Article code: 460241
Journal code: 696320
Publication year: 2016
English article: 13 pages, PDF
Full-text version: free download
English title of the ISI article
Multiple-path testing for cross site scripting using genetic algorithms
Title (translated from the Persian rendering)
Multiple-path testing for cross site scripting using genetic algorithms
Related topics
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract

• Use path coverage as the test coverage criterion.
• Formalize the problem of test data generation as a search problem.
• Focus on the cross site scripting (XSS) type of vulnerability.
• Propose an approach that uses genetic algorithms (GA) together with a database of XSS vulnerability patterns to generate multiple-path coverage for a script under test (SUT) against XSS vulnerability.
• Design the genetic algorithms so that multiple test data are generated in one run, covering multiple vulnerable paths.

Web applications suffer from different security vulnerabilities that could be exploited by hackers to cause harm in a variety of ways. A number of approaches have been proposed to test for such vulnerabilities; however, some gaps remain to be addressed. In this paper, we address one such gap: the problem of automatically generating test data (i.e., possible attacks) to test for the cross site scripting (XSS) type of vulnerability. The objective is to generate a set of test data that exercises candidate security-vulnerable paths in a given script. The desirable set of test data must be effective in the sense that it uncovers whether any path can indeed be exploited to launch an attack. We designed a genetic algorithm-based test data generator that uses a database of XSS attack patterns to generate possible attacks and to assess whether each attack is successful. We considered different types of XSS vulnerability: stored, reflected and DOM based. We empirically validated our test data generator using case studies of Web applications developed with PHP and MySQL. Empirical results show that our test data generator is effective in generating, in one run, multiple test data to cover multiple target paths.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Systems Architecture - Volume 64, March 2016, Pages 50–62
Authors