Practical External Interaction Vulnerability Testing for Web Applications


External Interaction Vulnerabilities (EIVs) are currently the most common class of vulnerability in web applications. An EIV lets an attacker use the vulnerable web application as a vessel for transmitting malicious input to an external system that interacts with the application; the malicious input alters the semantics of the command or query the application sends to that external system. Current vulnerability testing approaches are black-box oriented and cannot take advantage of the data-flow information that is available in the source code. In this paper, we introduce a white-box approach, called EIV testing, for testing web applications for these vulnerabilities. The strategy lets testers accurately identify every input entering the web application and model that input as it reaches the external systems that act as data sinks. A case study using a commercial, currently deployed web application is presented to show the effectiveness of this testing strategy.
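As an added example (not the paper's code or tool), the following Python illustrates both points of the abstract. The first part is a minimal white-box source-to-sink check: it identifies inputs entering a request handler (assumed here to be reads of `request.args`, `request.form` and `request.cookies`), follows them through assignments, concatenation, f-strings and method calls, and reports when they reach a sink that talks to an external system (assumed: `execute` on a database cursor and `os.system`). The second part, backed by an in-memory SQLite table, shows the semantic change the abstract refers to: an input that matches no row when bound as a parameter selects every row when spliced into the query text. The handler snippets, function names, sink and source lists and the `accounts` table are all constructed for this example.

```python
# Added example, not code from the paper: a minimal white-box source-to-sink
# check of the kind the abstract describes, plus a demonstration of an input
# changing the meaning of the query sent to the external system. Assumed (not
# from the paper): inputs are reads of request.args/.form/.cookies; sinks are
# <obj>.execute (database) and os.system (shell). All names are constructed;
# VULNERABLE and HARDENED below are parsed, not executed.
import ast
import sqlite3

SOURCE_ATTRS = {"args", "form", "cookies"}
SINK_ATTRS = {"execute", "system"}

def _is_source(node):
    """True for request.args["q"], request.args.get("q"), request.form[...]."""
    while isinstance(node, (ast.Subscript, ast.Call)):
        node = node.func if isinstance(node, ast.Call) else node.value
    if isinstance(node, ast.Attribute) and node.attr == "get":
        node = node.value
    return (isinstance(node, ast.Attribute)
            and isinstance(node.value, ast.Name)
            and node.value.id == "request"
            and node.attr in SOURCE_ATTRS)

def _tainted(node, tainted):
    """Does the expression carry input: a source, a tainted name, +, f-string, call?"""
    if _is_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.JoinedStr):
        return any(_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp):
        return _tainted(node.left, tainted) or _tainted(node.right, tainted)
    if isinstance(node, ast.Call):
        parts = list(node.args) + [kw.value for kw in node.keywords]
        if isinstance(node.func, ast.Attribute):
            parts.append(node.func.value)     # receiver of "...".format(x)
        return any(_tainted(p, tainted) for p in parts)
    return False                              # constants, tuples, lists: data

def find_flows(source_code):
    """(function, sink, line) wherever a sink's command argument is built from
    request input. Flow-insensitive: assignments are iterated to a fixpoint.
    Input bound as a separate parameter, execute(sql, (user,)), is not reported:
    the external system then receives it as data, not as command text."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source_code))
                 if isinstance(n, ast.FunctionDef)):
        assigns = [n for n in ast.walk(func)
                   if isinstance(n, (ast.Assign, ast.AugAssign))]
        tainted, changed = set(), True
        while changed:
            changed = False
            for a in assigns:
                targets = a.targets if isinstance(a, ast.Assign) else [a.target]
                if _tainted(a.value, tainted):
                    for t in targets:
                        if isinstance(t, ast.Name) and t.id not in tainted:
                            tainted.add(t.id)
                            changed = True
        for call in (n for n in ast.walk(func) if isinstance(n, ast.Call)):
            f = call.func
            if (isinstance(f, ast.Attribute) and f.attr in SINK_ATTRS
                    and call.args and _tainted(call.args[0], tainted)):
                findings.append((func.name, f.attr, call.lineno))
    return findings

VULNERABLE = '''
def lookup(request, cursor):
    user = request.args.get("user")
    sql = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(sql)                  # input is part of the SQL text

def ping(request):
    host = request.form["host"]
    os.system(f"ping -c 1 {host}")       # input is part of the shell command
'''
HARDENED = '''
def lookup(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = ?", (user,))

def ping(request):
    host = request.form["host"]
    subprocess.run(["ping", "-c", "1", host], check=False)   # argv, no shell
'''

def run_lookup(user, parameterized):
    """Constructed in-memory stand-in for the external database: the names a
    lookup of `user` returns with the query built by concatenation or with
    `user` bound as a value. "x' OR '1'='1" dumps every row in the first case."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?)", [("alice",), ("bob",)])
    if parameterized:
        rows = conn.execute("SELECT name FROM accounts WHERE name = ?", (user,))
    else:
        rows = conn.execute("SELECT name FROM accounts WHERE name = '" + user + "'")
    return sorted(r[0] for r in rows)
```

`find_flows(VULNERABLE)` reports both handlers and `find_flows(HARDENED)` reports nothing, because in the hardened version the input never becomes part of the command text the external system parses. The check is deliberately small: it is intra-procedural, flow-insensitive, and knows nothing about sanitisers or about the grammar of the sink, so it cannot tell which inputs actually change a query's meaning. Modelling the input as it reaches the sink, as the abstract proposes, is what closes that gap.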