IWCT 2021 – Bernhard Garn and Dimitris Simos @ 10th International Workshop on Combinatorial Testing
Bernhard Garn and Dimitris Simos from SBA’s MATRIS research group joined the 10th International Workshop on Combinatorial Testing (IWCT 2021) on Monday, April 12, 2021, in a virtual setting.
Dimitris served as the general chair of the workshop and was pleased with this year’s contributions dealing with new emerging technologies such as artificial intelligence and autonomous driving. He thanked the organizing committee for their intensive work making the workshop possible in a remote setting.
Bernhard presented the paper Combinatorially XSSing Web Application Firewalls, a joint work between Daniel Sebastian Lang (a former student at TU Wien working with MATRIS), Manuel Leithner (SBA Research), Rick Kuhn (US NIST), Raghu Kacker (US NIST) and Dimitris E. Simos (SBA Research). In their work, the authors evaluated the effectiveness of web application firewalls (WAFs) at detecting XSS exploits. They developed an attack grammar, used a combinatorial testing approach to generate attack vectors, and compared the combinatorially generated XSS attack vectors with conventional static list-based counterparts with respect to their ability to bypass different WAFs (including different versions of ModSecurity and NAXSI, as well as lua-resty-waf). Their results showed that the vectors generated with combinatorial testing performed equally well or better in almost all cases. The paper further confirmed that most of the rule sets evaluated therein can be bypassed by at least one of these crafted inputs.
Furthermore, another paper presented at this IWCT, An Environment for Benchmarking Combinatorial Test Suite Generators, by Andrea Bombarda, Edoardo Crippa and Angelo Gargantini, comes to the conclusion that CAgen, the combinatorial test generation tool developed by the MATRIS research group, showed the best performance in a diverse and extensive benchmark setting.