Pattern based Web Security Testing

This paper presents a Pattern Based Testing approach for testing security aspects of the applications under test (AUT). It describes the two security patterns which are the focus of this work ("Account Lockout" and "Authentication Enforcer") and the test strategies implemented to check if the applications are vulnerable or not regarding these patterns. The PBST (Pattern Based Security Testing) overall approach has two phases: exploration (to identify the web pages of the application under test) and testing (to execute the test strategies developed in order to detect vulnerabilities). An experiment is presented to validate the approach over five public web applications. The goal is to assess the behavior of the tool when varying the upper limit of pages to visit and assess its capacity to find real vulnerabilities. The results are promising. Indeed, it was possible to check that the vulnerabilities detected corresponded to real security problems.