Abstract Broken access control (BAC) remains the most critical web security risk (it heads the OWASP Top 10). Although BAC is commonly tested with dynamic white-box techniques, their effectiveness hinges on the strength of the underlying test cases; weak test cases leave exploitable flaws in the software. Mutation testing is widely used and has been empirically shown to be a sensitive and reliable way to evaluate test case quality. Although it is also applied in software security, its use for testing BAC remains limited. This study aims to improve the quality of security test cases for two BAC vulnerabilities: Improper Pathname Limitation (IPL) and Cross-Site Request Forgery (CSRF). We introduce 15 novel mutation operators, systematically derived through data flow analysis of how these vulnerabilities arise. The operator groups, including file access check and CSRF-token related mutation operators, simulate realistic semantic mistakes that lead to these vulnerabilities. The approach was evaluated using the Quality of mutant set Coverage (QCo) metric, and the improvement in test cases was measured with the Mutation Score Indicator (MSI) on 29 security test cases. Experimental results show that all operators, implemented as a mutation-injecting PHP extension, achieved a QCo above 85%, while test case quality improved on a PHP-based dummy project from 5 to 12 test cases for CSRF and from 8 to 17 test cases for IPL, and on DVWA from 6 to 8 test cases for CSRF and from 4 to 7 test cases for IPL. These findings indicate that the proposed mutation operators substantially help developers strengthen security test cases so that they reveal BAC vulnerabilities.
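To make the idea concrete, the following PHP program is an added illustration written for this page; it is not the paper's PHP extension, nor any of its 15 operators. It shows an IPL guard and a CSRF-token check next to one hand-written mutant each, of the kind a "file access check" or "CSRF-token" operator might produce, and a small loop that reports which tests kill which mutant. The mutant shapes, function names, the two-test "weak" and "strong" suites, and the MSI-style ratio are all assumptions made for the example; the sandbox files are constructed on the fly under the system temp directory (POSIX paths assumed).

```php
<?php
declare(strict_types=1);

// Added illustration, not the paper's PHP extension or its operator set: an
// Improper Pathname Limitation (IPL) guard and a CSRF-token check, each beside
// a hand-written mutant of the kind a file-access-check / CSRF-token operator
// would produce, plus a loop that reports which tests kill which mutant.

// Constructed sandbox: one file under the public root, one outside it.
$root = sys_get_temp_dir() . '/bac_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/public', 0700, true);
file_put_contents($root . '/public/readme.txt', 'public');
file_put_contents($root . '/secret.txt', 'secret');

// ---- IPL: original guard and one mutant ------------------------------------

// Original: canonicalise, then require the result to sit under the public root.
function readPublicFile(string $publicRoot, string $userPath): ?string
{
    $base = realpath($publicRoot);
    $real = realpath($publicRoot . '/' . $userPath);
    if ($base === false || $real === false) {
        return null;
    }
    // Compare against "root/" so a sibling such as "public_old" cannot pass.
    if (strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return file_get_contents($real);
}

// Mutant (assumed operator: drop canonicalisation, check the raw string).
// The raw path always starts with $publicRoot, so "../secret.txt" slips through.
function readPublicFileMutant(string $publicRoot, string $userPath): ?string
{
    $raw = $publicRoot . '/' . $userPath;
    if (strncmp($raw, $publicRoot . '/', strlen($publicRoot) + 1) !== 0) {
        return null;
    }
    return is_file($raw) ? file_get_contents($raw) : null;
}

// ---- CSRF: original check and one mutant -----------------------------------

// Original: constant-time comparison of the session token with the request's.
function csrfTokenValid(?string $sessionToken, ?string $requestToken): bool
{
    if ($sessionToken === null || $requestToken === null) {
        return false;
    }
    return hash_equals($sessionToken, $requestToken);
}

// Mutant (assumed operator: keep the presence check, drop the comparison).
function csrfTokenValidMutant(?string $sessionToken, ?string $requestToken): bool
{
    return $requestToken !== null && $requestToken !== '';
}

// ---- Minimal mutation-score computation --------------------------------------

// Each test receives the implementation under test and returns true on pass.
// A mutant is killed when a test that passes on the original fails on it;
// the indicator reported is killed / total mutants (an MSI-style ratio).
function mutationScore(callable $original, array $mutants, array $tests): array
{
    $killed = [];
    foreach ($mutants as $name => $mutant) {
        foreach ($tests as $testName => $test) {
            if ($test($original) && !$test($mutant)) {
                $killed[$name] = $testName;
                break;
            }
        }
    }
    return ['killed' => $killed, 'msi' => count($killed) / max(1, count($mutants))];
}

$publicRoot = $root . '/public';

// Weak suites cover only the happy path; strong suites add the attack-shaped case.
$iplWeak    = ['serves public file' => fn(callable $f) => $f($publicRoot, 'readme.txt') === 'public'];
$iplStrong  = $iplWeak + ['rejects traversal' => fn(callable $f) => $f($publicRoot, '../secret.txt') === null];
$csrfWeak   = ['accepts matching token' => fn(callable $f) => $f('t0k3n', 't0k3n') === true];
$csrfStrong = $csrfWeak + ['rejects foreign token' => fn(callable $f) => $f('t0k3n', 'attacker') === false];

foreach ([
    'IPL weak'    => mutationScore('readPublicFile', ['drop-canonicalisation' => 'readPublicFileMutant'], $iplWeak),
    'IPL strong'  => mutationScore('readPublicFile', ['drop-canonicalisation' => 'readPublicFileMutant'], $iplStrong),
    'CSRF weak'   => mutationScore('csrfTokenValid', ['drop-comparison' => 'csrfTokenValidMutant'], $csrfWeak),
    'CSRF strong' => mutationScore('csrfTokenValid', ['drop-comparison' => 'csrfTokenValidMutant'], $csrfStrong),
] as $label => $result) {
    printf("%-11s MSI=%3.0f%%  killed by: %s\n", $label, 100 * $result['msi'],
        $result['killed'] ? implode(', ', $result['killed']) : '(none)');
}

// Remove the constructed sandbox.
unlink($root . '/public/readme.txt');
unlink($root . '/secret.txt');
rmdir($root . '/public');
rmdir($root);
```

Running it with `php bac_mutants.php` shows both weak suites scoring 0% (the happy-path test passes on the original and on the mutant alike, so nothing is killed) and both strong suites scoring 100%, each mutant killed only by the attack-shaped test. That gap is exactly what the abstract's MSI improvement measures: a suite that never sends `../secret.txt` or a foreign token cannot distinguish a correct access check from a subtly broken one.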
Abdurrasyid et al. studied this question.