A Web services vulnerability testing approach based on combinatorial mutation and SOAP message mutation

Springer Science and Business Media LLC - Volume 8 - Pages 1-13 - 2013
Jinfu Chen1, Qing Li1, Chengying Mao2, Dave Towey3, Yongzhao Zhan1, Huanhuan Wang1
1School of Computer Science and Telecommunication Engineering, Jiangsu University, Zhenjiang, China
2School of Software and Communication Engineering, Jiangxi University of Finance and Economics, Nanchang, China
3BNU-HKBU United International College, Zhuhai, China

Abstract

The testing of Web services is an essential aspect of their quality assurance; however, because this testing often injects only one mutant at a time, some vulnerability faults cannot be detected. To address this, the current paper presents a set of mutation operators that can be combined and defines the corresponding combinatorial strategies based on data perturbation and combinatorial testing. On this basis, multiple mutants can be injected at one time to help uncover interaction faults. To improve testing efficiency and effectiveness, a combinatorial testing approach focusing on Web service vulnerability is proposed. First, initial test data are generated with perturbation techniques based on Web Services Description Language (WSDL) documents and Simple Object Access Protocol (SOAP) messages. Then, a combinatorial test case generation (CTCG) algorithm is used to generate the final combinatorial test data according to the proposed strategies. Furthermore, for some special Web services whose interface has only one parameter or one method, a fuzzy mutation algorithm is also proposed as a complementary approach to CTCG. Finally, testing experiments are conducted on an integrated testing platform to verify the effectiveness of the proposed approaches. The experiments show that the proposed approaches are both feasible and effective: they find more vulnerability faults than the traditional approaches.
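To make the abstract's central idea concrete, the following added example (not the paper's CTCG algorithm or its operators) applies several simplified perturbation operators to the parameters of a constructed SOAP request and uses a greedy pairwise strategy to select combined test cases, so that every two-parameter operator interaction is exercised while injecting more than one mutant per message. The "transfer" operation, its parameters and the operator set are assumptions for illustration.

```python
import itertools
from xml.etree import ElementTree as ET

# Constructed baseline request for a hypothetical "transfer" operation (not a real service).
BASE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><transfer xmlns="urn:example">
    <account>12345</account><amount>10</amount><memo>test</memo>
  </transfer></soap:Body></soap:Envelope>"""

# Simplified data-perturbation operators; "identity" leaves a parameter untouched.
OPERATORS = {
    "identity": lambda v: v,
    "empty": lambda v: "",
    "boundary": lambda v: str(2 ** 31) if v.lstrip("-").isdigit() else v * 100,
    "negative": lambda v: "-" + v.lstrip("-") if v.lstrip("-").isdigit() else v[::-1],
    "special": lambda v: v + "&<'",
}

def all_pairs(params, ops):
    """Every (param_i=op_a, param_j=op_b) interaction the combinatorial run must cover."""
    return {((p, a), (q, b)) for p, q in itertools.combinations(params, 2)
            for a in ops for b in ops}

def covered(case, pairs):
    """Subset of `pairs` that one test case (param -> operator name) exercises."""
    return {(pa, qb) for pa, qb in pairs if case[pa[0]] == pa[1] and case[qb[0]] == qb[1]}

def pairwise_cases(params, ops):
    """Greedy pairwise generation: repeatedly pick the full assignment that
    covers the most still-uncovered pairs, until no pair is left."""
    uncovered, cases = all_pairs(params, ops), []
    while uncovered:
        candidates = (dict(zip(params, combo))
                      for combo in itertools.product(ops, repeat=len(params)))
        best = max(candidates, key=lambda c: len(covered(c, uncovered)))
        cases.append(best)
        uncovered -= covered(best, uncovered)
    return cases

def mutate_soap(base_xml, case):
    """Apply one combined case to the SOAP body, mutating several parameters at once."""
    root = ET.fromstring(base_xml)
    for el in root.iter():
        local = el.tag.split("}")[-1]  # strip the XML namespace from the tag
        if local in case:
            el.text = OPERATORS[case[local]](el.text or "")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    params = ["account", "amount", "memo"]
    suite = pairwise_cases(params, list(OPERATORS))
    print(len(suite), "cases instead of", len(OPERATORS) ** len(params))
    print(mutate_soap(BASE_SOAP, suite[-1]))
```

Each generated case is a dictionary mapping parameter names to operator names, so the same suite can be replayed against the service under test and any request that produces an unexpected fault can be reproduced from its case alone.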
