Although the security testing of Web systems can be automated by generating crafted inputs, solutions to automate the test oracle, i.e., distinguishing correct from incorrect outputs, remain preliminary. Specifically, previous work has demonstrated the potential of metamorphic testing; indeed, security failures can be determined by metamorphic relations that turn valid inputs into malicious inputs. However, without further guidance, metamorphic relations are typically executed on a large set of inputs, which is time-consuming and thus makes metamorphic testing impractical. We propose AIM, an approach that automatically selects inputs to reduce testing costs while preserving vulnerability detection capabilities. AIM includes a clustering-based black box approach, to identify similar inputs based on their security properties. It also relies on a novel genetic algorithm able to efficiently select diverse inputs while minimizing their total cost. Further, it contains a problem-reduction component to reduce the search space and speed up the minimization process. We evaluated the effectiveness of AIM on two well-known Web systems, Jenkins and Joomla, with documented vulnerabilities. We compared AIM's results with four baselines. Overall, AIM reduced metamorphic testing time by 84% for Jenkins and 82% for Joomla, while preserving vulnerability detection. Furthermore, AIM outperformed all the considered baselines regarding vulnerability coverage.

翻译：尽管Web系统的安全测试可通过生成精心构造的输入实现自动化，但测试预言（即区分正确输出与错误输出）的自动化解决方案仍处于初步阶段。具体而言，已有研究展示了蜕变测试的潜力：通过将有效输入转化为恶意输入的蜕变关系，可判定安全失效。然而，缺乏进一步指导时，蜕变关系通常需在大量输入上执行，这耗时且使蜕变测试缺乏实用性。本文提出AIM方法，该方法能自动选择输入以降低测试成本，同时保持漏洞检测能力。AIM包含基于聚类的黑盒方法，可根据安全属性识别相似输入；同时依赖新型遗传算法，在最小化总成本的同时高效选择多样化输入。此外，该方法包含问题归约组件，以缩小搜索空间并加速最小化过程。我们在两个知名Web系统Jenkins和Joomla上，利用已记录的漏洞评估了AIM的有效性，并将AIM的结果与四个基线方法进行了对比。总体而言，AIM在保持漏洞检测能力的前提下，使Jenkins和Joomla的蜕变测试时间分别减少了84%和82%。此外，AIM在漏洞覆盖率方面优于所有基线方法。