(Georgia Institute of Technology, 2016-12)
Zhu, Zixiang
Penetration Testing emerged in the mid-1960s as an approach to exploit vulnerabilities of possible attacks of a software application by nefarious users. Traditional penetration testing is done manually, which is not only inefficient but also unstable in terms of reliability. In the recent decade, multiple automated penetration testing approaches have been proposed, including automatically test inputs generation based on genetic algorithms and neural networks learning. However, these black-box testing methods only have limited accuracy, and usually require a large number of data to train the agents before they can be used to do actual tests. To address this issue, we present a novel approach in which program static analysis is exploited. The proposed penetration testing system is able to not only estimate HTTP request data more precisely, but also discover dynamic interfaces exposed by the web applications. This research is focused on PHP web applications only.