Skip to Main content Skip to Navigation

Testing and Modeling Security Mechanisms in Web Applications

Abstract : This thesis focuses on the issue of security testing of web-applications, considering the internal part of a system (access control policies) and then its interfaces (bypass testing and shielding). The proposed approaches led to address the issue of modelling the security policies as well as the testing artifacts, using Model-Driven Engineering as the underlying technology to propose elements for a model-driven security process. Concerning the internal part of a system, we first study the differences between classical functional tests and test targeting the security mechanisms explicitly (so called security tests). In this context, we adapted mutation analysis to assess and qualify security tests. Then, we proposed three complementary approaches dealing with access control testing; the first one is based on pair-wise technique and allows access control tests to be generated automatically, while the second approach allows functional tests to be selected and transformed into security tests. Finally, the last approach focuses on detecting hidden access control mechanisms, which harm the flexibility and evolutivity of the access control mechanisms. To complete all these approaches which focus on the internal part of the application, we tackled the issue of testing the interface and more precisely bypass-testing. We leveraged the ideas of bypass-testing and used automated analysis of the web application to provide a new approach for testing and shielding web applications against bypass-attacks, which occur when malicious users bypass client-side input validation. The work on access control testing led us to focus on proposing new model-driven approaches for developing and integrating access control mechanisms in a way that guarantees better quality and testability. Two research directions were explored for this purpose. The first one is based on a metamodel and provides a complete MDE process for automatically specifying, and integrating (semi-automatically) access control policies. This approach takes into account testing at the early stage of modeling and provides a generic certification process based on mutation. Finally, the second approach is based on model composition and allows an automated integration of the access control policy, and more importantly the automated reconfiguration of the system when the access control policy needs to evolve.
Document type :
Complete list of metadatas

Cited literature [73 references]  Display  Hide  Download
Contributor : Benoit Baudry <>
Submitted on : Wednesday, December 8, 2010 - 10:25:21 AM
Last modification on : Friday, October 23, 2020 - 4:52:26 PM
Long-term archiving on: : Thursday, June 30, 2011 - 1:40:31 PM


  • HAL Id : tel-00544431, version 1


Tejeddine Mouelhi. Testing and Modeling Security Mechanisms in Web Applications. Software Engineering [cs.SE]. Institut National des Télécommunications, 2010. English. ⟨tel-00544431⟩



Record views


Files downloads