{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:42:07Z","timestamp":1775745727275,"version":"3.50.1"},"reference-count":44,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,3,9]],"date-time":"2020-03-09T00:00:00Z","timestamp":1583712000000},"content-version":"vor","delay-in-days":8,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Software Qual J"],"published-print":{"date-parts":[[2020,3]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Web applications are deployed on machines around the globe and offer almost universal accessibility. These applications assure functional interconnectivity between different components on a 24\/7 basis. One of the most important requirements is data confidentiality and secure authentication. However, implementation flaws and unfulfilled requirements often result in security leaks that malicious users eventually exploited. In this context, the application of different testing methods is of utmost importance in order to detect software defects during development and to prevent unauthorized access in advance. In this paper, we contribute to test automation for web applications. In particular, we focus on using planning for testing where we introduce underlying models covering attacks and their use in testing of web applications. The planning model offers a high degree of extendibility and configurability and as well overcomes limits of traditional graphical representations. New testing possibilities emerge that eventually lead to better vulnerability detection, therefore ensuring more secure web services and applications.<\/jats:p>","DOI":"10.1007\/s11219-019-09469-y","type":"journal-article","created":{"date-parts":[[2020,3,9]],"date-time":"2020-03-09T08:03:12Z","timestamp":1583740992000},"page":"307-334","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":13,"title":["Planning-based security testing of web applications with attack grammars"],"prefix":"10.1007","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6086-8846","authenticated-orcid":false,"given":"Josip","family":"Bozic","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0462-2283","authenticated-orcid":false,"given":"Franz","family":"Wotawa","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2020,3,9]]},"reference":[{"key":"9469_CR1","doi-asserted-by":"crossref","unstructured":"Anderson, J.S., & Fickas, S. (1989). A proposed perspective shift: viewing specification design as a planning problem. In Proceedings of the 5th international workshop on software specification and design (IWSSD\u201989).","DOI":"10.1145\/75199.75227"},{"key":"9469_CR2","unstructured":"Apache HttpComponents - HttpClient (2018) https:\/\/hc.apache.org\/httpcomponents-client-ga\/. Accessed 2 Feb 2018."},{"key":"9469_CR3","doi-asserted-by":"crossref","unstructured":"Appelt, D., Nguyen, C.D., Briand, L., Alshahwan, N. (2014). Automated testing for SQL injection vulnerabilities: an input mutation approach. In Proceedings of the 2014 international symposium on software testing and analysis (ISSTA\u201914).","DOI":"10.1145\/2610384.2610403"},{"key":"9469_CR4","unstructured":"Backes, M., Hoffmann, J., Kunnemann, R., Speicher, P., Steinmetz, M. (2017). Simulated penetration testing and mitigation analysis. arXiv:1705.05088 (2017)."},{"key":"9469_CR5","unstructured":"Backus, J.W. (1959). The antics of the proposed international algebraic language of the Zurich ACM-GAMM conference. In Proceedings of the international conference on information processing, UNESCO (pp. 125\u2013132)."},{"key":"9469_CR6","doi-asserted-by":"crossref","unstructured":"Blum, A., & Furst, M. (1995). Fast planning through planning graph analysis. In IJCAI95 (pp. 1636\u20131642).","DOI":"10.21236\/ADA303260"},{"key":"9469_CR7","unstructured":"Bozic, J., & Wotawa, F. (2012). Model-based testing - from safety to security. In Proceedings of the 9th workshop on systems testing and validation (STV\u201912) (pp. 9\u201316)."},{"key":"9469_CR8","unstructured":"Bozic, J., & Wotawa, F. (2014). Plan It! Automated security testing based on planning. In Proceedings of the 26th IFIP WG 6.1 IFIP international conference on testing software and systems (ICTSS\u201914) (pp. 48\u201362)."