20,775 research outputs found
Search-based multi-vulnerability testing of XML injections in web applications (vol 24, pg 3696, 2019): Search-based multi-vulnerability testing of XML injections in web applications (Empirical Software Engineering, (2019), 10.1007/s10664-019-09707-8)
The article Search-based multi-vulnerability testing of XML injections in web applications, written by Sadeeq Jan, Annibale Panichella, Andrea Arcuri, and Lionel Briand, was originally published electronically on the publisher’s internet portal (currently SpringerLink) on May 2019 without open access. With the author(s)’ decision to opt for Open Choice the copyright of the article changed on June 2019 toSoftware Engineerin
Automated and Effective Security Testing for XML-based Vulnerabilities
Nowadays, the External Markup Language (XML) is the most commonly used technology in web services for enabling service providers and consumers to exchange data. XML is also widely used to store data and configuration files that control the operation of software systems. Nevertheless, XML suffers from several well-known vulnerabilities such as XML Injections (XMLi). Any exploitation of these vulnerabilities might cause serious and undesirable consequences, e.g., denial of service and accessing or modifying highly-confidential data. Fuzz testing techniques have been investigated in the literature to detect XMLi vulnerabilities. However, their success rate tends to be very low since they cannot generate complex test inputs required for the detection of these vulnerabilities. Furthermore, these approaches are not effective for real-world complex XML-based enterprise systems, which are composed of several components including front-end web applications, XML gateway/firewall, and back-end web services.
In this dissertation, we propose several automated security testing strategies for detecting XML-based vulnerabilities. In particular, we tackle the challenges of security testing in an industrial context. Our proposed strategies, target various and complementary aspects of security testing for XML-based systems, e.g., test case generation for XML gateway/firewall. The development and evaluation of these strategies have been done in close collaboration with a leading financial service provider in Luxembourg/Switzerland, namely SIX Payment Services (formerly known as CETREL S.A.). SIX Payment Services processes several thousand financial transactions daily, providing a range of financial services, e.g., online payments, issuing of credit and debit cards.
The main research contributions of this dissertation are:
-A large-scale and systematic experimental assessment for detecting vulnerabilities in numerous widely-used XML parsers and the underlying systems using them. In particular, we targeted two common XML parser’s vulnerabilities: (i) XML Billion Laughs (BIL), and (ii) XML External Entities (XXE).
- A novel automated testing approach, that is based on constraint-solving and input mutation techniques, to detect XMLi vulnerabilities in XML gateway/firewall and back-end web services.
- A black-box search-based testing approach to detect XMLi vulnerabilities in front-end web applications. Genetic algorithms are used to search for inputs that can manipulate the application to generate malicious XML messages.
- An in-depth analysis of various search algorithms and fitness functions, to improve the search-based testing approach for front-end web applications.
- Extensive evaluations of our proposed testing strategies on numerous real-world industrial web services, XML gateway/firewall, and web applications as well as several open-source systems
Automated and Effective Testing of Web Services for XML Injection Attacks
peer reviewedXML is extensively used in web services for integration and data exchange. Its popularity and wide adoption make it an attractive target for attackers and a number of XML-based attack types have been reported recently. This raises the need for cost-effective, automated testing of web services to detect XML-related vulnerabilities, which is the focus of this paper. We discuss a taxonomy of the types of XML injection attacks and use it to derive four different ways to mutate XML messages, turning them into attacks (tests) automatically. Further, we consider domain constraints and attack grammars, and use a constraint solver to generate XML messages that are both malicious and valid, thus making it more difficult for any protection mechanism to recognise them. As a result, such messages have a better chance to detect vulnerabilities.
Our evaluation on an industrial case study has shown that a large proportion (78.86%) of the attacks generated using our approach could circumvent the first layer of security protection, an XML gateway (firewall), a result that is much better than what a state-of-the-art tool based on fuzz testing could achieve
A Search-based Testing Approach for XML Injection Vulnerabilities in Web Applications
peer reviewedIn most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services.
Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities
Jan Kapr's contribution to contemporary music : an essay about a composer and teacher
This creative project is a treatise on a leading personality of Czechoslovakian musical life, the composer, Jan Kapr. The author discusses the following:1. The complicated development of Kapr's career and work, 2. Kapr's method of organization of musical material in a composition, as described in his book Constants,3. His former and current style which is demonstrated in two of his compositions, Concert Variations, for flute and string orchestra and Testimonies for four solo instruments,4. Two of his recent works, Exercises for Gydli and the Symphony No. 7, Country of Childhood.Thesis (M.A.
Going Beyond Counting First Authors in Author Co-citation Analysis
The present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation
counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings
are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that
only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into
account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed
ELEVEN FACES OF JAN GOGOL, JR.
Author Jan Rendl in his thesis attempts to look at the world of ideas and educator Jan
Gogola ml. through the eleven chapters in which each chapter somehow characterizes itself by Jan Gogola ml. and each of them somehow determines its creative ideas of it through the metaphor of a football match when Jan Gogola, with its characters, movies himself a teammate, as well as defensively. It gives goals with their situations as well as occasionally digging his opponents ankles.
Jan Gogola ml. thus embodies one stage of the Department of Documentary Film at FAMU, which often stands at the intersection between teaching activities and Karel Vachek among students who applied by them during their seminars psychological methods that work must be peculiarly associated with the author of the film
Dr. Jan French – Faculty Author Interview
Dr. Jan French, Assistant Professor of Anthropology, discusses her new book, Legalizing Identities: Becoming Black or Indian in Brazil’s Northeast, which shows how law can successfully serve as the impetus for the transformation of cultural practices and collective identity
Jan Bernátek - organ works
This graduation thesis provides a more detailed view on compositoins of Jan Bernátek.The aim is to present this less well-known temporary czech author,who makes use of the organ in the majority of his work
The Theological Work of Jan Valerián Jirsík
Anglická anotace The theological work of Jan Valerian Jirsík Jan Hamberger This thesis deals with the theological work of the Czech 19th century author Jan Valerián Jirsík (1798-1883). Its first part consists of an introduction into the Czech historical context of the 19th century and the life of the author. Its second part presents a survey of the literary-theological work of Jirsík in three life phases: the first phase is demarked by his activity as chaplain and vicar, the second phase by his editorial activity for Casopis pro katolické duchovenstvo (trans. Magazine for catholic clergy) and the last phase by his pontifical years in the diocese of Southern Bohemia. His literary work is divided by theme into various periods, shortly described and characterized. The last and major section of this thesis deals with the most comprehensive and renown work of Jan Valerián Jirsík - Populární dogmatika (trans. Popular doctrine). This pivotal work of theologian Jirsík is discussed at large and analyzed by tractate, both apologetic and dogmatic. The conclusion expresses the prevailing character of the entire work of Jirsík and its significance. Key words: Theology Apologetic theology Dogmatic theology Theological literature Catholic Churc
- …
