Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Security Testing of RESTful APIs With Test Case Mutation

Sebastien Salva, Jarod Sue

TL;DR

An automated approach to help developers generate test cases for experimenting with each service in isolation based upon the notion of test case mutation, which automatically generates new test cases from an original test case set is proposed.

Abstract

The focus of this paper is on automating the security testing of RESTful APIs. The testing stage of this specific kind of components is often performed manually, and this is yet considered as a long and difficult activity. This paper proposes an automated approach to help developers generate test cases for experimenting with each service in isolation. This approach is based upon the notion of test case mutation, which automatically generates new test cases from an original test case set. Test case mutation operators perform slight test case modifications to mimic possible failures or to test the component under test with new interactions. In this paper, we examine test case mutation operators for RESTful APIs and define 17 operators specialised in security testing. Then, we present our test case mutation algorithm. We evaluate its effectiveness and performance on four web service compositions.

Security Testing of RESTful APIs With Test Case Mutation

TL;DR

An automated approach to help developers generate test cases for experimenting with each service in isolation based upon the notion of test case mutation, which automatically generates new test cases from an original test case set is proposed.

Abstract

The focus of this paper is on automating the security testing of RESTful APIs. The testing stage of this specific kind of components is often performed manually, and this is yet considered as a long and difficult activity. This paper proposes an automated approach to help developers generate test cases for experimenting with each service in isolation. This approach is based upon the notion of test case mutation, which automatically generates new test cases from an original test case set. Test case mutation operators perform slight test case modifications to mimic possible failures or to test the component under test with new interactions. In this paper, we examine test case mutation operators for RESTful APIs and define 17 operators specialised in security testing. Then, we present our test case mutation algorithm. We evaluate its effectiveness and performance on four web service compositions.
Paper Structure (15 sections, 1 equation, 9 figures, 1 table, 1 algorithm)

This paper contains 15 sections, 1 equation, 9 figures, 1 table, 1 algorithm.

Table of Contents

  1. INTRODUCTION
  2. RELATED WORK
  3. TEST CASE MUTATION OPERATORS FOR RESTFUL APIS
  4. Assumptions
  5. IOTS Test Case Definition
  6. Mutation Operators For Security Testing
  7. TEST CASE MUTATION
  8. Test Mutation Operator Definition
  9. Test Case Generation
  10. Generation of Concrete Test Cases
  11. PRELIMINARY EVALUATION
  12. RQ1: how many mutants are generated?
  13. RQ2: Are the mutants effective?
  14. RQ3: what is the performance of our algorithm?
  15. CONCLUSION

Figures (9)

  • Figure 1: Black-box test architecture for experimenting RESTful API in isolation
  • Figure 2: IOTS Test Case example
  • Figure 3: Approach Overview
  • Figure 4: IOTS Mutated Test Case example
  • Figure 5: Example of test script for the service AccMan
  • ...and 4 more figures

Theorems & Definitions (5)

  • Definition 1
  • Definition 2: Mutation operator
  • Definition 3: Mutable Test Step
  • Definition 4: IOTS operator $mark$
  • Definition 5: IOTS operator $compl$