},{"key":"9469_CR9","doi-asserted-by":"crossref","unstructured":"Bozic, J., & Wotawa, F. (2015). PURITY: a planning-based secURITY testing tool. In 2015 IEEE international conference on software quality, reliability and security-companion (QRS-c) (pp. 46\u201355).","DOI":"10.1109\/QRS-C.2015.19"},{"key":"9469_CR10","doi-asserted-by":"crossref","unstructured":"Bozic, J., & Wotawa, F. (2018). Planning-based security testing of web applications. In Proceedings of the 13th international workshop on automation of software test (AST\u201918).","DOI":"10.1145\/3194733.3194738"},{"key":"9469_CR11","doi-asserted-by":"crossref","unstructured":"B\u00fcchler, M., Oudinet, J., Pretschner, A. (2012). Semi-automatic security testing of web applications from a secure model. In IEEE Sixth international conference on software security and reliability.","DOI":"10.1109\/SERE.2012.38"},{"key":"9469_CR12","volume-title":"SQL injection attacks and defense","author":"J Clarke","year":"2012","unstructured":"Clarke, J., Fowler, K., Oftedal, E., Alvarez, R.M., Hartley, D., Kornbrust, A., O\u2019Leary-Steele, G., Revelli, A., Siddharth, S., Slaviero, M. (2012). SQL injection attacks and defense, 2nd edn. Elsevier: Syngress.","edition":"2nd edn."},{"key":"9469_CR13","unstructured":"Duchene, F., Rawat, S., Richier, J.L., Groz, R. (2014). KameleonFuzz: evolutionary fuzzing for black-box XSS detection. In CODASPY (pp. 37\u201348): ACM."},{"key":"9469_CR14","unstructured":"Durkota, K., & Lisy, V. (2014). Computing optimal policies for attack graphs with action failures and costs. In 7th European starting AI researcher symposium (STAIRS\u201914)."},{"key":"9469_CR15","doi-asserted-by":"crossref","unstructured":"Felderer, M., Zech, P., Breu, R., B\u00fcchler, M., Pretschner, A. (2016). Model-based security testing: a taxonomy and systematic classification. In Software testing, verification and reliability, Vol. 26.","DOI":"10.1002\/stvr.1580"},{"key":"9469_CR16","doi-asserted-by":"crossref","unstructured":"Fikes, R.E., & Nilsson, N.J. (1971). STRIPS: a new approach to the application of theorem proving to problem solving. In Artificial intelligence (pp. 189\u2013208).","DOI":"10.1016\/0004-3702(71)90010-5"},{"key":"9469_CR17","doi-asserted-by":"crossref","unstructured":"Fogie, S., Grossman, J., Hansen, R., Rager, A., Petkov, P.D. (2007). XSS attacks: cross site scripting exploits and defense syngress.","DOI":"10.1016\/B978-159749154-9\/50005-6"},{"key":"9469_CR18","unstructured":"Ghallab, M., Nau, D., Traverso, P. (2004). Automated planning: theory and practice. In Morgan Kaufmann."},{"key":"9469_CR19","doi-asserted-by":"crossref","unstructured":"Godefroid, P., Kiezun, A., Levin, M.Y. (2008). Grammar-based whitebox fuzzing. In Proceedings of the ACM conference on programming language design and implementation (PLDI) (pp. 206\u2013215).","DOI":"10.1145\/1375581.1375607"},{"key":"9469_CR20","unstructured":"Google Gruyere - App Engine. (2018) https:\/\/google-gruyere.appspot.com\/. Accessed: 18 Jul 2018."},{"key":"9469_CR21","unstructured":"Grammar-solver. (2018) https:\/\/github.com\/bd21\/Grammar-Solver. Accessed: 13 Jul 2018."},{"key":"9469_CR22","unstructured":"Hoffmann, J., & Brafman, R. (2005). Contingent planning via heuristic forward search with implicit belief states. In Proceedings of the 15th international conference on automated planning and scheduling (ICAPS\u201905)."},{"key":"9469_CR23","unstructured":"HTML Tutorial. (2018) https:\/\/www.w3schools.com\/html\/. Accessed: 13 Jul 2018."},{"key":"9469_CR24","unstructured":"JavaGP - Java implementation of Graphplan. (2017) https:\/\/github.com\/pucrs-automated-planning\/javagp. Accessed: 11 Dec 2017."},{"key":"9469_CR25","unstructured":"jsoup: Java HTML Parser. (2018) https:\/\/jsoup.org\/. Accessed: 2 Feb 2018."},{"key":"9469_CR26","doi-asserted-by":"publisher","DOI":"10.1002\/9781119130161","volume-title":"Model-based testing essentials - guide to the ISTQB certified model-based tester : foundation level","author":"A Kr\u00e4mer","year":"2016","unstructured":"Kr\u00e4mer, A., & Legeard, B. (2016). Model-based testing essentials - guide to the ISTQB certified model-based tester : foundation level. New York: Wiley."},{"key":"9469_CR27","doi-asserted-by":"crossref","unstructured":"Kuhn, D.R., Bryce, R., Duan, F., Ghandehari, L.S., Lei, Y., Kacker, N.R. (2015). Combinatorial testing: theory and practice. In Advances in computers, Vol. 99.","DOI":"10.1016\/bs.adcom.2015.05.003"},{"key":"9469_CR28","unstructured":"McDermott, D., Ghallab, M., Howe, A., Knoblock, C., Ram, A., Veloso, M., Weld, D., Wilkins, D. (1998). PDDL - The planning domain definition language. In The AIPS-98 planning competition comitee."