AI Chat Paper
Note: Please note that the following content is generated by AMiner AI. SciOpen does not take any responsibility related to this content.
{{lang === 'zh_CN' ? '文章概述' : 'Summary'}}
{{lang === 'en_US' ? '中' : 'Eng'}}
Chat more with AI
PDF (1 MB)
Collect
Submit Manuscript AI Chat Paper
Show Outline
Outline
Show full outline
Hide outline
Outline
Show full outline
Hide outline
Open Access

Worst-Input Mutation Approach to Web Services Vulnerability Testing Based on SOAP Messages

School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China.
School of Computer Science, The University of Nottingham Ningbo China, Ningbo 315100, China.
School of Software and Communication Engineering, Jiangxi University of Finance and Economics, Nanchang 330013, China.
Show Author Information

Abstract

The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, namely, the Test Case generation based on the Farthest Neighbor (TCFN), is also presented. The method involves partitioning the input domain into sub-domains according to the number and type of SOAP message parameters in the TCFN, selecting the candidate test case whose distance is the farthest from all executed test cases, and applying it to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches.

References

[1]
S. Hanna and M. Munro, An approach for wsdl-based automated robustness testing of web services, presented at the 16th International Conference on Information Systems Development, Nanchang, China, 2009, pp. 1093-1104.
[2]
T. Takase and K. Tajima, Efficient web service message exchange by SOAP bounding framework, in the 11th IEEE International Enterprise Distributed Object Computing, Annapolis, MD, USA, 2007, pp. 63-72.
[3]
L. Wu, X. K. Li, and H. Wang, Research on the reliability testing of web service based on fault injection technology, Journal of Chinese Computer System, vol. 28, no. 1, pp. 127-131, 2007.
[4]
M. Palacios, J. Garcia-Fanjul, and J. Tuya, Testing in service oriented architectures with dynamic binding: A mapping study, Information and Software Technology, vol. 53, no. 3, pp. 171-189, 2011.
[5]
C. A. Sun, G. Wang, B. H. Mu, H. Liu, Z. S. Wang, and T. Y. Chen, A metamorphic relation-based approach to testing web services without oracles, International Journal of Web Services Research, vol. 9, no. 1, pp. 51-73, 2012.
[6]
C. A. Sun, G. Wang, B. H. Mu, H. Liu, Z. S. Wang, and T. Y. Chen, Metamorphic testing for web services: Framework and a case study, presented at the IEEE International Conference on Web Services, Washington DC, USA, 2011, pp. 283-290.
[7]
L. F. de Almeida and S. R. Vergilio, Exploring perturbation based testing for web services, presented at the IEEE International Conference on Web Services, Chicago, USA, 2006, pp. 717-726.
[8]
H. C. Kim, Y. H. Choi, and D. H. Lee, Efficient file fuzz testing using automated analysis of binary file format, Journal of Systems Architecture, vol. 57, no. 3, pp. 259-268, 2011.
[9]
S. Bekrar, C. Bekrar, R. Groz, and L. Mounier, Finding software vulnerabilities by smart fuzzing, in Proceedings of the Fourth IEEE International Conference on Software Testing, Verification and Validation, Berlin, Germany, 2011, pp. 427-430.
[10]
J. Offutt and W. Xu, Generating test cases for web services using data perturbation, ACM SIGSOFT Software Engineering Notes, vol. 29, no. 5, pp. 1-10, 2004.
[11]
A. C. V. de Melo and P. Silveira, Improving data perturbation testing techniques for web services, Information Science, vol. 181, no. 3, pp. 600-619, 2011.
[12]
P. Silveira and A. C. V. de Melo, Exploring XML perturbation techniques for web services testing, Lecture Notes in Computer Science, vol. 5648, pp. 355-369, 2009.
