Practical Security Testing for Web Applications
T10 Track, 5/7/2009 11:15:00 AM
Presented by: Rafal Los, Hewlett-Packard Application Security Center
Presented at: 330 Corporate Way, Suite 300, Orange Park, FL 32073; 888-268-8770; 904-278-0524; sqeinfo@sqe.com; www.sqe.com
Rafal Los
Rafal Los is currently a Sr. Security Consultant with Hewlett-Packard's Application Security Center (ASC). Rafal has over 13 years of experience in network and system design, security policy and process design, risk analysis, penetration testing and consulting. Over the past eight years, he has focused on Information Security and Risk Management, leading security architecture teams and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously Rafal spent three years in-house with GE Consumer Finance, leading its security programs.
Practical Security Testing for Web Applications
Rafal M. Los, HP ASC Sr. Security Solutions Expert

Agenda
- Understanding the QA/Security Relationship
- Negative Testing 360
- Building Negative Tests
- Implementation and Execution
- Looking Ahead

October 2003 Copyright 2006 HP corporate presentation. All rights reserved.
Background: Why do QA teams care about security?
- Traditionally security is left to the security team
- Security issues must be addressed throughout the SDL
- QA teams add the missing element
- QA teams are crucial to security:
  - They understand application test-cases
  - They understand application workflows
- Security is a natural extension of quality
QA/Security Relationship
- Similarities (core principles):
  - Testing web application logic
  - Functional testing on live code
  - Specific data-sets used
- Differences (outlying goals):
  - Stress-test vs. break test
  - Positive vs. negative data sets
  - Reinforcing the positive vs. uncovering the negative

The Hacker Mindset
- Why would anyone want to break an application?
  - Fun
  - Malice
  - Profit: attack users, attack systems
- Mentality difference:
  - QA asks "How does it perform?"
  - Hacker asks "How can I break it?"
Whose Problem is Security?
- Many components to the security problem:
  - Policy
  - Development frameworks/standards
  - Audit
  - Metrics
- Security is a pillar of overall quality:
  - Does it function?
  - Does it perform?
  - Is it secure?
Negative Testing Overview: What is negative testing?
- Testing for unintended features
- Testing using unintended data sets
- Testing for unintended logic flow
Negative testing involves understanding the application, and finding ways to manipulate the code to perform in ways that create unintended exposures.

Negative Testing Overview: Selection bias, Confirmation bias
- Testing to confirm desired results
- Testing using known desired data and flows
- Testing which completely misses the point
"Confirmation bias is a tendency to search for or interpret new information in a way that confirms one's preconceptions and to avoid information and interpretations which contradict prior beliefs."
Negative Testing Mindset
- Traditional QA: proving the positive
  - Prove certain activity functions as defined by the business case
  - Requirements are easily defined in application flow and function
- Negative testing: finding the negative
  - Find negative (unintended) functions/results
  - No way to clearly define "bad stuff" as a requirement to test against

Negative Testing - Data
- Types of negative data depend on purpose:
  - Exploit a client: client-side script or technology
  - Corrupt or crash a system: database control characters; non-native character sets, system characters; system commands
  - Retrieve data from the system: database queries, control language; system commands
Negative Testing - Flow
- Goal is to manipulate application logic
- Identify breakable application logic:
  - Create a race condition
  - Break application control-flow
  - Force an out-of-process action
  - Inject a rogue process
- Test-cases are based off of proper application logic flows
- Requires in-depth knowledge of application flow

Negative Testing - Tools
- Tools are an integral part of negative testing
- Manual tools: flow diagrams, data sets, logic charts
- Automated tools: black-box scanners, "manu-matic" framework tools
Negative Testing - Tools
- Automated tools *cannot* perform all testing (workflow-based vulnerabilities)
- Human beings must:
  - Analyze the application logic and data
  - Guide tools
  - Interpret results
Building the Test

Building Data-Negative Tests
[Diagram: all possible inputs (letters, numbers, special characters, control characters, and unknown data with unknown impact) are narrowed by situational refinement (database: SQLi; client-side: XSS; XML db: XPath injection) into the negative test data set.]
- Negative test data consists of:
  - Allowed (positive) characters
  - Case-specific malicious input: cross-site scripting, SQL injection, overflows
Building Data-Negative Tests
- Manual human testing:
  - Must build test data sets manually
  - Sniper approach (can be precise)
  - Often very slow, methodical
  - Identifies false-positives
- Tools-based testing:
  - Builds test data sets automatically
  - Shotgun approach (not precise)
  - Ability to be extremely fast
  - Trouble with false-positives

Negative Data Sets: Facts about negative data
- Negative data sets are best generated by tools if the tester is not a security expert
  - Many pre-built negative data sets already exist (e.g. the Sla.ckers.org XSS cheat-sheet)
  - Tools can "point, click, test"
- Black-box testing tools save time and effort, but humans must analyze results
- Must mix positive/negative data for completeness:
  - Workflows often require good data to proceed
  - Automated negative-data testing fails without good data
Flow Analysis Testing
[Diagram: the positive flow is Step 1 Verify Identity -> Step 2 Request quote -> Step 3 Receive quote -> Step 4 Submit for purchase.]
- Can a process step be bypassed? (e.g. submit a quote for someone else?)
- Can a process step be injected? (e.g. a "Modify quote" step injected between Receive quote and Submit for purchase)

Flow Analysis Testing
- Manual human testing:
  - Can analytically identify specific weak points
  - Distinguishes between success/failure readily
  - Often very slow, methodical
  - Ability to tailor testing to situation/process
- Tools-based testing:
  - Attacks every point, cannot distinguish
  - Difficulty distinguishing success/failure
  - Ability to be extremely fast
  - Cannot think, therefore has limited abilities
Flow Analysis Testing: Facts about flow analysis testing
- Tester must understand application flow
  - Proper application flow to turn into negative
  - Random manipulation rarely works
- Focus on application control-points (key points in application logic)
- Don't leave your testing to tools only
  - Most tools can't identify control points or dive deep into flows
  - Human analyst has an obvious advantage (critical thinking)
Negative Testing Process
[Diagram: a cycle of Analyze Requirements -> Build Test Sets -> [1] Test Positive Data / Test Negative Data -> [2] Test Positive Flow / Test Negative Flow -> [3] Analyze Findings.]

[1] Testing Negative Data
1. Identify all visible inputs (data source)
   i. Input positive data, analyze behavior
   ii. Input negative data, analyze behavior
2. Identify all hidden fields (data source)
   i. Input positive data, analyze behavior
   ii. Input negative data, analyze behavior
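The data-negative procedure above (positive baseline first, then one negative value per input, then analyze the reaction) and the "mix positive and negative data" advice from the Negative Data Sets slide, as an added Python harness that is not part of the presentation. The quote_handler endpoint, its two planted defects, and the reaction classes are constructed for illustration.

```python
# Added example (not from the presentation): a data-negative test harness
# following the "Testing Negative Data" steps: baseline with positive data,
# substitute negative data one field at a time, classify the behaviour.
# quote_handler is a constructed stand-in for a web form endpoint.
import re

def quote_handler(form):
    """Constructed endpoint with two planted defects: it echoes the name
    unencoded and leaks a debug trace on a non-numeric amount."""
    name, amount = form.get("name", ""), form.get("amount", "")
    if any(ord(c) < 32 for c in name):
        raise ValueError("bad byte in name")           # simulated crash
    if not amount.isdigit():
        return "<pre>Traceback: int() failed at quote.py:42</pre>"  # simulated leak
    return f"<p>Quote for {name}: {int(amount)} USD</p>"

POSITIVE = {"name": "Alice", "amount": "100"}          # known-good data set
NEGATIVE = {                                           # one value per input class
    "letters":  "Zz",
    "special":  "<b>x</b>",                            # markup that must be encoded
    "control":  "a\x00b",
    "overflow": "A" * 4096,
}

def analyze(handler, field, value):
    """Put one negative value into the positive baseline; classify the reaction."""
    form = dict(POSITIVE, **{field: value})
    try:
        body = handler(form)
    except Exception:
        return "crash"
    if re.search(r"traceback|stack trace|exception", body, re.I):
        return "debug-disclosure"
    if value in body and re.search(r"[<>\"']", value):
        return "reflected-unencoded"
    return "ok"

def run_negative_data(handler):
    """Map (field, input class) -> finding for every reaction that is not 'ok'."""
    findings = {}
    for field in POSITIVE:
        for label, value in NEGATIVE.items():
            verdict = analyze(handler, field, value)
            if verdict != "ok":
                findings[(field, label)] = verdict
    return findings
```

Because every request carries the positive values for the other fields, the endpoint gets far enough to react to the single negative value, which is the point of mixing the two data sets.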
Testing Negative Flow (as we've learned, this will be manual work)
- Map out all control-flows
- Identify a potentially weak logic element
- Walk the positive-control flow path; ensure the proper positive path is understood
- Map possible negative-control flow paths
- Execute negative-control flow paths
- Analyze the difference between positive/negative attempts
- Repeat if necessary to adjust/adapt until satisfied; attempt at least 3-5 loop-repetitions

Identify Weaknesses: How do you identify a weakness/defect?
- Undesired application reaction: crash? skip control step?
- Disclosure of unintended data: debug information, disclosure of internal data, disclosure of controlled data
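The negative-flow procedure above applied to the four-step quote workflow from the Flow Analysis slides (walk the positive path, derive bypass and injection paths from it, execute them, compare), as an added Python harness that is not part of the presentation. WeakWorkflow and HardenedWorkflow are constructed stand-ins: the first trusts the client, the second enforces the control points server-side.

```python
# Added example (not from the presentation): a flow-negative test harness for
# the four-step quote workflow on the slides. Both workflow classes are
# constructed stand-ins so the harness has something to exercise.
STEPS = ["verify_identity", "request_quote", "receive_quote", "submit_purchase"]

class WeakWorkflow:
    """Trusts whatever step order and quote amount the client sends."""
    def __init__(self):
        self.done, self.user, self.amount = [], None, None
    def run(self, step, user, amount=None):
        if step == "verify_identity":
            self.user = user
        if step == "receive_quote":
            self.amount = 100                    # constructed server-side quote
        if step == "submit_purchase":
            return {"ok": True, "user": user, "amount": amount}
        self.done.append(step)
        return {"ok": True}

class HardenedWorkflow(WeakWorkflow):
    """Server-side control points: step order, identity, quote integrity."""
    def run(self, step, user, amount=None):
        if step != STEPS[len(self.done)]:        # only the next step is allowed
            return {"ok": False, "reason": "step out of order"}
        if self.user is not None and user != self.user:
            return {"ok": False, "reason": "identity mismatch"}
        if step == "submit_purchase" and amount != self.amount:
            return {"ok": False, "reason": "quote tampered"}
        return super().run(step, user, amount)

# Positive control-flow path: one (step, user, amount) request per step
POSITIVE_PATH = [("verify_identity", "alice", None), ("request_quote", "alice", None),
                 ("receive_quote", "alice", None), ("submit_purchase", "alice", 100)]

# Negative paths derived from the positive one: bypass, inject, act as someone else
NEGATIVE_PATHS = {
    "bypass_to_purchase": POSITIVE_PATH[3:],
    "inject_modified_quote": POSITIVE_PATH[:3] + [("submit_purchase", "alice", 1)],
    "submit_for_someone_else": POSITIVE_PATH[:3] + [("submit_purchase", "mallory", 100)],
}

def walk(factory, path):
    """Run a path against a fresh workflow and return the final response."""
    wf = factory()
    return [wf.run(*req) for req in path][-1]

def flow_findings(factory):
    """Labels of negative paths the workflow wrongly accepted (defects)."""
    return [label for label, path in NEGATIVE_PATHS.items() if walk(factory, path)["ok"]]
```

A skipped control step shows up here as a negative path whose final response is still "ok", which is the "skip control step?" reaction from the Identify Weaknesses slide.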
Looking Ahead
- Addressing deep defects:
  - Workflow-based security defects
  - Traditionally cannot be scanned for (with automated tools)
- Analysis of defects:
  - When is a critical defect not critical?
  - QA expertise contextualizes defects
Questions?
Rafal Los, Security Strategist, Application Security Specialist
Following the White Rabbit: http://www.communities.hp.com/securitysoftware/blogs/rafal
Digital Security SoapBox: http://preachsecurity.blogspot.com/
Email: Rafal@hp.com
Direct: (404) 606-6056