hacker proof web app using functional tests
Post on 14-Jun-2015
HACKER-PROOF WEB APP USING FUNCTIONAL TESTS
Ankita Gupta, Anamika Singh

Presenters
Ankita Gupta, Software Engineer, QA @ LinkedIn
@_ankitag_
Anamika Singh, Product Analyst @ IronWASP Information Security Services
Author of WiHawk – Router Vulnerability Scanner
@_Anamikas_
Importance of Web App Security
• A web application breach can lead to:
  • Theft of data
  • Malware infection
  • Loss of consumer confidence
  • Failure to meet regulatory requirements
  • Eventual loss of hundreds of thousands, even millions of dollars.
• According to studies, 8 out of 10 sites are vulnerable.
Types of Attack
• SQL Injection
• Cross-Site Scripting
• Denial of Service
• Code Execution
• Cross-Site Request Forgery
And many more …
Find Security Bugs
Security experts
• Expensive
• Time consuming
Find Security Bugs
Automated scanning using web security scanners
Scanner:
• A program that interacts with the web application like a user.
• It performs black-box testing.
• It finds misconfigurations and code-level vulnerabilities.
• Cheap
• Runs 24*7
How Scanner Works
• Crawls the site and finds injection points.
• Tests each point for security problems by injecting different payloads.
• Payloads are not random text; they are predefined values known to trigger specific security problems.
• For each security problem there is a corresponding input.
How Scanner Works
• Each scanner has its own algorithm: which payloads it sends and how it analyses the responses.
• Passive approach: the scanner only looks at requests and responses and tries to identify security problems from them.
Challenges of Automated Scanning
• Automated login
• Infinite web sites
• Multi-page sequences
How?
Solutions:
• Manually provide all possible inputs to the scanner.
  • Time consuming
  • Inefficient
Better Approach
• Use functional test case automation.
• Enterprises use frameworks like Selenium to automate functional testing.
How about we integrate Selenium test cases with the automated scanner?
Combine Selenium with IronWASP
IronWASP
• IronWASP is an open source web security scanner.
• It is one of the best scanners.
• Checks for more than 25 vulnerabilities.
• It scores better than commercial scanners on some parameters.
IronWASP is better than other scanners
Benefits
• The automated scanner now has valid inputs for all possible cases.
• It follows the correct flow on the web page.
• Time/cost effective.
Demo IronWasp
A Simple Functional Test
    import org.openqa.selenium.WebDriver;
    import org.openqa.selenium.firefox.FirefoxDriver;

    public void test() throws InterruptedException {
        WebDriver driver = new FirefoxDriver();
        driver.get("http://abc.com");   // abc.com is the placeholder site used in the slides; WebDriver needs a full URL
        System.out.println(driver.getTitle());
        driver.quit();
    }
Setup IronWasp Library
• Add the library to the build path.
• Add IronWaspConfig.xml to <MainFolder>/resources/
• AND WE ARE GOOD TO GO!!
Routing Traffic to IronWasp
    public static WebDriver createDriver() {
        FirefoxProfile profile = new FirefoxProfile();
        profile.setPreference("network.proxy.type", 1);                    // 1 = manual proxy configuration
        profile.setPreference("network.proxy.http", IronWasp.ipAddress);    // HTTP traffic goes to the IronWASP listener
        profile.setPreference("network.proxy.http_port", IronWasp.portNumber);
        profile.setPreference("network.proxy.ssl", IronWasp.ipAddress);     // HTTPS traffic goes to the same listener
        profile.setPreference("network.proxy.ssl_port", IronWasp.portNumber);
        profile.setPreference("network.proxy.no_proxies_on", "");           // empty list: proxy everything, localhost included
        return new FirefoxDriver(profile);
    }
An IronWasp Integrated Test Case
    public void test() throws InterruptedException {
        IronWasp.workflowStart();                          // tell IronWASP that a new test-case flow begins
        WebDriver driver = FirefoxBrowser.createDriver();  // browser whose traffic is proxied through IronWASP
        driver.get("http://abc.com");
        System.out.println(driver.getTitle());
        IronWasp.workflowEnd();                            // marks the end of the recorded flow
        driver.quit();
    }
Demo TestNG/JUnit
• Create a wrapper for creating browsers.
• Create a base class which calls the IronWasp library at the start and end of every test case.
• All test cases should inherit the base class.
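The three steps above as one TestNG base class plus a test that inherits it. This is an added example, not code from the slides or from the IronWASP project; it assumes the IronWasp Java library from the slides (IronWasp.workflowStart(), workflowEnd(), ipAddress, portNumber) and the Selenium 2 FirefoxDriver(FirefoxProfile) constructor, and the names IronWaspBaseTest, createProxiedFirefox and LoginPageTest are made up here.

```java
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

// Base class every functional test extends. It owns the browser and the
// IronWASP workflow markers, so a test contains only its functional steps.
public abstract class IronWaspBaseTest {
    protected WebDriver driver;

    // Wrapper for creating browsers: HTTP and HTTPS traffic is routed through
    // the IronWASP proxy listener (address and port read from the library).
    protected static WebDriver createProxiedFirefox() {
        FirefoxProfile profile = new FirefoxProfile();
        profile.setPreference("network.proxy.type", 1);            // manual proxy
        profile.setPreference("network.proxy.http", IronWasp.ipAddress);
        profile.setPreference("network.proxy.http_port", IronWasp.portNumber);
        profile.setPreference("network.proxy.ssl", IronWasp.ipAddress);
        profile.setPreference("network.proxy.ssl_port", IronWasp.portNumber);
        profile.setPreference("network.proxy.no_proxies_on", ""); // proxy localhost too
        return new FirefoxDriver(profile);
    }

    @BeforeMethod
    public void startWorkflow() {
        IronWasp.workflowStart();            // a new recorded flow begins
        driver = createProxiedFirefox();
    }

    @AfterMethod(alwaysRun = true)           // runs even when the test fails
    public void endWorkflow() {
        try {
            IronWasp.workflowEnd();          // closes the flow recorded for this test
        } finally {
            if (driver != null) driver.quit();   // never leak a browser
        }
    }
}

// A test case inherits the base class and carries no scanner code at all.
class LoginPageTest extends IronWaspBaseTest {
    @Test
    public void loginPageLoads() {
        driver.get("http://abc.com/login");  // abc.com: placeholder host from the slides
        if (!driver.getTitle().contains("Login")) {
            throw new AssertionError("unexpected title: " + driver.getTitle());
        }
    }
}
```

With alwaysRun = true, workflowEnd() and driver.quit() still execute when a test assertion fails, so a failing functional test does not leave IronWASP with an open flow or an orphaned browser.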
Advantages
• No special security auditing needed.
• Easily understandable reports.
• Security issues can be fixed early in the SDLC.
• Can prevent major design/architectural changes.
• No more ransom to bug bounty hunters.
Area of Improvements
• Speed and effectiveness:
  • The current system replays each test case repeatedly, which is very time consuming.
  • The current system does not work properly for JavaScript-heavy websites.
• Coverage:
  • The current system does not test for client-side vulnerabilities.
  • The current system does not discover features that are not covered by the test cases.
• Reporting:
  • The current system only generates a report; there is no integration with bug tracking software.
Area of Improvements
• Management:
  • The current system needs to be started every time a test suite needs to be run.
  • If it crashes during a scan, the crash must be detected and the scanner restarted manually.
  • Bug fix verification can only be done by manually comparing the reports.
  • Cannot handle parallel functional testing traffic from multiple users.
• Configuration wise:
  • Configuring proxy settings in the web driver.
  • Sending API calls at the start and end of each test case.
Issue Types
• Scanners are unable to find flaws in business logic.
• More complicated attacks are found by people.
References
• IronWasp : http://ironwasp.net / http://ironwasp.org
• Mutillidae : http://sourceforge.net/projects/mutillidae
• Github : https://github.com/Ankitagupta2309/IronWasp/
• Special Thanks to Lavakumar Kuppan, Author@IronWasp