},{"key":"9469_CR29","unstructured":"Metric-FF. (2016) http:\/\/fai.cs.uni-saarland.de\/hoffmann\/metric-ff.html. Accessed: 2 Dec 2016."},{"key":"9469_CR30","unstructured":"Naur, P. (1960). Revised report on the algorithmic language ALGOL 60. In Communications of the ACM, (Vol. 3 pp. 299\u2013314)."},{"key":"9469_CR31","unstructured":"OWASP Mutillidae 2 Project. (2018) https:\/\/www.owasp.org\/index.php\/OWASP_Mutillidae_2_Project. Accessed: 4 Feb 2018."},{"key":"9469_CR32","unstructured":"OWASP Top Ten Project. (2018) https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project. Accessed: 31 Jan 2018."},{"key":"9469_CR33","doi-asserted-by":"crossref","unstructured":"Raunak, M., Kuhn, D., Kacker, R. (2017). Combinatorial testing of full text search in web applications. In 2017 IEEE international conference on software quality, reliability and security companion (QRS-c).","DOI":"10.1109\/QRS-C.2017.24"},{"key":"9469_CR34","volume-title":"Artificial intelligence: a modern approach","author":"SJ Russell","year":"1995","unstructured":"Russell, S.J., & Norvig, P. (1995). Artificial intelligence: a modern approach. Englewood Cliffs: Prentice Hall."},{"key":"9469_CR35","unstructured":"Shameli-Sendi, A., Dagenais, M., Wang, L. (2017). Realtime intrusion risk assessment model based on attack and service dependency graphs. In Computer communications."},{"key":"9469_CR36","doi-asserted-by":"crossref","unstructured":"Shmaryahu, D., Shani, G., Hoffmann, J., Steinmetz, M. (2018). Simulated penetration testing as contingent planning. In Proceedings of the twenty-eighth international conference on automated planning and scheduling (ICAPS 2018).","DOI":"10.1609\/icaps.v28i1.13902"},{"key":"9469_CR37","unstructured":"Simos, D.E., Bozic, J., Garn, B., Leithner, M., Duan, F., Kleine, K., Lei, Y., Wotawa, F. (2018). Testing TLS using planning-based combinatorial methods and execution framework. In Software quality journal (2018)."},{"key":"9469_CR38","doi-asserted-by":"crossref","unstructured":"Simos, D.E., Kleine, K., Ghandehari, L.S.G., Garn, B., Lei, Y. (2016). A combinatorial approach to analyzing cross-site scripting (XSS) vulnerabilities in web application security testing. In IFIP international conference on testing software and systems (ICTSS\u201916).","DOI":"10.1007\/978-3-319-47443-4_5"},{"key":"9469_CR39","unstructured":"SQL Injection Bypassing WAF. (2018) https:\/\/www.owasp.org\/index.php\/SQL_Injection_Bypassing_WAF. Accessed: 13 Jul 2018."},{"key":"9469_CR40","doi-asserted-by":"crossref","unstructured":"Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., Vigna, G. (2016). Driller: augmenting fuzzing through selective symbolic execution. In NDSS\u201916.","DOI":"10.14722\/ndss.2016.23368"},{"key":"9469_CR41","doi-asserted-by":"crossref","unstructured":"Su, Z., & Wassermann, G. (2006). The essence of command injection attacks in web applications. In Symposium on principles of programming languages (pp. 372\u2013382).","DOI":"10.1145\/1111037.1111070"},{"key":"9469_CR42","doi-asserted-by":"crossref","unstructured":"Sudhodanan, A., Armando, A., Carbone, R., Compagna, L. (2016). Attack patterns for black-box security testing of multi-party web applications. In NDSS\u201916.","DOI":"10.14722\/ndss.2016.23286"},{"key":"9469_CR43","unstructured":"The Bodgeit Store. (2018) https:\/\/github.com\/psiinon\/bodgeit. Accessed: 27 Jul 2018."},{"key":"9469_CR44","unstructured":"XSS Filter Evasion Cheat Sheet. (2018) https:\/\/www.owasp.org\/index.php\/XSS_Filter_Evasion_Cheat_Sheet. Accessed: 13 Jul 2018."}],"container-title":["Software Quality Journal"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11219-019-09469-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s11219-019-09469-y\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11219-019-09469-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,10,18]],"date-time":"2022-10-18T00:15:17Z","timestamp":1666052117000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s11219-019-09469-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3]]},"references-count":44,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,3]]}},"alternative-id":["9469"],"URL":"https:\/\/doi.org\/10.1007\/s11219-019-09469-y","relation":{},"ISSN":["0963-9314","1573-1367"],"issn-type":[{"value":"0963-9314","type":"print"},{"value":"1573-1367","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,3]]},"assertion":[{"value":"9 March 2020","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}