IWCT 2021 – Bernhard Garn and Dimitris Simos @ 10th International Workshop on Combinatorial Testing

Bernhard Garn and Dimitris Simos from SBA’s MATRIS research group joined the 10th International Workshop on Combinatorial Testing (IWCT 2021) on Monday, April 12, 2021, in a virtual setting.

Dimitris served as the general chair of the workshop and was pleased with this year’s contributions dealing with new emerging technologies such as artificial intelligence and autonomous driving. He thanked the organizing committee for their intensive work making the workshop possible in a remote setting.

Bernhard presented the paper Combinatorially XSSing Web Application Firewalls, a joint work between Daniel Sebastian Lang (a former student at TU Wien working with MATRIS), Manuel Leithner (SBA Research), Rick Kuhn (US NIST), Raghu Kacker (US NIST) and Dimitris E. Simos (SBA Research). In their work, the authors evaluated the effectiveness of web application firewalls (WAFs) at detecting XSS exploits. They developed an attack grammar, used a combinatorial testing approach to generate attack vectors from it, and compared the combinatorially generated XSS attack vectors with conventional static, list-based counterparts for their ability to bypass different WAFs (several versions of ModSecurity and NAXSI, as well as lua-resty-waf). Their results showed that the combinatorially generated vectors performed equally well or better in almost all cases. The paper further confirmed that most of the rule sets evaluated therein can be bypassed by at least one of the crafted inputs.
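The approach described above, as an added example that is not part of the paper or of this page: a small attack grammar (constructed here, not the paper's grammar), a greedy pairwise covering-array generator standing in for a real tool such as CAgen, and a constructed regex signature filter (not the rule set of any of the WAFs named above) against which a static vector list and the combinatorially generated vectors are compared for bypasses. All parameter values, signatures and the static list are illustrative assumptions.

```python
"""Toy combinatorial XSS vector generation versus a naive signature filter.

Added example; grammar, signatures and static list are constructed for
illustration and do not come from the paper or from any real WAF rule set.
"""
import itertools
import re

# Constructed attack grammar: each parameter takes one of a few values and a
# concrete vector is rendered from a full assignment (one value per parameter).
GRAMMAR = {
    "tag":     ["img", "svg", "body"],
    "sep":     [" ", "/", "\t"],                 # separator between tag and attribute
    "handler": ["onload", "onerror", "onmouseover"],
    "quote":   ['"', "'", ""],
    "payload": ["alert(1)", "alert`1`", "prompt(1)"],
}


def render(assignment):
    """Turn a parameter assignment into a concrete attack string."""
    a = assignment
    return f'<{a["tag"]}{a["sep"]}{a["handler"]}={a["quote"]}{a["payload"]}{a["quote"]}>'


def covering_array(grammar, strength=2):
    """Greedy t-way covering array: repeatedly add the full assignment that
    covers the most still-uncovered t-tuples. Simple, not optimal; real
    generators such as CAgen produce smaller arrays on larger grammars."""
    params = list(grammar)

    def tuples_of(row):
        return {tuple((p, row[p]) for p in ps)
                for ps in itertools.combinations(params, strength)}

    candidates = [dict(zip(params, vals)) for vals in itertools.product(*grammar.values())]
    uncovered = set().union(*(tuples_of(r) for r in candidates))
    rows = []
    while uncovered:
        best = max(candidates, key=lambda r: len(tuples_of(r) & uncovered))
        rows.append(best)
        uncovered -= tuples_of(best)
    return rows


def covers_all(rows, grammar, strength=2):
    """Check that every t-tuple of parameter values appears in some row."""
    params = list(grammar)
    needed = {tuple(zip(ps, vals))
              for ps in itertools.combinations(params, strength)
              for vals in itertools.product(*(grammar[p] for p in ps))}
    have = {tuple((p, r[p]) for p in ps)
            for r in rows for ps in itertools.combinations(params, strength)}
    return needed <= have


# Constructed toy signature filter standing in for a naive list-based WAF rule.
# It is not a ModSecurity, NAXSI or lua-resty-waf rule.
SIGNATURES = [
    re.compile(r"<(img|svg|body)\s+on\w+\s*=", re.I),   # "<tag onXXX=" with whitespace
    re.compile(r"\balert\s*\(", re.I),                  # the classic alert(...) payload
]


def blocked(vector):
    """True if any signature matches the candidate request payload."""
    return any(sig.search(vector) for sig in SIGNATURES)


# Constructed static list of well-known vectors: the conventional baseline.
STATIC_LIST = [
    '<img src=x onerror="alert(1)">',
    '<svg onload="alert(1)">',
    '<body onload=alert(1)>',
]


def bypassing(vectors):
    """Vectors the filter lets through."""
    return [v for v in vectors if not blocked(v)]


def compare():
    """Bypass counts for the static list and the pairwise-generated vectors."""
    combinatorial = [render(r) for r in covering_array(GRAMMAR, strength=2)]
    return {
        "static_total": len(STATIC_LIST),
        "static_bypass": len(bypassing(STATIC_LIST)),
        "combinatorial_total": len(combinatorial),
        "combinatorial_bypass": len(bypassing(combinatorial)),
    }


if __name__ == "__main__":
    print(compare())
    for v in bypassing(render(r) for r in covering_array(GRAMMAR)):
        print("bypass:", repr(v))
```

The point the example makes is structural rather than about any specific WAF: the static list only exercises the value combinations someone thought to write down, so a signature tuned to those shapes blocks all of them, while pairwise coverage of the grammar guarantees that every pair of values (here, for instance, a "/" separator together with a non-alert payload) appears in at least one generated vector, which is exactly where a rule written against the familiar shapes tends to fail. Extending the grammar (encodings, comment insertion, case variants) and raising the strength to 3-way is the natural next step, and that is where a proper covering-array generator becomes necessary.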

Furthermore, another paper presented at this year's IWCT, An Environment for Benchmarking Combinatorial Test Suite Generators by Andrea Bombarda, Edoardo Crippa and Angelo Gargantini, concludes that CAgen, the combinatorial test generation tool developed by the MATRIS research group, showed the best performance in a diverse and extensive benchmark setting.