Using GUI testing to automate website security analysis

  • J Hoebert

Student thesis: Master's Thesis

Abstract

This thesis examines the added value of GUI testing to the field of security analysis. In an increasingly digital world, software security is more important than ever, and vulnerabilities must be found before they are exploited. Unfortunately, dedicated tooling for finding security vulnerabilities is not always within reach of software developers. Implementing security analysis in GUI testing would therefore enable developers to find vulnerabilities that would otherwise go unnoticed.
To enable security analysis, the GUI testing tool TESTAR was extended with the ability to detect SQL injection and XSS vulnerabilities, HTTP header misconfigurations and session token invalidation. The performance of TESTAR's security analysis was measured by running it against the OWASP Benchmark. Code coverage was measured in a real-world application using OpenCover. These results were compared to those of the dedicated security analysis tool OWASP ZAP. Token validation analysis was tested in a synthetic scenario created for this research; no comparison was made to dedicated tooling because none of them supported this scenario, which shows that TESTAR is able to perform types of security analysis that are not feasible with dedicated security analysis tooling.
TESTAR was not able to beat the dedicated tools, but it matched their performance for misconfigurations and performed sufficiently for the other vulnerability types. The biggest limitation of this approach was the limited attack surface, because TESTAR is confined to the GUI. This research showed that GUI testing is able to deliver added value to security analysis, in particular for applications that are analyzed with dedicated tooling only at a late stage in their development, or not analyzed at all.
Date of Award: 5 Sept 2022
Original language: English
Supervisor: Hugo Jonker (Examiner) & Pekka Aho (Co-assessor)

Master's Degree

  • Master Software Engineering