[13]
J. F. Chen, Q. Li, C. Y. Mao, D. Towey, Y. Z. Zhan, and H. H. Wang, A web services vulnerability testing approach based on combinatorial mutation and SOAP message mutation, Service Oriented Computing and Applications, vol. 8, no. 1, pp. 1-13, 2014.
[14]
L. Novak and A. Zamulin, A formal model for XML schema, in Proceedings of the 21st International Conference on Data Engineering Workshops, Tokyo, Japan, pp. 1283-1293, 2005.
[15]
W. Xu, J. Offutt, and J. Luo, Testing web services by XML perturbation, in Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering, Chicago, USA, pp. 257-266, 2005.
[16]
J. F. Chen, Y. S. Lu, and X. D. Xie, Component security testing approach by using interface fault injection, Journal of Chinese Computer System, vol. 31, no. 6, pp. 1090-1096, 2010.
[17]
S. Anand, E. K. Burke, T. Y. Chen, J. Clark, M. B. Cohen, W. Grieskamp, M. Harman, M. J. Harrold, and P. McMinn, An orchestrated survey of methodologies for automated software test case generation, Journal of Systems and Software, vol. 86, no. 8, pp. 1978-2001, 2013.
[18]
T. Y. Chen, F. C. Kuo, H. Liu, and W. E. Wong, Code coverage of adaptive random testing, IEEE Transactions on Reliability, vol. 62 no. 1, pp. 226-237, 2013.
[19]
A. Shahbazi, A. Tappenden, and J. Miller, Centroidal voronoi tessellationsCa new approach to random testing, IEEE Transactions on Software Engineering, vol. 39, no. 2, pp. 163-183, 2013.
[20]
C. Bohm, S. Berchtold, and D. A. Keim, Searching in high dimensional spaces: Index structures for improving the performance of multimedia databases, ACM Computing Surveys, vol. 33, no. 3, pp. 322-373, 2001.
[21]
T. Y. Chen, F. C. Kuo, R. G. Merkel, and T. H. Tse, Adaptive random testing: The ART of test case diversity, Journal of Systems and Software, vol. 83, no. 1, pp. 60-66, 2010.
[22]
M. H. Alsuwaiyel, Algorithms: Design Techniques and Analysis. World Scientific Pub Co Inc, November 1998.
[23]
K. P. Chan, T. Y. Chen, and D. Towey, Adaptive random testing with filtering: An overhead reduction technique, presented at the 17th International Conference on Software Engineering and Knowledge Engineering, Taipei, China, pp. 292-299, 2005.
[24]
K. P. Chan, T. Y. Chen, and D. Towey, Restricted random testing: Adaptive random testing by exclusion, International Journal of Software Engineering and Knowledge Engineering, vol. 16, no. 4, pp. 553-584, 2006.
[25]
T. Y. Chen, F. C. Kuo, and C. A. Sun, Impact of the compactness of failure regions on the performance of adaptive random testing, Journal of Software, vol. 17, no. 12, pp. 2438-2449, 2006.
[26]
I. N. Bronshtein, K. A. Semendyayev, G. Musiol, and H. Mhlig, Handbook of Mathematics. Springer, 2007.
[27]
B. H. Li and Z. X. Hao, Efficient filtration and query algorithm of reverse furthest neighbor, Journal of Chinese Computer Systems, vol 30, no. 10, pp. 1948-1951, 2009.
[28]
J. M. Voas and K. W. Miller, Predicting software’s minimum-time-to-hazard andmean-time-to-hazard for rare input events, presented at the 6th International Symposium on Software Reliability Engineering, Toulouse, France, 1995, pp. 229-238.
[29]
SoapUI, SmartBear software, http://www.soapui.org, 2012.
Tsinghua Science and Technology
Pages 429-441
Cite this article:
Chen J, Wang H, Towey D, et al. Worst-Input Mutation Approach to Web Services Vulnerability Testing Based on SOAP Messages. Tsinghua Science and Technology, 2014, 19(5): 429-441. https://doi.org/10.1109/TST.2014.6919819

660

Views

37

Downloads

7

Crossref

N/A

Web of Science

16

Scopus

0

CSCD

Altmetrics

Received: 01 April 2014
Revised: 14 July 2014
Accepted: 18 August 2014
Published: 13 October 2014
© The Author(s) 2014
Return