Abstract:
Web applications have become an integral part of almost every business, so their security can no longer be
sidestepped. Penetration testing is an important contributor to web security quality: its purpose is to
penetrate a system without causing damage and to find the vulnerabilities that attackers could exploit.
Efficient penetration testing requires a comprehensive fault model, because a fault model lets test scenarios
be identified systematically. In this thesis we propose a fault model for penetration testing of web
applications comprising a fault domain, fault types, coverage criteria and test generation. We provide seven
test patterns from which abstract test cases can be derived, together with a traceability template that
records which faults a given system or testing cycle/activity has covered. We treat the physical location of
a fault as a dimension of the model and use the OWASP and NIST classifications as baseline standards for
classifying faults. For evaluation we use live, real-world projects as case studies: we generate test cases
from the fault model and execute them against each case study. Two case studies, Qalum Guru and Pakistan
Testing Service (PTS), were selected for detailed execution; Facebook and Dropbox were selected for execution
of a subset of the test cases, to show that fault-model-based test cases apply to such applications as well.
Because the case studies are systems in production use, only non-destructive test cases were executed against
them. The fault-model-based test cases do detect faults. The results of the case studies show that automated
tools alone cannot detect all vulnerabilities in an application, whereas manual methods driven by a
comprehensive list of fault domains, fault types and coverage criteria can prove more beneficial. We chose
running applications to show that penetration testing is still required even for commercial products and
services already in use, and we point out that the testing these applications had received previously was not
driven by a fault model and its resulting test patterns.