common attacks with knowledge about the
system under test (SUT). Ontologies, a concept originating
from philosophy and also studied in AI research, provide
means for formalizing such knowledge, from which we want to
obtain test cases in an automated fashion. In this paper, we follow
this idea and present a security testing approach that relies on
ontologies of attacks and of the system under test. In particular,
the ontology used captures information from the domain of web
applications as well as their communication protocol. Such a
model represents an attack ontology that serves as the
initial step in a test generation process; in turn, the inferred
output is used to test a SUT for vulnerabilities. The test
case generation process converts ontologies into input models for
combinatorial testing (CT), from which we obtain abstract test
cases that can be automatically mapped to concrete ones. Besides
outlining the foundations behind this approach, we also show its
applicability in case studies from the domain of web
applications.
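The pipeline the abstract sketches (attack ontology, CT input model, abstract pairwise test cases, concrete HTTP requests, verdict) as an added illustrative example in Python. This is not the authors' implementation, ontology or tooling: the triple vocabulary (isA, hasPayload, hasMethod, hasParameter, hasEndpoint), the toy SUT (/search with parameters q and user), the encoding dimension, the greedy pairwise strategy and the oracle signatures are all assumptions made for this example.

```python
"""Toy version of the pipeline sketched above: attack ontology ->
combinatorial-testing (CT) input model -> abstract pairwise test cases
-> concrete HTTP requests -> verdict. Illustrative only, not the paper's code."""
import itertools
from urllib.parse import quote

# Constructed toy ontology as (subject, predicate, object) triples.
# The vocabulary (isA, hasPayload, hasMethod, hasParameter, hasEndpoint) is an
# assumption for this example, not the vocabulary of the paper's ontology.
ONTOLOGY = [
    ("XSS", "isA", "Attack"),
    ("SQLI", "isA", "Attack"),
    ("XSS", "hasPayload", "<script>alert(1)</script>"),
    ("XSS", "hasPayload", "\"><img src=x onerror=alert(1)>"),
    ("SQLI", "hasPayload", "' OR '1'='1"),
    ("SQLI", "hasPayload", "1; DROP TABLE users--"),
    ("HTTPRequest", "hasMethod", "GET"),
    ("HTTPRequest", "hasMethod", "POST"),
    ("SUT", "hasEndpoint", "/search"),
    ("SUT", "hasParameter", "q"),
    ("SUT", "hasParameter", "user"),
]

def objects(triples, subject, predicate):
    """All objects o for which (subject, predicate, o) is in the ontology."""
    return [o for s, p, o in triples if s == subject and p == predicate]

def input_model(triples):
    """Derive the CT input model (parameter -> value domain) from the ontology.
    Attack type and payload are fused into one parameter so that CT never
    pairs an XSS payload with the SQLI attack class (an invalid combination)."""
    attacks = [s for s, p, o in triples if p == "isA" and o == "Attack"]
    return {
        "payload": [(a, pl) for a in attacks for pl in objects(triples, a, "hasPayload")],
        "method": objects(triples, "HTTPRequest", "hasMethod"),
        "parameter": objects(triples, "SUT", "hasParameter"),
        # Encoding variants model a typical filter-bypass dimension (assumption).
        "encoding": ["url", "double-url"],
    }

def all_pairs(model):
    """Every (param, value, param, value) pair the 2-way model must cover."""
    names = list(model)
    return {(a, va, b, vb) for a, b in itertools.combinations(names, 2)
            for va in model[a] for vb in model[b]}

def uncovered_pairs(model, tests):
    """Pairs of the model not hit by any test case in `tests`."""
    return {(a, va, b, vb) for (a, va, b, vb) in all_pairs(model)
            if not any(t[a] == va and t[b] == vb for t in tests)}

def pairwise(model):
    """Greedy pairwise (2-way) generation: repeatedly pick the full combination
    that covers the most still-uncovered pairs. Exhaustive scoring is fine at
    this size; real CT tools use IPO-style algorithms instead."""
    names = list(model)
    uncovered = all_pairs(model)
    tests = []
    while uncovered:
        best, best_gain = None, -1
        for combo in itertools.product(*(model[n] for n in names)):
            case = dict(zip(names, combo))
            gain = sum(1 for a, va, b, vb in uncovered if case[a] == va and case[b] == vb)
            if gain > best_gain:
                best, best_gain = case, gain
        tests.append(best)
        uncovered = {p for p in uncovered if not (best[p[0]] == p[1] and best[p[2]] == p[3])}
    return tests

def concretize(case, triples=ONTOLOGY, host="sut.example"):
    """Map an abstract test case to a concrete HTTP/1.1 request (as text).
    Nothing is sent; a harness would write this to a socket and read the reply."""
    endpoint = objects(triples, "SUT", "hasEndpoint")[0]
    _, payload = case["payload"]
    value = quote(payload, safe="")
    if case["encoding"] == "double-url":
        value = quote(value, safe="")      # encode the percent signs again
    body = f"{case['parameter']}={value}"
    if case["method"] == "GET":
        return f"GET {endpoint}?{body} HTTP/1.1\r\nHost: {host}\r\n\r\n"
    return (f"POST {endpoint} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body.encode())}\r\n\r\n{body}")

def verdict(case, response_body):
    """Simple oracle (assumption): XSS is flagged if the payload is reflected
    unencoded; SQLI if a database error signature leaks into the response."""
    attack, payload = case["payload"]
    if attack == "XSS":
        return payload in response_body
    if attack == "SQLI":
        return any(sig in response_body for sig in
                   ("You have an error in your SQL syntax", "ORA-", "sqlite3.OperationalError"))
    return False

if __name__ == "__main__":
    model = input_model(ONTOLOGY)
    tests = pairwise(model)
    print(f"{len(tests)} pairwise tests instead of "
          f"{len(list(itertools.product(*model.values())))} exhaustive ones")
    for t in tests:
        print(concretize(t).splitlines()[0])
```

Fusing attack class and payload into one CT parameter is the simplest way to express the ontology's constraint "a payload belongs to exactly one attack" without a separate constraint solver; the pairwise set still has to contain at least as many cases as the largest domain times the next largest (here 4 x 2 = 8), which is far below the 32 exhaustive combinations.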
Original language: English
Title of host publication: Proceedings - 2020 IEEE International Conference on Artificial Intelligence Testing, AITest 2020
Publisher: IEEE Publications
Pages: 115-122
ISBN (Electronic): 978-1-7281-6984-2
DOIs: https://doi.org/10.1109/AITEST49225.2020.00024
Publication status: Published - Aug 2020
Event: 2020 IEEE International Conference on Artificial Intelligence Testing - Keble College, Oxford University, Virtual, United Kingdom
Duration: 3 Aug 2020 to 6 Aug 2020

Conference

Conference: 2020 IEEE International Conference on Artificial Intelligence Testing
Abbreviated title: AITest 2020
Country: United Kingdom
City: Virtual
Period: 3/08/20 to 6/08/20


Cite this

Bozic, J., Li, Y., & Wotawa, F. (2020). Ontology-driven Security Testing of Web Applications. In Proceedings - 2020 IEEE International Conference on Artificial Intelligence Testing, AITest 2020 (pp. 115-122). IEEE Publications. https://doi.org/10.1109/AITEST49225.2020.00024