Open Access

Worst-Input Mutation Approach to Web Services Vulnerability Testing Based on SOAP Messages

School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China.
School of Computer Science, The University of Nottingham Ningbo China, Ningbo 315100, China.
School of Software and Communication Engineering, Jiangxi University of Finance and Economics, Nanchang 330013, China.

Abstract

The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, Test Case generation based on the Farthest Neighbor (TCFN), is also presented. In TCFN, the input domain is partitioned into sub-domains according to the number and type of SOAP message parameters; the candidate test case whose distance from all executed test cases is the farthest is then selected and applied to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches.
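As an added illustration of the selection step the abstract describes (this is not the paper's code, and the paper's exact definitions are not on this page): candidates are built from an assumed list of worst-input values per SOAP parameter type, partitioned into sub-domains by parameter count and type, and then picked by a max-min distance rule. The worst-value lists, the numeric encoding of parameters and the scaled Euclidean distance are all assumptions made for this example.

```python
from itertools import product
from math import sqrt

# Constructed worst-input values per SOAP parameter type (assumed, not from the paper).
WORST_VALUES = {
    "int": [0, -1, 2**31 - 1, -(2**31)],
    "string": ["", "A" * 1024, "<&>"],
}

def generate_candidates(signature):
    """All worst-input combinations for one operation signature, e.g. ("int", "string").
    Each case is a tuple of (type, value) pairs, one per SOAP parameter."""
    return [tuple(zip(signature, vals))
            for vals in product(*(WORST_VALUES[t] for t in signature))]

def partition(candidates):
    """Sub-domains keyed by the number and type of SOAP message parameters."""
    subdomains = {}
    for case in candidates:
        subdomains.setdefault(tuple(t for t, _ in case), []).append(case)
    return subdomains

def encode(case):
    """Numeric view of a case (assumed encoding: ints as-is, strings by length)."""
    return [float(v) if t == "int" else float(len(v)) for t, v in case]

def scales(candidates):
    """Per-parameter value range, so a wide-ranged int does not dominate the distance."""
    cols = zip(*(encode(c) for c in candidates))
    return [max(col) - min(col) or 1.0 for col in cols]

def distance(a, b, scale):
    """Scaled Euclidean distance between two cases of the same sub-domain."""
    return sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(encode(a), encode(b), scale)))

def farthest_candidate(candidates, executed, scale):
    """Max-min rule: the candidate whose nearest executed case is farthest away
    (assumed reading of 'farthest from all executed test cases')."""
    return max(candidates, key=lambda c: min(distance(c, e, scale) for e in executed))

def tcfn_order(signature, budget):
    """Order in which the selection step would pick cases for one sub-domain."""
    candidates = generate_candidates(signature)
    scale = scales(candidates)
    executed, remaining = [candidates[0]], candidates[1:]   # seed with the first case
    while remaining and len(executed) < budget:
        pick = farthest_candidate(remaining, executed, scale)
        remaining.remove(pick)
        executed.append(pick)
    return executed
```

Each case returned by `tcfn_order` would be serialized into a SOAP request for the operation under test; the spread of the first picks (both integer extremes combined with the oversized string) is what the farthest-neighbor rule buys over plain random ordering.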

Tsinghua Science and Technology
Pages 429-441
Cite this article:
Chen J, Wang H, Towey D, et al. Worst-Input Mutation Approach to Web Services Vulnerability Testing Based on SOAP Messages. Tsinghua Science and Technology, 2014, 19(5): 429-441. https://doi.org/10.1109/TST.2014.6919819


Received: 01 April 2014
Revised: 14 July 2014
Accepted: 18 August 2014
Published: 13 October 2014
© The Author(s) 2014