A Model-Based Security Testing Approach for Web Applications

Penetration testing is the most common approach for testing the security of web applications, but model-based testing has been steadily maturing into a viable alternative and complementary approach. Penetration testing is very cost-efficient, in the sense that little pen-testing time usually is enough to reveal several bugs, but the experience of the security analyst is crucial; model-based testing relies on formal methods but the security analyst has to first create a suitable model of the application under test. In this thesis, I propose a formal and flexible model-based framework that supports a security analyst in carrying out security testing of web applications. The main idea underlying this framework is that the use of model-checking techniques can automate the research of possible vulnerable entry points in the web application, i.e., it permits an analyst to perform security testing without missing important checks. Moreover, the framework also al- lows for reuse: the analyst can collect her expertise into the framework and (re)use it during future tests on possibly different web applications, which may be carried out by her or by members of the testing group of the analyst’s organization, if any. In this way, the potentiality of a single test is not related to the expertise of the single analyst on a specific web application but to the expertise of the entire testing group. As concrete examples, I consider four case studies in order to show the suitability and flexibility of the framework. Tests for a variety of vulnerabilities has been performed and compared with the ones executed with three benchmark security tools.