JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications

Dimitri Michel Stallenberg; Annibale Panichella

doi:10.1145/3338906.3341178

JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications

Dimitri Michel Stallenberg, Annibale Panichella

Software Engineering

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

3 Citations (Scopus)

99 Downloads (Pure)

Abstract

Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of the protection mechanisms strongly depends on the quality of the sanitization and validation rule sets (e.g., regular expressions) and, therefore, security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in front-end web applications. JCOMIX implements various search algorithms, including random search (traditional fuzzing), genetic algorithms (GAs), and the more recent co-operative, co-evolutionary algorithm designed explicitly for the XMLi testing (COMIX). We also show the results of an empirical study showing the effectiveness of JCOMIX in testing an open-source front-end web application.

Original language	English
Title of host publication	The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Subtitle of host publication	Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Editors	Sven Apel, Marlon Dumas, Alessandra Russo, Dietmar Pfahl
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	1090-1094
Number of pages	5
ISBN (Electronic)	978-1-4503-5572-8
DOIs	https://doi.org/10.1145/3338906.3341178
Publication status	Published - 2019
Event	27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019: The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering - Tallinn, Estonia Duration: 26 Aug 2019 → 30 Aug 2019

Conference

Conference	27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019
Country/Territory	Estonia
City	Tallinn
Period	26/08/19 → 30/08/19

Keywords

Search-based Software Engineering
Security Testing
Test Case Generation
XML injection

Access to Document

10.1145/3338906.3341178

ESEC-FSE2019Accepted author manuscript, 679 KB

Cite this

Stallenberg, D. M., & Panichella, A. (2019). JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications. In S. Apel, M. Dumas, A. Russo, & D. Pfahl (Eds.), The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering : Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 1090-1094). Association for Computing Machinery (ACM). https://doi.org/10.1145/3338906.3341178

Stallenberg, Dimitri Michel ; Panichella, Annibale. / JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications : A search-based tool to detect XML injection vulnerabilities in web applications. The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering : Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. editor / Sven Apel ; Marlon Dumas ; Alessandra Russo ; Dietmar Pfahl. New York : Association for Computing Machinery (ACM), 2019. pp. 1090-1094

@inproceedings{70acc8f16e5d4fcfacbdc6bacec61b06,

title = "JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications",

abstract = "Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of the protection mechanisms strongly depends on the quality of the sanitization and validation rule sets (e.g., regular expressions) and, therefore, security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in front-end web applications. JCOMIX implements various search algorithms, including random search (traditional fuzzing), genetic algorithms (GAs), and the more recent co-operative, co-evolutionary algorithm designed explicitly for the XMLi testing (COMIX). We also show the results of an empirical study showing the effectiveness of JCOMIX in testing an open-source front-end web application.",

keywords = "Search-based Software Engineering, Security Testing, Test Case Generation, XML injection",

author = "Stallenberg, {Dimitri Michel} and Annibale Panichella",

year = "2019",

doi = "10.1145/3338906.3341178",

language = "English",

pages = "1090--1094",

editor = "Sven Apel and Marlon Dumas and Alessandra Russo and Dietmar Pfahl",

booktitle = "The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019 : The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering ; Conference date: 26-08-2019 Through 30-08-2019",

}

Stallenberg, DM & Panichella, A 2019, JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications. in S Apel, M Dumas, A Russo & D Pfahl (eds), The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering : Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery (ACM), New York, pp. 1090-1094, 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019, Tallinn, Estonia, 26/08/19. https://doi.org/10.1145/3338906.3341178

JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications. / Stallenberg, Dimitri Michel ; Panichella, Annibale.
The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering : Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ed. / Sven Apel; Marlon Dumas; Alessandra Russo; Dietmar Pfahl. New York: Association for Computing Machinery (ACM), 2019. p. 1090-1094.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications

T2 - 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019

AU - Stallenberg, Dimitri Michel

AU - Panichella, Annibale

PY - 2019

Y1 - 2019

N2 - Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of the protection mechanisms strongly depends on the quality of the sanitization and validation rule sets (e.g., regular expressions) and, therefore, security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in front-end web applications. JCOMIX implements various search algorithms, including random search (traditional fuzzing), genetic algorithms (GAs), and the more recent co-operative, co-evolutionary algorithm designed explicitly for the XMLi testing (COMIX). We also show the results of an empirical study showing the effectiveness of JCOMIX in testing an open-source front-end web application.

AB - Input sanitization and validation of user inputs are well-established protection mechanisms for microservice architectures against XML injection attacks (XMLi). The effectiveness of the protection mechanisms strongly depends on the quality of the sanitization and validation rule sets (e.g., regular expressions) and, therefore, security analysts have to test them thoroughly. In this demo, we introduce JCOMIX, a penetration testing tool that generates XMLi attacks (test cases) exposing XML vulnerabilities in front-end web applications. JCOMIX implements various search algorithms, including random search (traditional fuzzing), genetic algorithms (GAs), and the more recent co-operative, co-evolutionary algorithm designed explicitly for the XMLi testing (COMIX). We also show the results of an empirical study showing the effectiveness of JCOMIX in testing an open-source front-end web application.

KW - Search-based Software Engineering

KW - Security Testing

KW - Test Case Generation

KW - XML injection

UR - http://www.scopus.com/inward/record.url?scp=85071927996&partnerID=8YFLogxK

U2 - 10.1145/3338906.3341178

DO - 10.1145/3338906.3341178

M3 - Conference contribution

AN - SCOPUS:85071927996

SP - 1090

EP - 1094

BT - The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

A2 - Apel, Sven

A2 - Dumas, Marlon

A2 - Russo, Alessandra

A2 - Pfahl, Dietmar

PB - Association for Computing Machinery (ACM)

CY - New York

Y2 - 26 August 2019 through 30 August 2019

ER -

Stallenberg DM , Panichella A. JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications. In Apel S, Dumas M, Russo A, Pfahl D, editors, The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering : Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. New York: Association for Computing Machinery (ACM). 2019. p. 1090-1094 doi: 10.1145/3338906.3341178

JCOMIX: a Search-based Tool to Detect XML Injection Vulnerabilities inWeb Applications: A search-based tool to detect XML injection vulnerabilities in web applications

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this