Combinatorial Mutation Approach to Web Service ... - IEEE Xplore

2012 Ninth IEEE International Conference on e-Business Engineering

Combinatorial Mutation Approach to Web Service Vulnerability Testing based on SOAP Message Mutations

Qing Li1, Jinfu Chen1*, Yongzhao Zhan1, Chengying Mao2, Huanhuan Wang1

1. School of Computer Science and Telecom. Eng., Jiangsu University, 212013 Zhenjiang, China

2. School of Software and Communication Engineering, Jiangxi University of Finance and Economics, 330013 Nanchang, China

* Corresponding author e-mail: [email protected]

Abstract—Web services testing is one of the most important techniques used to assure the quality of Web services at present. Currently, Web service testing has focused only on injecting one mutant at a time. Thus, based on data perturbation and combinatorial testing techniques, this paper presents a set of mutation operators that can be combined, and defines corresponding combinatorial strategies, so that multiple mutants are injected at one time. In order to improve testing efficiency and effect, a combinatorial approach for testing Web service vulnerability is proposed. Firstly, based on WSDL (Web Service Description Language) documents and SOAP (Simple Object Access Protocol) messages, the initial test data are generated by perturbation techniques. Then the CTCG (Combinatorial Testing Cases Generation) algorithm is proposed and called to generate the final combinatorial test data according to the combinatorial strategies. Finally, some preliminary experiments are conducted on an integration testing platform to verify the applicability of the proposed approach. The experimental results show that the approach is more cost-effective.

Keywords-Web service testing; SOAP message mutation; combinatorial testing; mutation operator; vulnerability testing

978-0-7695-4809-8/12 $26.00 © 2012 IEEE DOI 10.1109/ICEBE.2012.34

I. INTRODUCTION

SOA (Service-Oriented Architecture) has become the major trend in Web-based distributed systems [1]. As one typical way to implement SOA, Web services have recently received more attention from the software industry. Web services, which take XML (Extensible Markup Language), SOAP (Simple Object Access Protocol), WSDL (Web Service Description Language), and UDDI (Universal Description, Discovery and Integration) as their core technologies, offer good encapsulation and strong integration capabilities, support an open and dynamic interoperability model, and can greatly reduce system integration complexity and overhead [2]. However, compared with common Web applications, the architecture and operational characteristics of Web services usually make security vulnerabilities more likely. The vulnerabilities of Web services can be summarized in the following two aspects: 1) the operational environment of clients cannot be trusted, which introduces vulnerability, and 2) the running state is open, which introduces vulnerability.

In order to ensure the quality and credibility of Web services, testing must be as adequate as possible. Testing a Web service involves the following: testing SOAP messages, testing WSDL documents, testing the publish, discovery and bind capabilities of an SOA, Web service consumer and producer emulation, testing the asynchronous notification and alert capabilities of Web services in addition to their synchronous RPC capabilities, testing SOAP intermediary capability, SLA (service-level agreement) and QoS (Quality of Service) monitoring, Web services stress testing, and so forth [3]. The difficulties of testing Web services are mainly reflected in the following areas: 1) the development and application environments of services differ greatly; 2) Web service testing is mainly designed and implemented based on service interfaces, so automated testing methods must be used, which differs greatly from traditional testing methods that need a lot of manual intervention; 3) due to the distributed nature of Web services, a large number of users may access a service concurrently from different environments, so performance and scalability are important aspects of testing Web services; 4) services are published, discovered, bound and integrated dynamically, so uncertainty and invisibility increase the difficulty of the test process; 5) the security risks of a service increase once its access interfaces and access methods are published, and so does the opportunity to attack the system; and 6) the application of Web services usually involves service providers, publishers and users, who need to be involved at different stages of the testing. This distributed nature makes activities such as testing organization, defect management, and outcome evaluation infeasible [1].

Existing studies almost all address overall testing scenarios based on the integrated framework of the Web service. For instance, reference [4] proposed a Web service testing technology based on contract design, reference [1] used multiple levels such as infrastructure, unit, integration services, and so on to verify and confirm the correctness of Web services, and focused on performance testing research for Web services, and references [5-8] implemented the data perturbation technology to test the Web service based on XML Schemas, and so forth. Existing research on SOAP message mutations almost always injects one mutant at a time, while testing Web services from the point of view of combinatorial mutation testing is a relatively new field of study [9]. However, extensive research found that about 98% of failures in the software control of health care systems were caused by the interaction between pairs of variables [10]. Therefore, research on a combinatorial mutation testing approach based on the SOAP message for Web service vulnerability testing is of profound significance. Firstly, a set of mutation operators which can be combined is presented. Then, a corresponding combinatorial strategy is developed. Finally, a combinatorial test case generation algorithm, CTCG (Combinatorial Testing Cases Generation), based on SOAP message mutations is proposed.

The remainder of this paper is organized as follows: some related work on testing Web services is discussed in Section 2. In Section 3, the detailed steps of our approach are discussed. Section 4 reports some experiments to evaluate our approach. We discuss our future work and conclude this paper in Section 5.

II. RELATED WORK

WSDL is an XML-based specification model for Web services. It is used to expose the public interfaces of Web services. WSDL is in fact divided into two parts: service interface definitions (abstract interface contains , , , and ) and service implementation (specific endpoint contains , and ) [11]. An approach that extends the definition of WSDL in order to enhance its ability to describe Web service tests was proposed by W.T. Tsai et al. [12]. On this basis, a further study was undertaken by Evan Martin et al. [13], and a testing tool was developed. Java client testing code could be generated from a WSDL file, and the encapsulated class generated by it was sent to a Java unit test data generation tool, which ultimately generated the Web service testing data. M. Sneed et al. [14] first extended WSDL to increase its description ability, and then combined the WSDL tree nodes, expanded facet constraints and pre-conditions to generate the corresponding test data. Jiang Ying et al. [4] presented a method of automated test data generation for Web services. According to the WSDL document of a Web service, the initial test data were generated automatically by a random method. After the test data were selected by contract mutation testing and a greedy algorithm, effective test data were obtained to a certain extent. But more computer resources were required, only three data types (int, float and double) were generated, and boolean and string test data could not be generated. Bai et al. [15] proposed a framework to automatically generate Web services test cases from the Web services description, which embeds the basic information of a service. Based on the service WSDL information, test data are generated for simple, aggregate and user-defined types. Operation sequences to be tested are also generated based on operation dependencies from the service description. Hanna S. et al. [16] first created an abstract model of the data types through WSDL. Then, according to the WSDL document of the Web service, the simple test data and final test data were generated automatically by the random method and the boundary value method. But the structure of complex data types was not taken into consideration, and the simple data could not be assembled into complex data effectively.

In the XML modeling field, Jeff Offutt's working group [6] extended a set of models based on RTG (Regular Tree Grammar), and proposed a set of RPC mutation operators based on XML Schemas. Shortly afterwards, additional operators were pointed out in [7], which could be roughly divided into three categories: insert, delete, and change. Based on [6] and [7], some SOAP message mutation operators were added by Almeida et al. [8] and acted directly on the SOAP messages. The advantages of this method are that it did not depend on XML schemas, directly modified the SOAP messages, and reduced the running time. On the basis of [6], reference [5] extended data value perturbation (adding an invalid value) and data communication perturbation (adding relationship strategies of minOccurs, all and choice), and on the basis of [8], it added some new mutation operators and expanded the scope of the operators to both RPC and Data Communications.

Taking a panoramic view of Web service testing, current studies mainly focus on the testing of WSDL specifications and XML documents. The study of SOAP message parameter mutations has appeared, but it only considered a single mutant injected at one time, while combinatorial mutation testing is hardly involved. However, extensive research found that about 98% of failures in the software control of health care systems were caused by the interaction between pairs of variables [10]. Therefore, research on a combinatorial mutation testing approach based on the SOAP message for Web service vulnerability testing is of profound significance.

Some research on a fault injection model for component security testing has been carried out in our previous work. What is more, some foundation work on the minimum K factors combinatorial algorithm based on the solution matrix has also been done; thus, the combinatorial explosion is solved effectively. In order to improve testing efficiency and effect, a combinatorial approach for testing Web service vulnerability is proposed. Firstly, a set of mutation operators which can be combined is presented. Then, a corresponding combinatorial strategy is developed. Finally, a combinatorial test case generation algorithm, CTCG, based on SOAP message mutations is proposed.

III. COMBINATORIAL MUTATION APPROACH

With the rapid development of technology and the widespread use of Web services, the quality and credibility of Web services have attracted more attention than before. A simple and effective set of test cases is one of the key factors in testing software successfully and assuring its quality. The key to generating test cases for mutation testing based on a SOAP message is the design of the mutation operators, and the object and the purpose of mutation should be clear. Both WSDL and SOAP messages are based on XML documents. Therefore, the essence of the mutation object is the XML document. The defects of existing studies include redundancy of data in SOAP message mutation testing, low efficiency of the mutation operators, and only one mutant injected at one time. Combinatorial mutation testing focuses on using combinations of at least two faulty input data parameters to find faults within the software. This paper proposes a combinatorial mutation testing approach based on SOAP message mutations for Web service vulnerability testing. The main ideas are as follows: Firstly, a set of operators that can be combined is presented. Then the SOAP message is obtained by parsing the WSDL file, and data perturbation techniques are adopted to generate simple initial test data. Finally, a combinatorial testing algorithm is developed, and complex combinatorial test data are generated to test Web service vulnerability according to the proposed CTCG algorithm. The overall structure of test data generation by the combinatorial mutation approach proposed in this paper is shown in Figure 1.

Figure 1. Steps to generate combinatorial data to Web service vulnerability testing

A. Mutation Operators Design

The uncertainty and randomness of the initial object led to data redundancy and low efficiency of the mutation operators introduced in [4] and [6-8]. Based on the previous research results, this paper presents the following two perturbation policies: data value perturbation and interaction perturbation. Both perturbation policies act directly on the SOAP message. The former modifies values in SOAP messages according to their data types, while the latter may consider both the data values and the data relationships. All mutation operators presented here are shown in Table I. Some of the mutation operators have the double effect of data value and interaction perturbation. Whenever necessary, new mutation operators can be added to Table I.

TABLE I. MUTATION OPERATORS OF WEB SERVICE VULNERABILITY TESTING BASED ON THE SOAP MESSAGE

| ID | Operator | Brief description | Operator type |
|---|---|---|---|
| 01 | B | Set the value of n to be boundary value | data value perturbation |
| 02 | IPO | Insert parameter operator into the value assigned to a node n | data value perturbation |
| 03 | SNN | Set the value of n to be null | data value/interaction perturbation |
| 04 | SNS | Set the value of n to be ' ' | data value/interaction perturbation |
| 05 | IIV | Integer Irregular Value such as 0, $\pm(1, 2^8-1, 2^8, 2^8+1, 2^{16}, 2^{16}+1, 2^{16}-1)$, and so on | data value perturbation |
| 06 | FIV | Float Irregular Value such as 0,1,-1,+/-1,5E-324,1.7E+308,pi,e, and so on | data value perturbation |
| 07 | CIV | Char Irregular Value such as ' ', '', '../', '{', '(', '[', '\n', '\0', '\s', '\d' | data value perturbation |
| 08 | BIV | Boolean Irregular Value such as 0, 1, True, False | data value perturbation |
| 09 | SDN | Delete node n and its child nodes from the SOAP message | interaction perturbation |
| 10 | VEE | Exchange the order of values assigned to nodes | data value/interaction perturbation |
| 11 | EXE | Exchange the order of nodes | interaction perturbation |
| 12 | ML | Modify the length of the value assigned to node n | data value/interaction perturbation |
| 13 | SSV | SQL String Injection | interaction perturbation |

The use of several mutation operators is explained below.

Example 1: SDN perturbation
Before mutating: s1008053 liqing
After mutating: liqing

Example 2: VEE perturbation
Before mutating: s1008053 liqing
After mutating: liqing s1008053


Example 3: B perturbation (only three common data types are listed in Table II)

TABLE II. BOUNDARY VALUE PERTURBATION

| Data type | B Perturbation |
|---|---|
| String | Length(MIN-1), Length(MIN), Length(Random(MIN, MAX)), Length(MAX), Length(MAX+1), Upper case, Lower case, Random(int), 0 |
| Numeric | MIN-1, MIN, Random(MIN, MAX), MAX, MAX+1, 0, Random(string) |
| Boolean | true, false |

B. Combinatorial Testing Strategy

Learning from research on the fault injection model for component security testing, and according to the mutation operators designed in chapter 2.1, the main steps of the combinatorial testing strategy are developed below. It is assumed here that each Web service contains a limited number of Web methods and parameters.

Step 1: Analyze the Web service methods, and identify the associated Web service methods. Associated Web service methods fall into two categories: directly associated methods and indirectly associated methods. Directly associated methods are those with direct associations among the parameters of the Web service methods. For example, a Web service which calculates the four fundamental operations on two integers includes four Web methods: Add(), Sub(), Mul() and Div(). The prototypes of the Add() and Sub() methods are int add (int x, int y) and int Sub (int a, int b) respectively. If the value of a Sub() method parameter is the return value of the Add() method, then Add() and Sub() are called directly associated methods. Indirectly associated methods are those with certain restrictions or limitations among the parameters of the Web service methods. For example, a Web service which freely provides weather conditions on the Internet includes the getSupportProvince(), getWeatherbyCityname(), getSupportCity() and getSupportDataSet() methods. The input parameter scope of the getSupportProvince() method is the specified continent or domestic provinces, and the input parameter scope of the getWeatherbyCityname() method is the Chinese name of the city (or the city code). The parameters of getWeatherbyCityname() are obviously restricted by the input parameters of getSupportProvince(), so getWeatherbyCityname() and getSupportProvince() are called indirectly associated methods. After Step 1, the scope of combinatorial parameters is greatly narrowed, hence the efficiency is improved.

Step 2: For the associated Web service methods, invoke different sets of mutation operators according to the type of the parameters, and then call the appropriate combinatorial testing approach to generate combinatorial test cases. Assume here that there is an association between m1 and m3. The number of parameters of m1 is i, denoted by p1, p2, ..., pi, and the number of parameters of m3 is j, denoted by q1, q2, ..., qj; then the parameter set PS is formed, denoted by PS = {p1, p2, ..., pi, q1, q2, ..., qj}. The specific combinatorial method is as follows:

If data value perturbation is conducted, the available mutation operators are B, IPO, SNN, SNS, IIV, FIV, CIV, BIV, VEE and ML. For the PS, the combinatorial test data are generated by calling the minimum K factors (K=2) combinatorial algorithm based on the solution matrix.

If interaction perturbation is conducted, the available mutation operators are SNN, SNS, SDN, VEE, EXE, ML and SSV. The combinatorial method is as follows:

Case VEE or EXE: For the PS, based on the locality principle that faults generally occur among adjacent parameters, groups of parameters are obtained. Then randomly select two groups to conduct combinatorial mutation testing.

Case SDN, SSV, SNN, SNS or ML: For the PS, based on the locality principle that faults generally occur among adjacent parameters, groups of parameters are obtained. Then randomly select one group to conduct combinatorial mutation testing.

Based on the combinatorial mutation testing strategy proposed above, the combinatorial mutation algorithm CTCG for Web service vulnerability testing based on SOAP message mutations is proposed. The overall flow chart is shown in Figure 2.
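The data value branch of this strategy (K=2 coverage over the parameter set) together with the SDN and VEE operators of Examples 1 and 2, as an added Python illustration that is not the authors' WSVTS code. A greedy pairwise search stands in for the solution-matrix algorithm of [17]; the request, its element names, the namespace and the length bounds are constructed assumptions.

```python
import itertools
import xml.etree.ElementTree as ET

XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"

# Constructed SOAP request; operation, element names and namespace are hypothetical.
REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <register xmlns="urn:example:students">
      <id>s1008053</id><name>liqing</name><age>21</age>
    </register>
  </soap:Body>
</soap:Envelope>"""


def local(elem):
    """Element name without its namespace."""
    return elem.tag.rsplit("}", 1)[-1]


def values(xml_text):
    """Map each leaf parameter of a message to its text (None when empty)."""
    return {local(e): e.text for e in ET.fromstring(xml_text).iter() if len(e) == 0}


def string_candidates(value, min_len, max_len):
    """Original value plus SNN, SNS and two B (Table II) mutants."""
    return [("orig", value), ("SNN", None), ("SNS", " "),
            ("B", "a" * (min_len - 1)),   # Length(MIN-1)
            ("B", "a" * (max_len + 1))]   # Length(MAX+1)


def integer_candidates(value):
    """Original value plus IIV and SNN mutants."""
    return [("orig", str(value)), ("IIV", "0"), ("IIV", "-1"),
            ("IIV", str(2 ** 16 + 1)), ("SNN", None)]


def pairwise_rows(domains):
    """Greedy K=2 cover: repeatedly take the row covering the most uncovered value pairs."""
    names = list(domains)

    def pairs(row):
        return set(itertools.combinations(zip(names, row), 2))

    uncovered = set().union(*map(pairs, itertools.product(*domains.values())))
    rows = []
    while uncovered:
        best = max(itertools.product(*domains.values()),
                   key=lambda row: len(pairs(row) & uncovered))
        uncovered -= pairs(best)
        rows.append(dict(zip(names, best)))
    return rows


def inject(request_xml, row):
    """Inject every (operator, value) of one row into a copy of the message."""
    root = ET.fromstring(request_xml)
    for elem in root.iter():
        if local(elem) in row:
            _, value = row[local(elem)]
            elem.text = value
            if value is None:            # SNN is sent as an explicit nil element
                elem.set(XSI_NIL, "true")
    return ET.tostring(root, encoding="unicode")


def sdn(request_xml, name):
    """SDN: delete node `name` and its child nodes."""
    root = ET.fromstring(request_xml)
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child) == name:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def vee(request_xml, first, second):
    """VEE: exchange the values assigned to two nodes."""
    root = ET.fromstring(request_xml)
    nodes = {local(e): e for e in root.iter()}
    nodes[first].text, nodes[second].text = nodes[second].text, nodes[first].text
    return ET.tostring(root, encoding="unicode")


def build_tests(request_xml=REQUEST):
    """Candidate sets (length bounds are assumed), pairwise rows, mutated messages."""
    domains = {"id": string_candidates("s1008053", 8, 8),
               "name": string_candidates("liqing", 1, 20),
               "age": integer_candidates(21)}
    rows = pairwise_rows(domains)
    return domains, rows, [inject(request_xml, row) for row in rows]


if __name__ == "__main__":
    domains, rows, messages = build_tests()
    print(len(rows), "messages cover all value pairs; the full product is", 5 ** 3)
    print(values(vee(REQUEST, "id", "name")))
```

Each generated row mutates several parameters in the same message, so one request exercises an interaction between faulty values that single-mutant injection would need separate requests to approach.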

Figure 2. The flow chart of CTCG Algorithm

Here the mutation object mainly contains three common data types: numeric, string, and boolean. In Figure 2, n is the total number of parameters of associated Web service methods, MS1 = {B, SNN, SNS, CIV, SDN, VEE, EXE, ML, SSV}, MS2 = {B, IPO, SNN, SNS, IIV, FIV, SDN, VEE, EXE}, and MS3 = {B, IPO, SNN, SNS, CIV, SDN, VEE, EXE}.

Algorithm. CTCG
Explanation: n is the total number of parameters of the associated Web service methods; is the number of parameters groups; mo denotes mutation operator; DVMS = {B, IPO, SNN, SNS, IIV, FIV, CIV, BIV, VEE, ML}
Input: n, the type of SOAP parameters
Output: the set of combinatorial mutation testing test cases S = {e1, e2, ..., en}

    if (type is string) then
    {
        invoke MS1;
        if (mo ∈ DVMS) then
            call TGSM to generate combinatorial testing cases;
        else if (mo ∈ {VEE, EXE}) then
            randomly choose two groups for combinatorial testing;
        else
            randomly choose one group for combinatorial testing;
    }
    else if (type is numerical) then
    {
        invoke MS2;
        if (mo ∈ DVMS) then
            call the TGSM to generate combinatorial testing cases;
        else if (mo ∈ {VEE, EXE}) then
            randomly choose two groups for combinatorial testing;
        else
            randomly choose one group for combinatorial testing;
    }
    else
    {
        invoke MS3;
        if (mo ∈ DVMS) then
            call the TGSM to generate combinatorial testing cases;
        else if (mo ∈ {VEE, EXE}) then
            randomly choose two groups for combinatorial testing;
        else
            randomly choose one group for combinatorial testing;
    }

The main idea of the TGSM algorithm is as follows: the solution matrix satisfying K-factor coverage is generated based on the FIM (fault injection model). All rows of the solution matrix make up the fault injection test cases. Due to space limitations, the specific algorithm description is not listed here; it can be found in [17].

To analyze the complexity of the algorithm theoretically, the number of associated Web service methods is assumed to be n, and the average number of each parameter is p. The complexity of the CTCG algorithm is mainly determined by the TGSM algorithm. The complexity of TGSM is $O(m \times n \times p^3 + n^3 + p + p + p^3) = O(n^3 + n \times p^{n+3})$, where $m = p^n$. Thus, the complexity of the algorithm is $O(n^3 + n \times p^{n+3})$.

IV. EXPERIMENT AND ANALYSIS

A. Experimental Implementation

In order to validate the proposed combinatorial mutation strategy and the combinatorial mutation CTCG algorithm, a Web service vulnerability testing system (WSVTS) is implemented in the C# language, based on Visual Studio C++ 6.0 and Visual Studio.NET 2008. The experiment is performed on a PC with 2 GB of DDR3 memory, a 500 GB compatible hard disk, and a 2.26 GHz CPU. The WSVTS system has the following functions: 1) obtaining the interface information by parsing the uniform resource locator (URL) of the Web service, and 2) obtaining the SOAP message format by parsing the WSDL document. The CTCG algorithm is then called after analyzing the types of the parameters and their perturbation types, and the generated test cases act directly on the SOAP message. The security analysis and test results are given by observing the response message received from the client. The testing process is shown in Figure 3.

[Figure 3 flow chart labels: Web Service; Identify associated Web service methods; Parse WSDL file; SOAP message (XMLDocument); Combinatorial mutation strategy; Generate test cases; WSVTS System; Execute test cases; Vulnerability test report]

Figure 3. Flow chart of the Web service vulnerability testing system

Some open Web services are analyzed in the experiments, and extra Web services are also written during the experimental procedures. A total of 5 Web services have been tested in detail. Due to space limitations, the description of each Web service is not given here; only the testing results are given, in Table III.

TABLE III. TEST RESULT OF COMBINATORIAL MUTATION

| WS | WS1 | WS2 | WS3 | WS4 | WS5 | Total |
|---|---|---|---|---|---|---|
| Number of combinatorial test cases | 107 | 136 | 140 | 158 | 139 | 680 |
| Faults found | 70 | 93 | 100 | 111 | 106 | 480 |

Table III shows that the probability of finding faults with the combinatorial test cases generated by WSVTS is about 70.59%. This indicates that combinatorial test cases are able to reveal some Web service vulnerabilities effectively to a greater degree. Thus the CTCG algorithm proposed in this paper is relatively more cost-effective.

B. Analysis and Comparison

In order to validate the efficiency of the mutation operators presented in this paper, we define the OE (operator efficiency) as the efficiency of an operator in finding faults. The OE is expressed as $OE = EF / TC$, where EF is the number of faults found and TC is the total number of test cases generated by the operators. The efficiency of each test case applied to the Web service according to the candidate sets is shown in Figure 4. The results are presented with the number of faults found and the number of tests applied. Given the efficiency of each test case applied, some of the test cases may not be applicable to certain Web services.

[Figure 4 plot: OE = EF/TC (y-axis) for the mutation operators B, IPO, SNN, SNS, IIV, FIV, CIV, BIV, SDN, VEE, EXE, ML, SSV (x-axis)]

Figure 4. Efficiency of the mutation operator

As shown in Figure 4, most of the operators designed here have high fault-finding ability. Thus we can conclude that the mutation operators presented in this paper are relatively efficient for certain Web services. To further validate the effectiveness of the CTCG algorithm proposed above, a number of Web services have been tested in the experimental procedures. The results obtained from WSVTS are then compared with those of single mutant testing under the same conditions. The comparison results are shown in Figure 5.

[Figure 5 plot: Faults Found No (y-axis) against Test-Cases No (x-axis) for two series, Single mutation and Combinatorial mutation]

Figure 5. Comparison of single and combinatorial mutation

Figure 5 shows that when the number of test cases increases, the number of faults found also goes up markedly. The number of faults found by combinatorial test cases is much greater than that found by single mutants. Moreover, when the number of test cases is identical, combinatorial test cases find more faults. However, the number of faults stabilizes once a certain number of test cases is reached, since the test cases added afterwards are redundant.

We also compare the results obtained from WSVTS with those obtained using the open source tool SOAPUI, in which the test cases are entered manually according to the SOAP message parameter types. The comparison results are shown in Figure 6.

[Figure 6 plot: Faults Found No (y-axis) against Test-Cases No (x-axis) for two series, SOAPUI and WSVTS]

Figure 6. Comparison of the SOAPUI and WSVTS tools

The curve trend in Figure 6 indicates that when the number of test cases increases, the number of faults found also goes up markedly. The fault-finding abilities of the SOAPUI and WSVTS approaches differ greatly. From this figure, we can see that the test suite generated by our approach is always more efficient. The result of this experiment suggests that our approach can obtain quality test suites more efficiently. Of course, due to the distributed nature of Web services, there is some delay during the Web services testing process. However, this paper focuses on Web services vulnerability testing, rather than functionality testing. Finding more faults is our ultimate goal. Moreover, as shown in Figures 4, 5 and 6, the OE defined above is also much higher in our approach, and its fault-finding ability is also remarkable. These results confirm the efficiency of our approach.

V. CONCLUSIONS AND FUTURE WORK

Due to the distributed nature of Web services, they contain many running-state behaviors; therefore, traditional software testing techniques cannot be completely adopted to test Web services. Test data generation is an important part of testing Web services. Addressing the major defect of injecting only one mutant at a time, and based on data perturbation and combinatorial testing techniques, this paper presents a set of mutation operators that can be combined, and defines corresponding combinatorial strategies. Multiple mutants are then injected simultaneously by the combinatorial approach proposed in this paper. The experimental results show that the approach is more cost-effective than the single mutant approach. However, the fault-finding ability of the CTCG algorithm still needs to be improved, and redundant test cases still exist. In future, we will continue our research in two directions. Firstly, we will investigate the possibility of combining the conditions of mutants which have different mutated locations. Secondly, Web Services Security (WS-Security) [18], published by Advancing Open Standards for the Information Society (OASIS), is an initiative to establish standards to apply security to Web services. However, these standards have not been addressed by the techniques presented here and are the subject of further studies.

ACKNOWLEDGMENT

This work was supported in part by the National Natural Science Foundation of China (NSFC) under Grant No. 61063013, Natural Science Foundation of Jiangsu Province under Grant No. SBK201241510 and the Research Fund for the Doctoral Program of Higher Education of China under Grant No. 2010322 7120005.

REFERENCES

[1] X.Y. Bai, C.C. Zhao, G.L. Dai, “Research on Web service Testing”, Computer Science, Vol. 33, No. 2, 2006, pp. 252-256.

[2] K. Yue, X.L. Wang, A.Y. Zhou, “Underlying Techniques for Web Services: A Survey”, Journal of Software, Vol. 15, No. 3, 2004, pp. 428-442.

[3] J. Bloomberg, “Testing Web services today and tomorrow”, Rational Edge E-zine for the Rational Community, 2002.

[4] Y. Jiang, G.M. Xin, J.H. Shan, et al., “A Method of Automated Test Data Generation for Web Service”, Journal of Computer, Vol. 28, No. 4, 2005, pp. 568-577.

[5] C.V.A. de Melo, P. Silveira, “Improving data perturbation testing techniques for Web Services”, Information Sciences, Vol. 181, No. 3, 2011, pp. 600-619.

[6] J. Offutt, W. Xu, “Generating Test Cases for Web Services Using Data Perturbation”, ACM SIGSOFT Software Engineering Notes, Vol. 29, No. 5, 2004, pp. 1-10.

[7] W. Xu, J. Offutt, J. Luo, “Testing Web Services by XML Perturbation”, Proc. of the 16th IEEE International Symposium on Software Reliability Engineering (ISSRE’05), IEEE Computer Society, 2005, pp. 257-266.

[8] F.L.J. de Almeida, R.S. Vergilio, “Exploring perturbation based testing for Web services”, Proc. of the IEEE International Conference on Web Services (ICWS’06), IEEE Computer Society, 2006, pp. 717-726.

[9] K.Z. Watkins, “Introducing Fault-Based Combinatorial Testing to Web Services”, Proc. of the IEEE SoutheastCon 2010 (SoutheastCon), 2010, pp. 131-134.

[10] P.C. Jorgensen, “Software Testing: A Craftsman’s Approach”, Third Edition, CRC Press, USA, 2011, pp. 315-324.

[11] M.P. Papazoglou, “Web Services Principles and Technology”, Pearson Prentice Hall, Holland, 2010, pp. 99-100.

[12] W.T. Tsai, R. Paul, Y. Wang, et al., “Extending WSDL to Facilitate Web Services Testing”, Proc. of the 7th IEEE International Symposium on High Assurance Systems Engineering (HASE’02), IEEE Computer Society, 2002, pp. 171-172.

[13] M. Evan, S. Bas, T. Xie, “Automated Testing and Response Analysis of Web Services”, 2007 IEEE International Conference on Web Services (ICWS 2007), IEEE Computer Society, 2007, pp. 647-654.

[14] M.S. Harry, S.H. Huan, “WSDLTest-A Tool for Testing Web Services”, Proc. of the 8th IEEE International Symposium on Web Site Evolution (WSE’06), IEEE Computer Society, 2006, pp. 14-21.

[15] X.Y. Bai, W.L. Dong, W.T. Tsai, Y. Chen, “WSDL-based Automatic Test Case Generation for Web Services Testing”, Proc. of the 2005 IEEE International Workshop on Service-oriented System Engineering (SOSE’05), IEEE Computer Society, 2005, pp. 207-212.

[16] S. Hanna, M. Munro, “An Approach for Specification-based Test Case Generation for web Services”, 2007 IEEE/ACS International Conference on Computer Systems and Applications, Washington: IEEE, 2007, pp. 16-23.

[17] J.F. Chen, Y.S. Lu, X.D. Xiao, “A Fault Injection Model of Component Security Testing”, Journal of Computer Research and Development, Vol. 46, No. 7, 2009, pp. 1127-1135.

[18] WS-Security, OASIS, available at http://www.oasis-open.org/specs (last access May 2010).