Security Testing with Selenium



Similar documents
ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Criteria for web application security check. Version

Web Application Security

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Where every interaction matters.

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web application security

Exploits: XSS, SQLI, Buffer Overflow

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Hack Proof Your Webapps

elearning for Secure Application Development

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Magento Security and Vulnerabilities. Roman Stepanov

(WAPT) Web Application Penetration Testing

The Top Web Application Attacks: Are you vulnerable?

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Web Application Guidelines

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

MANAGED SECURITY TESTING

Web Application Penetration Testing

Network Security Exercise #8

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Sitefinity Security and Best Practices

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Testing the OWASP Top 10 Security Issues

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Last update: February 23, 2004

SERENA SOFTWARE Serena Service Manager Security

OWASP TOP 10 ILIA

OWASP Top Ten Tools and Tactics

What is Web Security? Motivation

Web-Application Security

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Cross Site Scripting in Joomla Acajoom Component

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Ruby on Rails Secure Coding Recommendations

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Testnet Summerschool. Web Application Security Testing. Dave van Stein

Secure Programming Lecture 12: Web Application Security III

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Project 2: Web Security Pitfalls

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Hacking de aplicaciones Web

Security features of ZK Framework

Web Application Attacks And WAF Evasion

Adobe Systems Incorporated

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Attack and Penetration Testing 101

Web Application Security Assessment and Vulnerability Mitigation Tests

Essential IT Security Testing

Annual Web Application Security Report 2011

Cross-Site Scripting

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Sichere Software- Entwicklung für Java Entwickler

Web Application Vulnerability Testing with Nessus

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Thomas Röthlisberger IT Security Analyst

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Attack Vector Detail Report Atlassian

APPLICATION SECURITY AND ITS IMPORTANCE

Columbia University Web Security Standards and Practices. Objective and Scope

Cloudy with a chance of 0-day

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

05.0 Application Development

Client logo placeholder XXX REPORT. Page 1 of 37

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Web Application Report

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Secure Coding in Node.js

JVA-122. Secure Java Web Development

Chapter 1 Web Application (In)security 1

SAP: Session (Fixation) Attacks and Protections

Introduction. Two levels of security vulnerabilities:

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Next Generation Clickjacking

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Intrusion detection for web applications

Enterprise Application Security Workshop Series

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Common Security Vulnerabilities in Online Payment Systems

Certified Secure Web Application Security Test Checklist

Web Application Worms & Browser Insecurity

Web Application Security Bootcamp. Christian Wenz

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

Transcription:

with Selenium Vidar Kongsli Montréal, October 25th, 2007 Versjon 1.0 Page 1

whois 127.0.0.1? Vidar Kongsli System architect & developer Head of security group Bekk Consulting Technology and Management Consulting Based in Oslo, Norway Focus on agile methodologies Page 2

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 3

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 4

Agility meets security Processes A: System design and implementation grows incrementally S: Security review typically after design and after implementation People A: Focused team, co-located in same office space S: Security reviews should be done by externals, not part of the develoment team Documentation Model A: Lean. More effective communication within team preferred S: Security reviews based on system documentation A: No modeling. Design emerges from test-driven development S: System, risk, theats, should be modeled Page 5

How can we address security in agile projects? Leverage Techniques and tools of agile projects Common ownership Automated testing. Page 6

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 7

Introducing misuse stories What Describes illegal or non-normative use of the system How Derived from a user story or stories Question: how can this functionality be misused? Page 8

A misuse story... Misuse story: As a non-privileged anonymous user, I can create a new account with administrator privileges and use it User story: Flaw: As an anonymous user, I can create a user account Mass assignment allows a user to inject admin flag when submitting user account information. Page 9

Another misuse story... Misuse story: As a logged in user, I can insert JavaScript in my post which will be executed when another person reads my post User story: Flaw: As a logged in user, I can post to my blog No meta character escaping or white listing of legal HTML tags in posts in place. Page 10

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 11

Enter Selenium Web testing JavaScript based Runs the application under test in an HTML frame Test cases Can be recorded Can be written in several languages Page 12

Selenium Core Page 13

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 14

The demo application Simple weblog application Register users Create blogs Write blog entries Written in Ruby on Rails Quick development Very good testability Not always secure lets you run with scissors Page 15

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 16

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 17

Cross site scripting (XSS) Type 2 (Source: Wikipedia) Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members. Mallory notices that Bob's website is vulnerable to a type 2 XSS attack. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it. Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's webserver without their knowledge. Later, Mallory logs in as other site users and posts messages on their behalf... Page 18

Testing for cross site scripting (XSS) Test: Can I insert JavaScript code that is run when a victim views the page? Page 19

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 20

Cross Site Request Forgery (CSRF) The following characteristics are common to CSRF: Involve sites that rely on a user's identity Exploit the site's trust in that identity Trick the user's browser into sending HTTP requests to a target site Involve HTTP requests that have side effects (Source: Wikipedia) Scenario in our demo app: Post a blog entry on behalf of another, logged in, user Countermeasures: Preventing XSS is a good start Including a secret, user specific ticket that is validated when the user submits the form Page 21

Testing for Cross Site Request Forgery Test: Can we post a form (postback) without reading it first? Page 22

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 23

Testing for insecure input handling Test: Can I register a user that has administrator privileges? Page 24

Why did this work Database table contains a flag which tells if the user is an administrator Rails uses mass assignment where it automatically maps form parameters into database table by name For the test, I added an action in Selenium that inserts a hidden field into the form Test inserted a hidden admin field into the form before submitting it. Page 25

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 26

Testing for session fixation Session fixation One person (attacker) sets (and exploits) another user s session id Test: If I set the id of the session cookie, will the application accept it? Page 27

Testing for session fixation (2) Test: When I log in (my privileges are elevated), will my session id change? Page 28

Agenda Security in an agile project Misuse stories the evil counterparts of user stories Enter Selenium The demo application Examples Testing for cross site scripting (XSS) Testing for cross site request forgery (CSRF) Testing for insecure input handling Testing for session fixation Testing for information leakage Page 29

Testing for information leakage Scan page source for words and phrases debug, filename, password, SQL Wrote a new Selenium assertion assertnotexists Word or phrase does not exist in the page source code (including comments) Page 30

Testing for information leakage (2) Partial tests reuse test code Page 31

Summary We have created rather simple tests that manifest vulnerabilities We have leveraged a general testing tool We have discovered, tested, and fixed security issues incrementally Page 32

Questions? Contact me: vidar.kongsli [at] bekk.no Page 33

Testing for insecure communications Test: Will SSL be enforced on pages where sensitive information is transferred? Page 34

Be aware Selenium (core) is JavaScript-based Sandbox model An insecure page (non-ssl) cannot access a secure page (SSL) A page can only interact with pages from the same origin as it self Alternative Use Selenium Remote Control (RC) Page 35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information