We introduce a new Syntax-based Security Testing (SST) framework that uses a protocol specification to perform security testing on text-based communication protocols. A protocol specification of a particular text-based protocol under-tested represents its syntactic grammar and static constraints. The specification is used to generate test cases by mutating valid messages, breaking the syntactic and constraints of the protocol. The framework is demonstrated using a toy Web application and the open source application KOrganizer.
Ben W. Y. Kam, Thomas R. Dean