SWaTEval: An Evaluation Framework for Stateful Web Application Testing

Anne Borcherding, Nikolay Penkov, Mark Giraud, Jürgen Beyerer

2023

Abstract

Web applications are an easily accessible and valuable target for attackers. Therefore, web applications need to be examined for vulnerabilities. Modern web applications usually behave in a stateful manner and hence have an underlying state machine that determines their behavior based on the current state. To thoroughly test a web application, it is necessary to consider all of its aspects, including its internal states. In a blackbox setting, which we presuppose for this work, the internal state machine must, however, be inferred before it can be used for testing. For state machine inference it is necessary to choose a similarity measure for web pages. Some approaches for automated blackbox stateful testing of web applications have already been proposed. It is, however, unclear how these approaches perform in comparison. We therefore present our evaluation framework for stateful web application testing, SWaTEval. In our evaluation, we show that SWaTEval is able to reproduce evaluation results from the literature, demonstrating that SWaTEval is suitable for conducting meaningful evaluations. Further, we use SWaTEval to evaluate various approaches to similarity measures for web pages, including a new method based on the Euclidean distance that we propose in this paper. These similarity measures are an important part of the automated state machine inference necessary for stateful blackbox testing. We show that the choice of similarity measure has an impact on the performance of the state machine inference regarding the number of correctly identified states, and that our newly proposed similarity measure leads to the highest number of correctly identified states.

Paper Citation


in Harvard Style

Borcherding A., Penkov N., Giraud M. and Beyerer J. (2023). SWaTEval: An Evaluation Framework for Stateful Web Application Testing. In Proceedings of the 9th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-624-8, pages 430-441. DOI: 10.5220/0011652200003405


in Bibtex Style

@conference{icissp23,
author={Anne Borcherding and Nikolay Penkov and Mark Giraud and Jürgen Beyerer},
title={SWaTEval: An Evaluation Framework for Stateful Web Application Testing},
booktitle={Proceedings of the 9th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2023},
pages={430-441},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011652200003405},
isbn={978-989-758-624-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 9th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - SWaTEval: An Evaluation Framework for Stateful Web Application Testing
SN - 978-989-758-624-8
AU - Borcherding A.
AU - Penkov N.
AU - Giraud M.
AU - Beyerer J.
PY - 2023
SP - 430
EP - 441
DO - 10.5220/0011652200003405