Thesis Progress Report - Until 13/4
===

[TOC]

# Outcomes

## Related Work

- Studied previous work on 2 main topics: "Automated Security Testing" & "Automated Test Case Generation"
- Researched similar tools:
  - **Dynamic Security Testing Tools:**
    - Burp Suite
    - Nuclei
  - **Automated Test Case Generation Tools:**
    - EvoSuite
    - ScopeMaster Test Scenarios Generator
    - Randoop

## Approach

- Revisited the problem and split it into 3 smaller subproblems:
  - **Extract key information** from security requirements,
  - **Generate independent test cases** from the key information,
  - Process the independent test cases to become **executable**.
- Sketched out a detailed version of the system architecture:

![image](https://hackmd.io/_uploads/BkkPFuUxC.png)

- The system will consist of 3 modules:
  - Specifications Interpreter
  - Test Case Generator
  - Test Case Transformation

### Specifications Interpreter

![image](https://hackmd.io/_uploads/rJmwqOLlR.png)

- **Subproblem:** Extract key information from security requirements
- **Solution:** Define a formal language, **Simplified Security Specifications** (SSS), to describe the security specifications and the application flow.
- Module breakdown:

|Submodule|Function|
|---|---|
|SSS Parser|Parse an SSS file into a parse tree|
|AST Generator|Simplify the parse tree into an AST|
|Static Checker|Check certain criteria on the AST|
|Extractor|Extract requirements and flow from the AST|

- Example input (SSS language file):

```
The flow comprises 4 steps: login, register, homepage, exit.
Step login should be protected against SQLinjection, PrototypePollution;
Step register should be protected against SQLinjection, PrototypePollution.
Expected flow:
1. register
2. login
2.1 if cond1 then homepage
2.2 if cond2 then register
3. exit
```

### Test Case Generator

![image](https://hackmd.io/_uploads/H1oYst8lA.png)

- **Subproblem:** Generate independent test cases from key information
- **Solution:**
  - For SQL Injection and Prototype Pollution, mark the injection point with a wrapper (e.g. `@SQLiPayload` or `@PPPayload`) that **Test Case Transformation** later expands into concrete payloads
  - Create a control-flow graph from the output of the **Specifications Interpreter**
  - Apply McCabe's basis path testing to deduce the **basis paths** of the system
  - Iterate through each path and perform the following mutations:
    - Remove up to `pathLen // 2` steps from each path (**Forced Browsing**)
    - Replay a step or its previous step, for example:
      - a -> b -> c => a -> b -> b -> c (replay step b, equivalent to pressing the browser's **refresh** button)
      - a -> b -> c => a -> b -> a -> c (replay step a, equivalent to pressing the browser's **back** button)
    - Permute the nodes on the path (expensive: n! orderings)

### Test Case Transformation

![image](https://hackmd.io/_uploads/r1Eajt8lC.png)

- **Subproblem:** Process independent test cases to become executable.
- **Solution:**
  - Implement as a Burp Suite extension.
  - Receive the system under test in 2 forms:
    - Plain HTTP requests in a text file
    - Through the GUI
  - For the **Payload Database**, utilize [SQLMap](https://github.com/sqlmapproject/sqlmap) and [Prototype Pollution Scanner](https://github.com/PortSwigger/server-side-prototype-pollution)
  - Determine the expected output (**test oracle**) by executing the **correct flow**.
  - Execute the generated test cases (flows) and compare their responses to the expected output.
    Criteria:
    - HTTP status code
    - Set-Cookie header
    - Response JSON structure (fields, values of fields)
  - Generate a report on which test cases may indicate a vulnerability (3 levels: **Not Vulnerable**, **Maybe Vulnerable**, **Vulnerable**)

## Implementation

|Module|Technologies|
|---|---|
|Specifications Interpreter|Python, Python library: antlr4, ANTLR4|
|Test Case Generator|Python, Python library: graphviz|
|Test Case Transformation|Java (Burp Suite Extender API), SQLMap, Prototype Pollution Scanner, Burp Suite|

# Difficulties

- Although I have determined the metrics for the experiment (Requirement Coverage, Transition Coverage, Test Case Effectiveness), I struggled to find existing websites on which to test the tool.
- A temporary approach is to use the PortSwigger labs: [SQLInjection](https://portswigger.net/web-security/sql-injection), [PrototypePollution](https://portswigger.net/web-security/prototype-pollution), [Business Logic](https://portswigger.net/web-security/logic-flaws/examples).

# Plan For Next Week

- Complete the GUI implementation of the **Test Case Transformation** module
- Set up, run and evaluate the experiments
- Start writing the thesis report
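A worked example for the **Specifications Interpreter** section above, added here as an illustration and not code from the thesis: a hand-written Python recogniser for the SSS subset shown in the example input (the real module uses an ANTLR4 grammar). The `SSS_EXAMPLE` input is the report's own sample; the `Spec`/`FlowEntry` structures and the checks in `check_spec` (declared step count matches the list, every step named in a requirement or in the flow is declared) are my assumptions about what the AST Generator, Static Checker and Extractor would produce and enforce.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the SSS example from the Specifications Interpreter section.
SSS_EXAMPLE = """\
The flow comprises 4 steps: login, register, homepage, exit.
Step login should be protected against SQLinjection, PrototypePollution;
Step register should be protected against SQLinjection, PrototypePollution.
Expected flow:
1. register
2. login
2.1 if cond1 then homepage
2.2 if cond2 then register
3. exit
"""


@dataclass
class FlowEntry:
    number: str                   # outline number, e.g. "2.1"
    step: str                     # target step name
    condition: Optional[str]      # guard of a conditional branch, None for a plain step


@dataclass
class Spec:
    steps: list                   # declared step names, in declaration order
    protections: dict             # step name -> list of threat classes it must resist
    flow: list                    # FlowEntry objects in source order


# One regex per SSS statement form; anything else is a syntax error.
STEPS_RE = re.compile(r"^The flow comprises (\d+) steps?:\s*(.+?)\.$")
PROTECT_RE = re.compile(r"^Step (\w+) should be protected against\s+(.+?)\s*[;.]$")
FLOW_RE = re.compile(r"^(\d+(?:\.\d+)*)\.?\s+(?:if (\w+) then )?(\w+)$")


def parse_sss(text: str) -> Spec:
    """Recognise the SSS subset shown in the report and return the simplified
    structure the Extractor would hand to the Test Case Generator."""
    steps, declared, protections, flow, in_flow = [], None, {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_flow:                  # everything after "Expected flow:" is a numbered step
            m = FLOW_RE.match(line)
            if not m:
                raise SyntaxError(f"bad flow line: {line!r}")
            flow.append(FlowEntry(m.group(1), m.group(3), m.group(2)))
        elif (m := STEPS_RE.match(line)):
            declared = int(m.group(1))
            steps = [s.strip() for s in m.group(2).split(",")]
        elif (m := PROTECT_RE.match(line)):
            protections[m.group(1)] = [t.strip() for t in m.group(2).split(",")]
        elif line == "Expected flow:":
            in_flow = True
        else:
            raise SyntaxError(f"unrecognised statement: {line!r}")
    spec = Spec(steps, protections, flow)
    check_spec(spec, declared)
    return spec


def check_spec(spec: Spec, declared: Optional[int]) -> None:
    """Static Checker. These criteria are my assumption of what such a checker
    needs; the report only says 'certain criteria'."""
    if declared is None or declared != len(spec.steps):
        raise ValueError(f"declared {declared} steps but listed {len(spec.steps)}")
    known = set(spec.steps)
    for step in spec.protections:
        if step not in known:
            raise ValueError(f"requirement refers to undeclared step {step!r}")
    for entry in spec.flow:
        if entry.step not in known:
            raise ValueError(f"flow refers to undeclared step {entry.step!r}")
    if not spec.flow:
        raise ValueError("expected flow is empty")


if __name__ == "__main__":
    s = parse_sss(SSS_EXAMPLE)
    print("steps:", s.steps)
    for step, threats in s.protections.items():
        print(f"{step}: protect against {', '.join(threats)}")
    for e in s.flow:
        print(e.number, f"if {e.condition} then" if e.condition else "", e.step)
```

The value of the static check is that a typo such as `3. logout` in the flow is rejected before any test case is generated, instead of surfacing later as an HTTP request to a step that does not exist.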
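A worked example for the **Test Case Generator** section above, added as an illustration and not the thesis's own code. The control-flow graph `EDGES` is my reading of the sample flow (2.1/2.2 are branches out of `login`, `homepage` rejoins the main sequence at `exit`; the report's own graph is only shown as an image). `basis_paths` selects V(G) = E - N + 2P linearly independent paths by checking the rank of each candidate's edge-traversal-count vector, and `mutate` applies the three mutations listed (forced browsing, replay as refresh/back, and optional permutation).

```python
from fractions import Fraction
from itertools import combinations, permutations

# Constructed CFG: my reading of the sample flow in the Specifications
# Interpreter section (the report's own graph is only shown as an image).
# Sub-steps 2.1/2.2 are branches out of step 2 (login); the unconditional
# continuation 2 -> 3 is login -> exit, and homepage rejoins at exit.
EDGES = [
    ("register", "login"),    # 1 -> 2
    ("login", "exit"),        # 2 -> 3
    ("login", "homepage"),    # 2.1 if cond1 then homepage
    ("login", "register"),    # 2.2 if cond2 then register (loops back)
    ("homepage", "exit"),     # assumed rejoin to the main sequence
]


def cyclomatic_complexity(edges, nodes, components=1):
    """McCabe: V(G) = E - N + 2P, the number of basis paths."""
    return len(edges) - len(nodes) + 2 * components


def candidate_paths(edges, start, end, max_visits=2):
    """DFS from start to end. A node may appear at most max_visits times per
    path, so the register <-> login loop is walked once and the search ends."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    found = []

    def walk(path):
        if path[-1] == end:
            found.append(tuple(path))
            return
        for nxt in succ.get(path[-1], []):
            if path.count(nxt) < max_visits:
                walk(path + [nxt])

    walk([start])
    return found


def _rank(rows):
    """Rank over the rationals by Gaussian elimination (exact, no float noise)."""
    m = [[Fraction(x) for x in r] for r in rows]
    rank = 0
    for c in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][c] != 0), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        for i in range(len(m)):
            if i != rank and m[i][c] != 0:
                f = m[i][c] / m[rank][c]
                m[i] = [x - f * y for x, y in zip(m[i], m[rank])]
        rank += 1
    return rank


def basis_paths(edges, start, end):
    """Select V(G) linearly independent paths. A path is the vector of how
    often it traverses each edge; a candidate is kept iff it raises the rank."""
    nodes = {n for e in edges for n in e}
    target = cyclomatic_complexity(edges, nodes)
    index = {e: i for i, e in enumerate(edges)}

    def vec(path):
        v = [0] * len(edges)
        for a, b in zip(path, path[1:]):
            v[index[(a, b)]] += 1
        return v

    chosen, rows = [], []
    for p in sorted(candidate_paths(edges, start, end), key=len):
        if len(chosen) == target:
            break
        if _rank(rows + [vec(p)]) > len(rows):
            chosen.append(p)
            rows.append(vec(p))
    return chosen


def mutate(path, permute=False):
    """The three mutations from the Test Case Generator section, returned as
    (kind, steps) pairs with duplicate step sequences removed."""
    path = list(path)
    mutants = []
    for k in range(1, len(path) // 2 + 1):                      # Forced Browsing
        for drop in combinations(range(len(path)), k):
            mutants.append(("forced_browsing",
                            tuple(s for i, s in enumerate(path) if i not in drop)))
    for i in range(1, len(path)):                               # Replay
        mutants.append(("refresh", tuple(path[:i + 1] + [path[i]] + path[i + 1:])))
        mutants.append(("back", tuple(path[:i + 1] + [path[i - 1]] + path[i + 1:])))
    if permute:                                                 # n! orderings: expensive
        mutants += [("permute", p) for p in permutations(path) if list(p) != path]
    seen, unique = set(), []
    for kind, steps in mutants:
        if steps not in seen:
            seen.add(steps)
            unique.append((kind, steps))
    return unique


if __name__ == "__main__":
    for bp in basis_paths(EDGES, "register", "exit"):
        print("basis path:", " -> ".join(bp))
        for kind, steps in mutate(bp):
            print(f"  {kind:16} {' -> '.join(steps)}")
```

For this graph V(G) = 5 - 4 + 2 = 3, and the three basis paths are `register -> login -> exit`, the `homepage` branch, and one trip around the `login -> register` loop. The `max_visits` bound is what keeps enumeration finite on a CFG with a back edge; `permute` is off by default because it grows as n! and most orderings are not reachable flows anyway.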
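A worked example for the test oracle of the **Test Case Transformation** section above, added as an illustration and not the thesis's own code; it is written in Python rather than as Burp extension Java so it runs stand-alone. The responses are constructed. Comparing `Set-Cookie` by cookie name and attribute names only, and the three-level decision rule in `verdict`, are my assumptions: the report lists the criteria but not the rule. The example covers the flow-mutation test cases (forced browsing, replay), not the injection payload cases.

```python
import json

# Constructed responses for the "homepage" step: EXPECTED_HOME comes from
# executing the correct flow (register -> login -> homepage); the others are
# what a forced-browsing test case (homepage with login skipped) might return.
EXPECTED_HOME = {
    "status": 200,
    "set_cookie": ["session=7f3a9c; Path=/; HttpOnly; SameSite=Lax"],
    "body": '{"user": "alice", "balance": 100, "roles": ["customer"]}',
}
BLOCKED = {"status": 302, "set_cookie": [], "body": ""}            # redirected to login
BYPASSED = {
    "status": 200,
    "set_cookie": ["session=b81d02; Path=/; HttpOnly; SameSite=Lax"],  # fresh value, same shape
    "body": '{"user": "alice", "balance": 100, "roles": ["customer"]}',
}
PARTIAL = {
    "status": 200,
    "set_cookie": [],
    "body": '{"user": "guest", "balance": 0, "roles": ["guest"]}',  # same shape, other values
}


def cookie_shape(set_cookie_headers):
    """Compare Set-Cookie by cookie name and attribute names only. The session
    value legitimately changes on every run, so comparing it would flag every
    test case (assumption, not a rule taken from the report)."""
    shape = set()
    for h in set_cookie_headers:
        parts = [p.strip() for p in h.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = frozenset(p.split("=", 1)[0].lower() for p in parts[1:])
        shape.add((name, attrs))
    return shape


def json_shape(obj):
    """Recursive structure of a decoded JSON value: field names and value
    types, not the values themselves."""
    if isinstance(obj, dict):
        return ("object", tuple(sorted((k, json_shape(v)) for k, v in obj.items())))
    if isinstance(obj, list):
        return ("array", tuple(json_shape(v) for v in obj))
    return type(obj).__name__


def _body(resp):
    return json.loads(resp["body"]) if resp.get("body") else None


def compare(expected, actual):
    """Per-criterion match between the oracle response and the observed one."""
    exp, act = _body(expected), _body(actual)
    return {
        "status": expected["status"] == actual["status"],
        "set_cookie": cookie_shape(expected.get("set_cookie", []))
                      == cookie_shape(actual.get("set_cookie", [])),
        "json_structure": json_shape(exp) == json_shape(act),
        "json_values": exp == act,
    }


def verdict(expected, actual):
    """Assumed decision rule for a flow-mutation test case: if the mutated flow
    reproduces the correct flow's response, the skipped or replayed steps were
    not enforced by the server."""
    r = compare(expected, actual)
    if all(r.values()):
        return "Vulnerable"
    if r["status"] and r["json_structure"]:
        return "Maybe Vulnerable"
    return "Not Vulnerable"


def report(cases, expected):
    """cases: list of (test case name, observed response). One row per test
    case with the verdict and the criteria that did not match."""
    rows = []
    for name, actual in cases:
        r = compare(expected, actual)
        rows.append({"test_case": name, "verdict": verdict(expected, actual),
                     "mismatches": [k for k, ok in r.items() if not ok]})
    return rows


if __name__ == "__main__":
    for row in report([("skip login", BLOCKED), ("skip login (bypass)", BYPASSED),
                       ("skip login (partial)", PARTIAL)], EXPECTED_HOME):
        print(row)
```

In the Burp extension the same comparison would run over the request/response pairs the extension replays; the point worth carrying over is that the oracle compares the shape of session-dependent data (cookie names, attributes, JSON fields and types) and only then the values, so a fresh session cookie does not turn every replayed step into a false negative.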