We introduce a new Syntax-based Security Testing framework that uses a protocol specification to perform security testing on text-based communication protocols. A protocol specification of a particular text-based protocol under test represents its syntactic grammar and static constraints. The specification is used to generate test cases by mutating valid messages, breaking the syntax and constraints of the protocol. The framework is demonstrated using a toy web application and the open source application KOrganizer. Copyright © 2012 John Wiley & Sons, Ltd.
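The idea of deriving test cases from a specification by mutating a valid message can be sketched as follows. This is an added example, not the framework from the paper: the toy `SET` protocol, its field names and the three mutation operators (drop a field, duplicate a field, falsify the length) are all assumptions made for illustration.

```python
import re

# Constructed toy protocol (an assumption, not taken from the paper):
#   SET <key> <length>\r\n<body>\r\n
# Syntactic grammar: the ordered terminals below.
# Static constraint: <length> must equal len(<body>).
SPEC = [
    ("verb", r"SET"), ("sp1", r" "), ("key", r"[a-z]+"), ("sp2", r" "),
    ("length", r"[0-9]+"), ("eol1", r"\r\n"), ("body", r"[ -~]*"), ("eol2", r"\r\n"),
]
GRAMMAR = re.compile("".join(f"(?P<{name}>{rx})" for name, rx in SPEC))
SEED = "SET color 5\r\nhello\r\n"  # constructed valid message

def parse(msg):
    """Return the field dict if msg matches the grammar, else None."""
    m = GRAMMAR.fullmatch(msg)
    return m.groupdict() if m else None

def classify(msg):
    """'valid', 'syntax' (grammar broken) or 'constraint' (grammar ok, length wrong)."""
    fields = parse(msg)
    if fields is None:
        return "syntax"
    return "valid" if int(fields["length"]) == len(fields["body"]) else "constraint"

def mutants(seed):
    """Derive test cases from one valid message; each breaks syntax or the constraint."""
    if classify(seed) != "valid":
        raise ValueError("seed message must be valid")
    base = parse(seed)
    candidates = []
    for name, _ in SPEC:
        candidates.append((f"drop:{name}", {**base, name: ""}))
        candidates.append((f"dup:{name}", {**base, name: base[name] * 2}))
    candidates.append(("length+1", {**base, "length": str(len(base["body"]) + 1)}))
    cases = []
    for label, fields in candidates:
        msg = "".join(fields[name] for name, _ in SPEC)
        kind = classify(msg)
        if kind != "valid":  # a mutation that happens to stay valid is not a test case
            cases.append((label, kind, msg))
    return cases

if __name__ == "__main__":
    for label, kind, msg in mutants(SEED):
        print(f"{label:12} {kind:10} {msg!r}")
```

Checking each mutant against the specification matters: duplicating the key yields `colorcolor`, which is still a valid message and is therefore discarded rather than counted as a test case.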