![Page 1: Solving Some Modeling Challenges when Testing Rich Internet Applications for Security Software Security Research Group (SSRG), University of Ottawa In](https://reader035.vdocument.in/reader035/viewer/2022062423/56649e3b5503460f94b2da5f/html5/thumbnails/1.jpg)
Solving Some Modeling Challenges when
Testing Rich Internet Applications for
Security
Software Security Research Group (SSRG), University of Ottawa
In collaboration with IBM
SSRG Members
University of Ottawa
• Prof. Guy-Vincent Jourdan
• Prof. Gregor v. Bochmann
• Suryakant Choudhary (Master student)
• Emre Dincturk (PhD student)
• Khaled Ben Hafaiedh (PhD student)
• Seyed M. Mir Taheri (PhD student)
• Ali Moosavi (Master student)
In collaboration with Research and Development, IBM® Security AppScan® Enterprise
• Iosif Viorel Onut (PhD)
Introduction: Traditional Web Applications
• Navigation is achieved using the links (URLs)
• Synchronous communication
[Figure: Traditional Synchronous Communication Pattern: each user interaction sends a request, the server processes it and sends a response, the full page is refreshed, and the user waits before the next interaction.]
Introduction : Rich Internet Applications
• More interactive and responsive web apps
▫Page changes via client-side code (JavaScript)
▫Asynchronous communication
[Figure: Asynchronous Communication Pattern (in RIAs): a user interaction issues several requests; each response produces a partial page update while the user keeps interacting.]
Crawling and web application security testing
•All parts of the application must be discovered before we analyze for security.
•Why are automatic crawling algorithms important for security testing?
▫Most RIAs are too large for manual exploration
▫Efficiency
▫Coverage
What we present…
• Techniques and approaches to make web application security assessment tools perform better
• How to improve the performance?
▫Make them efficient by analysing only what’s important and ignoring irrelevant information
▫Making rich internet applications accessible to them.
Web application crawlers
•Main components:
▫Crawling strategy: algorithm which guides the crawler
▫State equivalence: algorithm which indicates what should be considered new
State Equivalence
•Client states
•Decides if two client states of an application should be considered different or the same.
•Why important?
▫Infinite runs or state explosion
▫Incomplete coverage of the application
Techniques
•Load-Reload: Discovering non-relevant dynamic content of web pages
• Identifying Session Variables and Parameters
1. Load-Reload: Discovering non-relevant dynamic content of web pages
• Extracting the relevant information from a page.
What we propose
•Reload the web page (URL) to determine the parts of the content that are relevant.
Calculate Delta (X): Content that changed between the two loads.
What we propose (2)
• Delta(X): X is any web page and Delta(X) is the collection of xpaths of the contents that are not relevant
• E.g. Delta(X) = {html\body\div\, html\body\a\@href}
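The Load-Reload technique above (and the state-equivalence question it serves) can be shown end to end in a few lines. The following is an added example written for this page, not code from the SSRG presentation or from AppScan: the markup, the `flatten`, `delta` and `state_id` helpers and the path notation (positional XPath-like paths, `/@name` for attributes) are all assumptions made for the illustration. It loads a page twice, computes Delta(X) as the set of paths whose content differs, and then hashes the page with those paths removed so that two loads of the same state compare equal while a genuinely different state does not.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical markup): two loads of the same page in which
# only a server timestamp and a tracking link differ.
LOAD_1 = """<html><body>
<div>Served at 10:01:07</div>
<a href="/track?id=1111">Home</a>
<p>Welcome to the bank</p>
</body></html>"""
LOAD_2 = """<html><body>
<div>Served at 10:01:09</div>
<a href="/track?id=2222">Home</a>
<p>Welcome to the bank</p>
</body></html>"""
# A load of a genuinely different client state, for comparison.
OTHER_STATE = LOAD_2.replace("<p>Welcome to the bank</p>", "<p>Logged in as bob</p>")


def flatten(html):
    """Map every element and attribute of the page to an XPath-like location.

    Returns {path: value}: element paths carry the element's direct text and
    attribute paths (path/@name) carry the attribute value. Siblings with the
    same tag get positional indices so that paths are unambiguous. Text that
    follows a closing tag (tail text) is ignored to keep the example short.
    """
    root = ET.fromstring(html)
    out = {}

    def walk(elem, path):
        out[path] = (elem.text or "").strip()
        for name, value in sorted(elem.attrib.items()):
            out[f"{path}/@{name}"] = value
        counts = {}
        for child in elem:
            counts[child.tag] = counts.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{counts[child.tag]}]")

    walk(root, root.tag)
    return out


def delta(load_a, load_b):
    """Delta(X): the set of paths whose content differs between two loads of X."""
    fa, fb = flatten(load_a), flatten(load_b)
    return {p for p in set(fa) | set(fb) if fa.get(p) != fb.get(p)}


def state_id(html, ignore):
    """Hash of the page with the non-relevant paths removed.

    Two pages with the same state_id are treated as the same client state.
    """
    flat = flatten(html)
    relevant = sorted((p, v) for p, v in flat.items() if p not in ignore)
    blob = "\n".join(f"{p}={v}" for p, v in relevant).encode()
    return hashlib.sha256(blob).hexdigest()


def main():
    d = delta(LOAD_1, LOAD_2)
    print("Delta(X) =", sorted(d))
    print("same state after reload:", state_id(LOAD_1, d) == state_id(LOAD_2, d))
    print("other state still distinct:", state_id(LOAD_1, d) != state_id(OTHER_STATE, d))


if __name__ == "__main__":
    main()
```

Two loads only reveal content that changes between those two loads; content that changes daily or per session would need Delta(X) to be recomputed periodically, and a page whose structure changes (elements added or removed) shifts the positional indices, so a crawler should treat a large Delta(X) as a signal to inspect the page rather than silently ignore most of it.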
Example
Example (2)
2. Identifying Session Variables and Parameters
• What is a session?
▫A session is a conversation between the server and a client.
▫Why should a session be maintained?
▫HTTP is stateless: when there is a series of continuous requests and responses from the same client to a server, the server cannot identify which client it is getting requests from.
Identifying Session Variables and Parameters (2)
• Session tracking methods:
▫ User authorization
▫ Hidden fields
▫ URL rewriting
▫ Cookies
▫ Session tracking API
• Problems that are addressed:
▫ Redundant crawling: might result in a crawler trap or infinite runs.
▫ Session termination problem: incomplete coverage of the application if the application requires a session throughout the access.
What we propose
• Two recordings of the log-in sequence are done on the same website, using the same user input (e.g. same user name and password) and the same user actions.
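The two-recording idea can be turned into a small tool that covers the session tracking methods listed earlier (URL rewriting, cookies, query parameters). This is an added example written for this page, not code from the SSRG presentation or from AppScan: the two recorded request sequences, the host `bank.example`, the parameter names and the `request_params`, `session_variables` and `normalize_url` helpers are constructed for the illustration. Parameters whose values differ between the two recordings of the same step are classified as session variables; parameters that repeat with the same value (the user name, the account number) are user input or application structure. The crawler then strips the session variables before comparing URLs, which removes the redundant-crawling problem.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample traffic: the same log-in sequence recorded twice with the
# same user name, password and clicks. Session identifiers and a per-request
# nonce differ; everything else is identical.
RECORDING_1 = [
    {"url": "http://bank.example/login?user=bob&pw=s3cret",
     "cookie": "theme=dark"},
    {"url": "http://bank.example/account;jsessionid=A1B2C3?acct=1001&nonce=7f3a",
     "cookie": "JSESSIONID=A1B2C3; theme=dark"},
]
RECORDING_2 = [
    {"url": "http://bank.example/login?user=bob&pw=s3cret",
     "cookie": "theme=dark"},
    {"url": "http://bank.example/account;jsessionid=Z9Y8X7?acct=1001&nonce=c0de",
     "cookie": "JSESSIONID=Z9Y8X7; theme=dark"},
]


def request_params(req):
    """Flatten one request into {"<where>:<name>": value}.

    Covers URL rewriting (';name=value' path parameters), the query string
    and the Cookie header, so every session tracking carrier is visible.
    """
    parts = urlsplit(req["url"])
    params = {}
    path, *matrix = parts.path.split(";")
    for item in matrix:
        name, _, value = item.partition("=")
        params[f"path:{name}"] = value
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        params[f"query:{name}"] = value
    cookie = SimpleCookie()
    cookie.load(req["cookie"])
    for name, morsel in cookie.items():
        params[f"cookie:{name}"] = morsel.value
    return params


def session_variables(rec_a, rec_b):
    """Parameters whose value differs between the two recordings at the same step."""
    found = set()
    for step_a, step_b in zip(rec_a, rec_b):
        pa, pb = request_params(step_a), request_params(step_b)
        for name in set(pa) | set(pb):
            if pa.get(name) != pb.get(name):
                found.add(name)
    return found


def normalize_url(url, session_vars):
    """Drop session-dependent path and query parameters before comparing URLs."""
    parts = urlsplit(url)
    path, *matrix = parts.path.split(";")
    kept = [m for m in matrix if f"path:{m.partition('=')[0]}" not in session_vars]
    query = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
             if f"query:{n}" not in session_vars]
    return urlunsplit((parts.scheme, parts.netloc, ";".join([path, *kept]),
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    sv = session_variables(RECORDING_1, RECORDING_2)
    print("session variables:", sorted(sv))
    for rec in (RECORDING_1, RECORDING_2):
        print([normalize_url(r["url"], sv) for r in rec])
```

The differing set also catches anti-CSRF tokens such as the `nonce` above; those must be ignored for state comparison but still sent fresh on every request, so a crawler keeps them in its live session while excluding them from the URL it records. Only two recordings are compared here, so a value that happens to coincide by chance would be misclassified; a third recording reduces that risk.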
Example
3. Crawling Strategies For RIAs
• Crawling extracts a “model” of the application that consists of
▫ States, which are “distinct” web pages
▫ Transitions, which are triggered by event executions
• Strategy decides how the application exploration should proceed
Standard Crawling Strategies
•Breadth-First and Depth-First
•They are not flexible
▫They do not adapt themselves to the application
•Breadth-First often goes back to the initial page
▫Increases the number of reloads (loading the URL)
•Depth-First requires traversing long paths
▫Increases the number of event executions
What we propose
• Model Based Crawling
▫Model is an assumption about the structure of the application
▫Specify a good strategy for crawling any application that follows the model.
▫Specify how to adapt the crawling strategy in case the application being crawled deviates from the model.
What we propose (2)
• Existing models:
▫Hypercube Model
1. Independent events
2. The set of enabled events at a state is the same as at the initial state, except for the ones executed to reach it.
[Figure: hypercube for two events: state {e1,e2} leads via e1 to {e2} and via e2 to {e1}; from both, the remaining event leads to {}.]
▫Probability Model
Statistics gathered about event execution results are used to guide the application exploration strategy
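The hypercube model and the model-based crawling idea from the previous slide can be simulated together. This is an added example written for this page, not the SSRG crawling algorithm or AppScan code: the simulated applications (`HypercubeApp`, `DeviatingApp`), the greedy path strategy and the bookkeeping in `crawl` are all assumptions for the illustration, and the strategy is a simple one (walk as far as possible along unverified transitions, navigate to the nearest state with work left, reload only when stuck) rather than the optimal chain decomposition. The crawler predicts every transition from the model (executing e from state S leads to S minus {e}), executes each predicted transition once to verify it, records deviations, and adapts by scheduling the events of any state the model did not foresee.

```python
from collections import deque


class HypercubeApp:
    """Simulated RIA obeying the hypercube model: a client state is the set of
    still-enabled events and executing e from S leads to S - {e}. Constructed."""

    def __init__(self, events):
        self.initial = frozenset(events)

    def execute(self, state, event):
        if event not in state:
            raise ValueError(f"{event} is not enabled in {sorted(state)}")
        return state - {event}


class DeviatingApp(HypercubeApp):
    """Same, except executing e2 after e1 is gone enables a new event e4
    (events are not independent, so the model is violated). Constructed."""

    def execute(self, state, event):
        nxt = super().execute(state, event)
        if event == "e2" and "e1" not in state:
            nxt = nxt | {"e4"}
        return nxt


def hypercube_transitions(events):
    """Every transition the model predicts: each subset S with each e in S."""
    events, pending = sorted(events), set()
    for mask in range(1 << len(events)):
        state = frozenset(e for i, e in enumerate(events) if mask >> i & 1)
        pending.update((state, e) for e in state)
    return pending


def path_to_pending(start, known, pending):
    """Shortest path over verified transitions to a state with work left, or None."""
    waiting = {s for s, _ in pending}
    queue, visited = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if state in waiting:
            return path
        for event in sorted(e for s, e in known if s == state):
            target = known[(state, event)]
            if target not in visited:
                visited.add(target)
                queue.append((target, path + [event]))
    return None


def crawl(app):
    initial = app.initial
    pending = hypercube_transitions(initial)        # predicted, not yet verified
    model_states = {s for s, _ in pending} | {frozenset()}
    known, deviations = {}, []                      # verified transitions, model violations
    reloads = executions = 0
    while pending:
        reloads += 1                                # back to the initial page
        state, progressed = initial, False
        while True:
            choices = sorted(e for s, e in pending if s == state)
            if choices:                             # verify a predicted transition
                event = choices[0]
                pending.discard((state, event))
                actual = app.execute(state, event)
                executions, progressed = executions + 1, True
                known[(state, event)] = actual
                if actual != state - {event}:
                    deviations.append((state, event, state - {event}, actual))
                if actual not in model_states:      # adapt: unforeseen state
                    model_states.add(actual)
                    pending.update((actual, e) for e in actual)
                state = actual
                continue
            path = path_to_pending(state, known, pending)
            if path is None:
                break                               # nothing reachable: reload
            for event in path:                      # navigate along verified edges
                state = known[(state, event)]
                executions += 1
        if not progressed:
            break                                   # remaining work is unreachable
    return {"states": {initial} | set(known.values()), "transitions": known,
            "deviations": deviations, "reloads": reloads,
            "executions": executions, "unreached": pending}


if __name__ == "__main__":
    for app in (HypercubeApp(["e1", "e2", "e3"]), DeviatingApp(["e1", "e2", "e3"])):
        r = crawl(app)
        print(type(app).__name__, "states:", len(r["states"]), "reloads:", r["reloads"],
              "executions:", r["executions"], "deviations:", len(r["deviations"]))
```

On the three-event hypercube this verifies all 12 predicted transitions with 6 reloads and 15 event executions; a breadth-first crawl that reloads before every transition would need 12 reloads and 24 executions for the same coverage, which is the cost difference the slides refer to. On the deviating application the crawler records the violated prediction, discovers the state containing `e4`, and still terminates because it only ever executes each transition once.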
Conclusion
•Crawling is essential for automated security testing of web applications
•We introduced two techniques to enhance security testing of web applications
▫Identifying and ignoring irrelevant web page contents
▫Identifying and ignoring session information
•We have worked on new crawling algorithms
Thank You !
Demonstration
•Rich Internet Application Security Testing - IBM® Security AppScan® Enterprise
DEMO – IBM® Security AppScan® Enterprise
•IBM Security AppScan Enterprise is an automated web application scanner
•We added RIA crawling capability to a prototype of AppScan
•We will demo how the coverage of the tool increases with RIA crawling capability
DEMO – Test Site (Altoro Mutual)
DEMO – Results
•Without RIA Crawling
DEMO - Results
•With RIA Crawling