Input sanitization and validation of user inputs are well-established
protection mechanisms for microservice architectures against XML
injection attacks (XMLi). The effectiveness of the protection mechanisms
strongly depends on the quality of the sanitization and
validation rule sets (e.g., regular expressions) and, therefore, security
analysts have to test them thoroughly. In this demo, we
introduce JCOMIX, a penetration testing tool that generates XMLi
attacks (test cases) exposing XML vulnerabilities in front-end web
applications. JCOMIX implements various search algorithms, including
random search (traditional fuzzing), genetic algorithms
(GAs), and the more recent co-operative, co-evolutionary algorithm
designed explicitly for the XMLi testing (COMIX). We also show the
results of an empirical study showing the effectiveness of JCOMIX
in testing an open-source front-end web application.
Original languageEnglish
Title of host publicationThe 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Publication statusAccepted/In press - 24 Aug 2019

    Research areas

  • Search-based Software Engineering, Search-Based Software Testing, Security Testing, Web Application, Injection Attacks

ID: 54845758