Security testing aims at verifying that the software meets its security properties. In modern Web systems, however, this often entails the verification of the outputs generated when exercising the system with a very large set of inputs. Full automation is thus required to lower costs and increase the effectiveness of security testing. Unfortunately, to achieve such automation, in addition to strategies for automatically deriving test inputs, we need to address the oracle problem, which refers to the challenge, given an input for a system, of distinguishing correct from incorrect behavior. In this paper, we propose Metamorphic Security Testing for Web-interactions (MST-wi), a metamorphic testing approach that integrates test input generation strategies inspired by mutational fuzzing and alleviates the oracle problem in security testing. It enables engineers to specify metamorphic relations (MRs) that capture many security properties of Web systems. To facilitate the specification of such MRs, we provide a domain-specific language accompanied by an Eclipse editor. MST-wi automatically collects the input data and transforms the MRs into executable Java code to automatically perform security testing. It automatically tests Web systems to detect vulnerabilities based on the relations and collected data. We provide a catalog of 76 system-agnostic MRs to automate security testing in Web systems. It covers 39% of the OWASP security testing activities not automated by state-of-the-art techniques; further, our MRs can automatically discover 102 different types of vulnerabilities, which correspond to 45% of the vulnerabilities due to violations of security design principles according to the MITRE CWE database. We also define guidelines that enable test engineers to improve the testability of the system under test with respect to our approach.

翻译：安全测试旨在验证软件是否满足其安全属性。然而，在现代Web系统中，这通常需要验证系统在大量输入下产生的输出。因此，必须实现完全自动化以降低成本和提升安全测试的有效性。遗憾的是，要实现这种自动化，除了自动生成测试输入的策略外，我们还需要解决预言机问题——即给定系统输入后，区分正确与错误行为的挑战。在本文中，我们提出面向Web交互的蜕变式安全测试（MST-wi），这是一种集成了受变异模糊测试启发的测试输入生成策略，并缓解了安全测试中预言机问题的蜕变测试方法。它使工程师能够指定捕获Web系统多项安全属性的蜕变关系（MRs）。为便于此类MR的规格说明，我们提供了一种领域特定语言，并配以Eclipse编辑器。MST-wi自动收集输入数据，并将MRs转化为可执行的Java代码，从而实现自动化的安全测试。它基于这些关系和收集的数据自动测试Web系统以检测漏洞。我们提供了一个包含76种与系统无关的MRs的目录，用于自动化Web系统的安全测试。这些MR覆盖了现有技术未能自动化的OWASP安全测试活动中的39%；此外，我们的MRs能自动发现102种不同类型的漏洞，这相当于根据MITRE CWE数据库，因违反安全设计原则而导致的漏洞中的45%。我们还定义了指南，使测试工程师能够针对我们的方法提高被测系统的可测试性。