SIMPA Tutorial

This tutorial explains the steps for using SIMPA to infer an ASLan++ model of a Web application. In the following steps, we infer a model of the WebGoat Stored XSS lesson, which is part of the WebGoat platform.
WebGoat can be downloaded from its website and run using one of the scripts available in the main folder (the .sh or .bat file, depending on your operating system).


Expected results

  • An ASLan++ model of the stored XSS lesson.

Tutorial steps
Before inferring the model, you need to generate a test driver for the application.


    1. Using the SPaCIoS Tool menu, create a new SIMPA test driver project and choose Generated test driver. This option allows you to use the driver generator.

      In the created project, a template of the configuration file for the generator is available. In this JSON file, you have to specify various information about the WebGoat lesson, as depicted in the following figure:

      • Host and port depend on how you run the application. In this example, it is run locally using the port 8080.
      • Basic credentials to access the platform are guest:guest.
      • The noFollow option prevents the tool from browsing links that are outside of the lesson.
      • The reset URL is optional but may improve the crawling. For each WebGoat lesson, a reset URL is provided (e.g. http://localhost:8080/WebGoat/attack?Screen=20&menu=900&Restart=20).
      • Sometimes, the different actions of the application are handled by only one page using a dedicated parameter. For WebGoat, the parameter is action. Therefore, we set actionByParameter to action.
      • We need to give at least one start URL. We give the URL of the stage 1 of the lesson (http://localhost:8080/WebGoat/attack?Screen=20&menu=900&stage=1).
      • The data part is a pool of parameter values. The crawler will pick from these values to browse the application. As the lesson is a small application, only a few values are needed.

      The complete configuration file is:

        {
          "basicAuthUser" : "guest",
          "basicAuthPass" : "guest",
          "name" : "WebGoat_Stored_XSS",
          "limitSelector" : "#lesson_wrapper",
          "noFollow" : [ "^javascript:", "^http://" ],
          "cookies" : "JSESSIONID=BE48F7DCBA178BBE84206564",
          "reset" : "http://localhost:8080/WebGoat/attack?Screen=20&menu=900&Restart=20",
          "actionByParameter" : "action",
          "mergeInputs" : false,
          "smallestSet" : false,
          "urls" : [ "http://localhost:8080/WebGoat/attack?Screen=20&menu=900&stage=1" ],
          "data" : {
            "manager" : ["110"],
            "employee_id" : ["111"],
            "password" : ["john"],
            "search_name" : ["Bruce"]
          }
        }


    2. Then, run the generator using the SPaCIoS Tool menu. After a few seconds, the abstraction of the application is created as a new XML file available in the abstraction folder. This XML file can be updated manually if the user wants to skip, or focus on, a part of the application.


    3. When this is done, you can execute the inference by selecting the abstraction file in the project and running it as a SIMPA test driver, as in the following figure. SIMPA recognizes the file as an abstraction and allows the user to run it. For this application, it takes SIMPA around one minute to produce the corresponding ASLan++ model on an average laptop.


    4. After the execution, new directories are created containing the log file (log), a visual version of the model (out) and the ASLan++ model (model), as in the following figure.
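
Before running the generator, it can help to check that the configuration from step 1 keeps the crawl inside the lesson. The following Python sketch is an added example, not part of SIMPA or of the original tutorial: it checks that the start and reset URLs share one host and port, applies the noFollow patterns, and groups the remaining links by the actionByParameter value. It assumes that noFollow patterns are regular expressions searched against the raw href text; the sample hrefs and action names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the scope-related settings from the tutorial's configuration.
CONFIG = json.loads("""
{
  "noFollow": ["^javascript:", "^http://"],
  "reset": "http://localhost:8080/WebGoat/attack?Screen=20&menu=900&Restart=20",
  "actionByParameter": "action",
  "urls": ["http://localhost:8080/WebGoat/attack?Screen=20&menu=900&stage=1"]
}
""")

# Constructed href values, as they might appear inside the lesson page.
SAMPLE_HREFS = [
    "attack?Screen=20&menu=900&action=SearchStaff",
    "attack?Screen=20&menu=900&action=ViewProfile&employee_id=111",
    "attack?Screen=20&menu=900&action=ViewProfile&employee_id=110",
    "javascript:toggle('lessonPlans')",
    "http://www.owasp.org/",
]

def origins(cfg):
    """host:port values targeted by the start and reset URLs; expect exactly one."""
    targets = list(cfg["urls"])
    if cfg.get("reset"):
        targets.append(cfg["reset"])
    return {urlsplit(u).netloc for u in targets}

def followed(cfg, hrefs):
    """Keep hrefs that match no noFollow pattern (assumed: regex search on raw href)."""
    patterns = [re.compile(p) for p in cfg["noFollow"]]
    return [h for h in hrefs if not any(p.search(h) for p in patterns)]

def group_by_action(cfg, hrefs):
    """Group the followed hrefs by the value of the actionByParameter parameter."""
    groups = {}
    for h in followed(cfg, hrefs):
        query = parse_qs(urlsplit(h).query)
        action = query.get(cfg["actionByParameter"], ["<none>"])[0]
        groups.setdefault(action, []).append(h)
    return groups

if __name__ == "__main__":
    print("origins:", origins(CONFIG))
    for action, links in group_by_action(CONFIG, SAMPLE_HREFS).items():
        print(action, "->", len(links), "link(s)")
```

More than one origin in the output, or an external link surviving the filter, means the crawler could leave the lesson while carrying the guest credentials and session cookie.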