Strengthening Web Application Security: A Penetration Regression Test Selection Algorithm for Early Detection of Buffer Overflow Vulnerability
Keywords: Branch coverage, Buffer overflow, Code coverage, Penetration testing, Regression testing, Regression test selection, Security testing, Vulnerability

Abstract
Web applications are prime targets for security breaches, so rigorous regression testing is essential to prevent modifications or enhancements from having adverse effects. The aim of regression testing is to ensure that improvements or modifications to a program's functionality do not adversely affect its existing behaviour. Regression testing is essential because it reduces the size of the test suite, and thus the time and effort spent on testing, as a system or application is modified. Regression test selection methods are widely used in functional testing but have not been addressed in the context of penetration or security testing. Traditional regression testing techniques and code coverage (branch coverage) based test adequacy measurements are found to be inadequate for this purpose. This paper proposes a novel algorithm for penetration regression test selection together with extended branch coverage criteria, focusing predominantly on buffer overflow vulnerability. The algorithm is based on the control-flow structure of the program. Additionally, this approach gives practitioners a systematic method for detecting buffer overflow vulnerability in the unit testing phase, early in the software development life cycle.
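The abstract's claim that plain branch coverage cannot show whether a buffer-overflow boundary was ever exercised, and the idea of selecting regression tests from the control-flow nodes a change touches, as an added illustration (this is not the paper's algorithm; the handler, node names, `BUF_CAP` and the test suites are constructed for the example):

```python
from dataclasses import dataclass, field

BUF_CAP = 16  # capacity of the fixed-size buffer in the modelled handler (constructed)

@dataclass
class Trace:
    nodes: set = field(default_factory=set)     # control-flow nodes executed
    writes: list = field(default_factory=list)  # (write node, bytes written, capacity)

def handle_name(data: str) -> Trace:
    """Instrumented stand-in for a C handler of the form
         if (len == 0) return ERR;   /* branch B1 */
         strcpy(buf, data);          /* write node W1 into buf[BUF_CAP] */
    It records what the real code would execute instead of touching memory."""
    t = Trace()
    if len(data) == 0:
        t.nodes.add("B1_T")
        return t
    t.nodes.add("B1_F")
    t.nodes.add("W1")
    t.writes.append(("W1", len(data) + 1, BUF_CAP))  # +1 for the NUL terminator
    return t

BRANCHES = {"B1_T", "B1_F"}
WRITE_NODES = {"W1"}

def run_suite(suite):
    return {name: handle_name(data) for name, data in suite.items()}

def branch_coverage(traces):
    covered = set().union(*(t.nodes for t in traces.values())) & BRANCHES
    return len(covered) / len(BRANCHES)

def boundary_coverage(traces):
    """Extended criterion: every write node must be reached by at least one test
    whose write size reaches the buffer capacity, i.e. the overflow boundary."""
    hit = {w for t in traces.values() for w, n, cap in t.writes if n >= cap}
    return len(hit & WRITE_NODES) / len(WRITE_NODES)

def select_tests(traces, changed_nodes):
    """Control-flow-based selection: re-run a test if its trace executes a changed
    node; report changed write nodes that no selected test drives to the boundary."""
    chosen = {name for name, t in traces.items() if t.nodes & changed_nodes}
    boundary_hit = {w for name in chosen for w, n, cap in traces[name].writes if n >= cap}
    missing = (WRITE_NODES & changed_nodes) - boundary_hit
    return chosen, missing

# Constructed suites: the functional suite reaches 100% branch coverage without
# ever approaching the buffer boundary; the penetration suite adds that case.
FUNCTIONAL = {"empty": "", "short": "bob"}
PENTEST = {**FUNCTIONAL, "long": "A" * BUF_CAP}
```

With `FUNCTIONAL`, `branch_coverage` is 1.0 while `boundary_coverage` is 0.0, and selecting tests for a change at `W1` reports `W1` as lacking a boundary test; `PENTEST` closes that gap.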
![Creative Commons License](http://i.creativecommons.org/l/by-sa/4.0/88x31.png)
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.