Automatic website pen-testing with domain knowledge

Abstract

Penetration testing, also known as pen-testing, is a way of security assessment to safely exploit potential vulnerabilities on web applications. It is usually achieved manually by security expertise or automatically by a software. Compared to manual testing, automated pen-testing is much faster and more efficient since the performer doesn’t need to be an expert, people with least relevant knowledge can also operate the software. Nevertheless, automatic penetration testing has yet to be developed in detecting situational and logical risks, such as analysis on whether several less severe risks may lead to more significant vulnerability scenarios. An application programming interface, or API, is the interface that allows users to communicate with web applications. As the main object of penetration testing, research have been done on how to automatically discover the relation between different API requests, so that the software can have a systematic view of the whole web application. Most of these testing applications requires API documentation as an input to generate system-level test cases. Therefore, the completeness and accuracy of the API document largely determines the reliability of the testing results. However, we found that most of the publicly available API documents are either outdated or lack of detail. To address this problem, we presented a method to auto-generate API documents by analyzing traffic through it.