XSS Pattern for Attack Modeling in Testing

Josip Bozic, Institute for Software Technology, Graz University of Technology, A-8010 Graz, Austria, jbozic@ist.tugraz.at
Franz Wotawa, Institute for Software Technology, Graz University of Technology, A-8010 Graz, Austria, wotawa@ist.tugraz.at

Abstract—Security issues of web applications remain a topic of current interest, especially when considering the consequences of unintended behaviour. Such services may handle sensitive data of thousands or millions of users, so exploitation of the service and other undesired effects that harm users must be avoided. One of the major tasks for developers of such applications is therefore to embed security testing into the software development cycle, which minimizes the debugging and time-intensive upgrading that would otherwise follow. Model-based testing has evolved into one of the methodologies that offer several theoretical and practical approaches to testing the system under test (SUT); these combine input generation strategies such as mutation testing and concrete and symbolic execution, while putting the emphasis on the specification of a model of the application. In this work we propose an approach that uses an attack pattern model in the form of a UML state machine for test case generation and execution. The paper also discusses the current implementation of our attack pattern testing tool using an XSS attack pattern and demonstrates its execution in a case study.

Index Terms—Attack pattern model, cross-site scripting, model-based testing, security testing.

I. INTRODUCTION

With the growing complexity of modern web applications, already known methods of breaching security become more sophisticated. It remains the task of the developer to adapt to the new circumstances by considering new detection and prevention mechanisms.
A previous report [1] shows that the most common software exploitation methods are still cross-site scripting (XSS) and SQL injection (SQLI), even though several protection mechanisms have already been discussed and implemented. Current research in model-based testing offers several methods and solutions for formalizing and implementing testing techniques that can detect potential security leaks in programs. These methods differ according to the initial problem statement. For example, if the source code of the system under test (SUT) is unknown, black-box techniques like fuzz testing are the first choice. Fuzz testing is an optimizing random test case generation method that can also make use of underlying models such as communication process models [2]. On the other hand, if developers want to test their own implementation with complete insight into the source code, white-box testing methods may be applied [3].

In this paper we focus on another direction and concentrate on specifying effective testing mechanisms in the security domain that can be easily integrated into today's software development processes. The most demanding and promising task is the complete automation of the testing process, i.e. establishing that an application withstands the modeled attacks while liberating the tester from time-consuming manual testing work. To make automation possible, all attack vector information must be gathered and structured in one single representation. For this purpose we propose the use of attack patterns, i.e. descriptions of all pre- and postconditions, attack steps, and the expected implications of an attack that is carried out successfully. We formalize the pattern using the UML state machine modeling language [4] and integrate the whole testing system into the Eclipse development environment. In our approach an attack pattern model is executed against the application and reports positive or negative feedback.
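The execution model just described, a state machine whose states each generate one test input and whose transitions are taken on negative feedback until a postcondition holds or the pattern is exhausted, as an added example in Python. This is illustration code written for this page, not the authors' attack pattern testing tool and not code from the paper. The three SUT functions, the state names, the payloads, and the postcondition (the payload is reflected unchanged in the response) are constructed assumptions chosen to show how different paths through the pattern end in different states.

```python
"""Toy attack-pattern state machine for reflected XSS, run against constructed SUTs.

Constructed example: the SUTs, payloads, state names and postcondition are
assumptions made for illustration, not the paper's tool or model.
"""
import html
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


# --- Constructed SUTs: each takes one request parameter and returns the HTML page ---

def sut_unescaped(q: str) -> str:
    """Reflects the parameter verbatim (deliberately vulnerable)."""
    return f"<html><body>Results for: {q}</body></html>"


def sut_blocklist(q: str) -> str:
    """Strips only the literal lowercase <script> tag; other vectors still work."""
    cleaned = q.replace("<script>", "").replace("</script>", "")
    return f"<html><body>Results for: {cleaned}</body></html>"


def sut_escaped(q: str) -> str:
    """Output-encodes the parameter for an HTML text context."""
    return f"<html><body>Results for: {html.escape(q, quote=True)}</body></html>"


# --- Attack pattern model: a state carries the input it generates, a transition
#     names the state entered when the postcondition is NOT met ---

@dataclass
class State:
    name: str
    payload: Optional[str]       # None for the start and end pseudo-states
    on_failure: Optional[str]    # next state on negative feedback


XSS_PATTERN: Dict[str, State] = {
    "start": State("start", None, "plain_tag"),
    "plain_tag": State("plain_tag", "<script>alert(1)</script>", "event_handler"),
    "event_handler": State("event_handler", "<img src=x onerror=alert(1)>", "case_variant"),
    "case_variant": State("case_variant", "<ScRiPt>alert(1)</ScRiPt>", "end"),
    "end": State("end", None, None),
}


def postcondition_met(payload: str, response: str) -> bool:
    """Postcondition assumed for this pattern: the payload appears unencoded in the page."""
    return payload in response


@dataclass
class Report:
    sut: str
    path: List[str] = field(default_factory=list)   # states visited, in order
    detected_in: Optional[str] = None               # state whose input met the postcondition


def run_pattern(sut: Callable[[str], str], sut_name: str,
                pattern: Dict[str, State] = XSS_PATTERN) -> Report:
    """Traverse the pattern from 'start'; every visited state is one executed test case."""
    report = Report(sut=sut_name)
    current = pattern["start"].on_failure
    while current != "end":
        state = pattern[current]
        report.path.append(current)
        response = sut(state.payload)               # execute the test case against the SUT
        if postcondition_met(state.payload, response):
            report.detected_in = current            # positive feedback: stop on this path
            break
        current = state.on_failure                  # negative feedback: enter the next state
    return report


if __name__ == "__main__":
    for name, sut in [("unescaped", sut_unescaped),
                      ("blocklist", sut_blocklist),
                      ("escaped", sut_escaped)]:
        r = run_pattern(sut, name)
        print(f"{name}: path={r.path} detected_in={r.detected_in}")
```

The unescaped SUT is caught by the first state, the blocklist SUT survives the `<script>` input but is caught by the event-handler state, and the encoding SUT exhausts all states with negative feedback. Extending the model, as the text describes, means adding a state with its own input and wiring it into the `on_failure` chain; the traversal logic does not change.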
In our running example, we specify an XSS attack pattern using UML state machines. Each execution step is carried out according to this model, branching through all conditional paths inside its structure. All operations are defined as parts of transitions and states and are invoked whenever one of the states is activated while traversing the model. If a path does not lead to vulnerability detection, another state is entered, which generates another input; this input represents a new test case and is executed against the SUT again. Because test case generation depends solely on predefined methods, a tester may manually add further methods, thus extending the model whenever needed. If the tester already knows the source code of the application, he or she is asked to add the expected postcondition manually to the testing application as trigger events.

II. RELATED WORK

There are several papers dealing with attack modeling and automatic test generation and execution in the context of UML-based and security testing. Kim and colleagues [5] discuss the use of UML state machines for class testing. In their approach, a set of coverage criteria is proposed according to the control and data flow in the model, and test cases are generated from the diagram by satisfying these criteria. The authors describe a method for transforming the state machine into an extended finite