摘要
研制自动化的Web服务脆弱性测试工具对基于Web服务的软件工程有重大影响,并能提高软件的安全性和可靠性,是当前软件行业一个有意义的研究课题。针对广泛使用的Web服务,设计和实现了一个测试Web服务脆弱性的原型系统WSVTS(Web Service Vulnerability Testing System)。根据SOAP消息参数的个数和类型,实现了两种基于SOAP消息变异的Web服务脆弱性测试方法,分别是最坏差异输入变异方法(The Worst-input MutationApproach)和杂乱数据变异方法(Fuzz Data-input Mutation Approach)。测试系统融合这两种测试方法,实现了两种测试用例生成算法,分别是最远邻测试用例生成算法TCFN(Test Cases generation based on Farthest Neighbor)和杂乱数据输入变异算法FDMA(Fuzz Data-input Mutation Algorithm),然后,将算法产生的测试用例作用于SOAP请求消息,从客户端观察应答消息,来分析Web服务的脆弱性。
The automatic tool of testing Web service vulnerability brings great effect on Web service-based software en- gineering,and they can effectively ensure the security and reliability of Web service-based software. According to Web service which is used widely, a prototype system WSVTS(Web Service Vulnerability Testing System) was designed and implemented. Two mutation approaches of testing Web service vulnerability based on the input domain of SOAP mes- sage, namely the worst-input mutation approach and fuzz data-input mutation approach, were implemented. Based on the two approaches, two test cases generation algorithms which are Test Cases generation based on Farthest Neighbor (TCFN) and Fuzz Data-input Mutation Algorithm (FDMA) were also implemented. Then, the test cases generated by the algorithms were executed in the SOAP requesting message. The vulnerability of the Web services can be detected by the response message of the client.
出处
《计算机科学》
CSCD
北大核心
2013年第7期143-146,186,共5页
Computer Science
基金
国家自然科学基金项目(61202110
61063013)
教育部博士点专项基金项目(20103227120005)
江苏省自然科学基金项目(BK2012284)资助
