SPaCiTE – Web Application Testing Engine
Matthias Büchler, Johan Oudinet, and Alexander Pretschner
April 21, 2012
Motivation / Purpose of the Tool
• Secure model: M ⊨ φ
• Is the web application secure?
• How does a secure model help to answer this question?
Motivation / Purpose of the Tool
(figure: client side / server side)
SPaCiTE Workflow
• How SPaCiTE executes test cases (attack traces) based on secure models
Model-Based Flaw Injection Library
  <configuration>
    <ACflaw>
      <funcname>isAuthorizedTo*</funcname>
    </ACflaw>
  </configuration>
Model Checking
• Reuse AVANTSSAR backends: SATMC, CL-ATSE, OFMC
Abstract Attack Trace
  <tom> ->* webServer : login(tom,password(tom,webServer))
  webServer -> <tom> : listStaffOf(tom)
  <tom> *-> webServer : viewProfileOf(jerry)
  webServer *->* <tom> : profileOf(jerry)
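The three slides above (flaw injection library, model checking, abstract attack trace) describe one pipeline: a mutation operator removes a check from the secure model, and a model checker searches the mutated model for a trace that violates the security goal. The following Python is an added example written for this page, not SPaCiTE code and not its model format: it builds a toy RBAC model with a single guard named isAuthorizedToViewProfile, reads an ACflaw configuration in the style of the slide, applies the mutation by name pattern, and runs a bounded breadth-first search that returns the attack trace in the same message notation as the slide. The users, roles, goal and credentials are constructed, and the intruder model is a simplification of Dolev-Yao in which the intruder acts as one registered user whose credentials it knows.

```python
"""Added example (not SPaCiTE code): model-based flaw injection on a toy
RBAC web-application model, followed by a bounded search for an abstract
attack trace. The model, users, goal and configuration are constructed."""
from collections import deque
from fnmatch import fnmatch
import xml.etree.ElementTree as ET

# Constructed users and roles of the toy model.
ROLES = {"tom": "staff", "jerry": "staff", "alice": "admin"}

# Authorization guards of the secure model. The mutation operator selects
# them by name, which is what <funcname>isAuthorizedTo*</funcname> expresses.
SECURE_GUARDS = {
    "isAuthorizedToViewProfile":
        lambda viewer, owner: viewer == owner or ROLES.get(viewer) == "admin",
}

# Security goal phi: a profile is disclosed only to its owner or to an admin.
def goal_holds(disclosed):
    return all(viewer == owner or ROLES.get(viewer) == "admin"
               for viewer, owner in disclosed)

# Constructed configuration in the style of the slide's flaw-injection library.
CONFIG_XML = """<configuration>
  <ACflaw><funcname>isAuthorizedTo*</funcname></ACflaw>
</configuration>"""

def inject_flaws(guards, config_xml):
    """ACflaw mutation operator: every guard whose name matches a configured
    pattern is replaced by one that always grants access, i.e. the mutated
    model lacks that access-control check (the vulnerability half of the
    operator; the goal phi is the security-property half)."""
    mutated = dict(guards)
    for pattern in ET.fromstring(config_xml).iterfind("./ACflaw/funcname"):
        for name in list(mutated):
            if fnmatch(name, pattern.text.strip()):
                mutated[name] = lambda *args: True
    return mutated

def successors(state, guards, intruder):
    """Messages the intruder can send while acting as registered user
    `intruder` (simplified Dolev-Yao: the intruder knows that one user's
    credentials), paired with the server's reply. The channel arrows mirror
    the notation of the trace on the slide."""
    logged_in, disclosed = state
    if intruder not in logged_in:
        login = (f"<{intruder}> ->* webServer : "
                 f"login({intruder},password({intruder},webServer))")
        yield [login], (logged_in | {intruder}, disclosed)
        return
    for owner in ROLES:
        if guards["isAuthorizedToViewProfile"](intruder, owner):
            req = f"<{intruder}> *-> webServer : viewProfileOf({owner})"
            rep = f"webServer *->* <{intruder}> : profileOf({owner})"
            yield [req, rep], (logged_in, disclosed | {(intruder, owner)})

def model_check(guards, intruder="tom", max_depth=6):
    """Bounded breadth-first search over model states. Returns the shortest
    abstract attack trace (list of messages) reaching a state that violates
    the goal, or None if the goal holds within the bound."""
    init = (frozenset(), frozenset())
    queue, seen = deque([(init, [])]), {init}
    while queue:
        state, trace = queue.popleft()
        if not goal_holds(state[1]):
            return trace
        if len(trace) >= max_depth:
            continue
        for lines, nxt in successors(state, guards, intruder):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + lines))
    return None

if __name__ == "__main__":
    print("secure model:", model_check(SECURE_GUARDS))
    for line in model_check(inject_flaws(SECURE_GUARDS, CONFIG_XML)):
        print(line)
```

On the secure model the search exhausts the reachable states without finding a violation; on the mutated model it returns a three-message trace in which tom logs in, requests jerry's profile and receives it. A real backend such as those named on the slide explores a far richer state space and intruder model, but the shape of the result, a concrete message sequence that witnesses the violated goal, is the same.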
Transform AAT to WAAL
• Configuration information
• How are abstract messages translated into actions?
• How is a viewProfileOf message generated in the browser?
Transform AAT to WAAL
• Translate WAAL actions to Java source code
• Embed them into a test execution engine skeleton
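The two "Transform AAT to WAAL" slides cover the steps from an abstract attack trace to executable test code: parse each abstract message, look up in configuration information which browser-level actions generate it (messages sent by the user) or verify it (messages sent by the server), and emit those actions as statements for a test engine skeleton. The Python below is an added example for this page, not SPaCiTE's own translator and not WAAL syntax: the action vocabulary (fill, click, expect_text), the mapping table, the concrete credential and the engine.* method names in the emitted Java-style statements are all assumptions. A message with no mapping is flagged as protocol-level, which corresponds to the case in the assumptions slide where WAAL is bypassed and a test expert handles the message at HTTP level.

```python
"""Added example (not SPaCiTE code): translate an abstract attack trace
into generate/verify browser actions via a constructed mapping, then emit
them as statements for a hypothetical engine skeleton."""
import re

# Abstract attack trace copied from the slide.
AAT = """<tom> ->* webServer : login(tom,password(tom,webServer))
webServer -> <tom> : listStaffOf(tom)
<tom> *-> webServer : viewProfileOf(jerry)
webServer *->* <tom> : profileOf(jerry)"""

MSG_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<chan>\*?->\*?)\s+(?P<dst>\S+)\s*:\s*"
    r"(?P<name>\w+)\((?P<args>.*)\)$")

def split_args(text):
    """Split a comma-separated term list without breaking nested terms
    such as password(tom,webServer)."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts

def parse_aat(text):
    """Parse each trace line into sender, receiver, channel, name and args."""
    msgs = []
    for line in text.strip().splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable AAT line: {line!r}")
        msgs.append({"src": m["src"].strip("<>"), "dst": m["dst"].strip("<>"),
                     "channel": m["chan"], "name": m["name"],
                     "args": split_args(m["args"])})
    return msgs

# Constructed configuration information: browser actions per abstract
# message. {0}, {1} are the message arguments after concretisation.
# listStaffOf is deliberately left unmapped to show the fallback path.
MAPPING = {
    "login": [("fill", "input[name=user]", "{0}"),
              ("fill", "input[name=pass]", "{1}"),
              ("click", "button[type=submit]", "")],
    "viewProfileOf": [("click", "a[href='/profile/{0}']", "")],
    "profileOf": [("expect_text", "h1#profile", "{0}")],
}
# Constructed concrete values for model terms.
VALUES = {"password(tom,webServer)": "t0m-secret-CONSTRUCTED"}

def translate(msgs, mapping=MAPPING, values=VALUES, server="webServer"):
    """Messages from the server become verify actions, all others generate
    actions; a message without a mapping is flagged as protocol-level."""
    actions = []
    for step, msg in enumerate(msgs, 1):
        kind = "verify" if msg["src"] == server else "generate"
        concrete = [values.get(a, a) for a in msg["args"]]
        templates = mapping.get(msg["name"])
        if templates is None:
            actions.append({"step": step, "kind": "protocol-level",
                            "message": f"{msg['name']}({','.join(msg['args'])})"})
            continue
        for op, target, value in templates:
            actions.append({"step": step, "kind": kind, "op": op,
                            "target": target.format(*concrete),
                            "value": value.format(*concrete)})
    return actions

def render_java(actions):
    """One statement per action for a hypothetical engine skeleton
    (engine.* method names are assumptions, not a real engine API)."""
    lines = []
    for a in actions:
        if a["kind"] == "protocol-level":
            lines.append(f'// step {a["step"]}: {a["message"]} needs HTTP-level handling')
        else:
            lines.append(f'engine.{a["op"]}("{a["target"]}", "{a["value"]}");'
                         f' // step {a["step"]} {a["kind"]}')
    return lines

if __name__ == "__main__":
    for stmt in render_java(translate(parse_aat(AAT))):
        print(stmt)
```

The nesting-aware split_args is the detail most often got wrong in ad-hoc trace parsers: a naive split on commas would tear password(tom,webServer) apart and the login step would be concretised with the wrong values.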
Execution
• Execute the test case
• Recovery actions might be needed
Conclusion
• Semi-automatic security testing of web applications
  • Automatic at browser level
  • May request help from a test expert at HTTP level
• Interesting abstract attack traces were generated by injecting relevant source-code-level faults into the model
  • Relevant fault = known vulnerability that has been exploited to violate any security goal in the secure model
• We were able to reproduce all 4 abstract attack traces coming from 2 RBAC and 2 XSS models
Future Work
• Target different vulnerabilities and security goals
• Address side effects during recovery actions
• Extend the tool to the case where global observation is not possible
• Integration work as part of the SPaCiOS EU project: www.spacios.eu
* Demo on request, or visit: http://zvi.ipd.kit.edu/26_500.php
Model-Based Flaw Injection Library
• Mutation operators represent vulnerabilities at model level
• They combine a security property and a vulnerability
Assumptions and Limitations
• A secure model must exist
  • → If not, try to make use of model inference
• Each abstract message must be mappable to WAAL actions
  • That means every abstract message must be expressed in terms of generating and/or verifying actions at browser level
  • That doesn't imply that the action must be performed in the browser → see Recovery Actions
  • → If not, WAAL actions can be bypassed and the abstract message is directly mapped to protocol-level messages (no guidance by SPaCiTE)
• The model checker used assumes the Dolev-Yao model for the intruder behaviour
  • The intruder is the network (every component must be wrapped by a proxy to obtain the global observation property)
• No side effects during recovery actions
• Deterministic system