Generation of PHP vulnerability test cases for XSS and SQLi (NEXTA 2022 - 5th International Workshop on the Next Level of Test Automation )

Write a Blog >>

Mon 4 - Fri 8 April 2022

Who

Felix Schuckert, Basel Katt, Hanno Langweg

Track

NEXTA 2022

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Fri 8 Apr 2022 14:20 - 14:40 at Marlyn Meltzer - NEXTA II Chair(s): Michael Felderer

Abstract

Synthetic static code analysis test suites are important to test the basic functionality of tools. We present a framework that uses different source code patterns to generate Cross Site Scripting and SQL injection test cases. A decision tree is used to determine if the test cases are vulnerable. The test cases are split into two test suites. The first test suite contains 258,432 test cases that have influence on the decision trees. The second test suite contains 20 vulnerable test cases with different data flow patterns. The test cases are scanned with two commercial static code analysis tools to show that they can be used to benchmark and identify problems of static code analysis tools. Expert interviews confirm that the decision tree is a solid way to determine the vulnerable test cases and that the test suites are relevant.

Felix Schuckert

HTWG Konstanz / NTNU Gjøvik

Germany

Basel Katt

Hanno Langweg