Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of these protection mechanisms strongly depends on the quality of the sanitization and validation rule sets (e.g., regular expressions), so security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in front-end web applications. JCOMIX implements various search algorithms, including random search (traditional fuzzing), genetic algorithms (GAs), and the more recent co-operative, co-evolutionary algorithm designed explicitly for XMLi testing (COMIX). We also present the results of an empirical study showing the effectiveness of JCOMIX in testing an open-source front-end web application.

Original language: English
Title of host publication: ESEC/FSE 2019
Subtitle of host publication: Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Editors: Sven Apel, Marlon Dumas, Alessandra Russo, Dietmar Pfahl
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 1090-1094
Number of pages: 5
ISBN (Electronic): 978-1-4503-5572-8
Publication status: Published - 2019
Event: 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019 - Tallinn, Estonia
Duration: 26 Aug 2019 to 30 Aug 2019

Conference

Conference: 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019
Country: Estonia
City: Tallinn
Period: 26/08/19 to 30/08/19

    Research areas

  • Search-based Software Engineering, Security Testing, Test Case Generation, XML injection

ID: 56952712