Security Test Automation

By Autobots

Disclaimer!

We are NOT Security Experts, but QA

Engineers Passionate about Quality

Security Test Automation

What is Security Testing

• Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform.

• Security Testing is a type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from possible intruders.

Some key terms used in Security

Testing

• What is “Vulnerability”?

This is a weakness in the web application.

The cause of such a “weakness” can be

bugs in the application, an injection (SQL/

script code) or the presence of viruses.

• What is “Spoofing”?

The creation of hoax look-alike websites or

emails is called spoofing.

• What is “URL manipulation”?Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server.

• What is “SQL injection”?This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.

OWASP

• The Open Web Application Security

Project (OWASP) is an online community

dedicated to web application security.

• OWASP is a worldwide not-for-profit

charitable organization focused on

improving the security of software.

Few OWASP Recommended Tools

WEB APPLICATION RISK SECURITY UTILITY

A1: InjectionSQL Inject Me and

Zed Attack Proxy (ZAP)

A2: Broken Authentication and Session Management ZAP

A3: Cross-Site Scripting (XSS) ZAP

A4: Insecure Direct Object ReferencesHTTP Directory Traversal Scanner, Burp Suite and

ZAP

A5: Security Misconfiguration OpenVAS and WATOBO

A6: Sensitive Data Exposure Qualys SSL Server Test

A7: Missing Function Level Access Control OpenVAS

A8: Cross-Site Request Forgery (CSRF) Tamper Data (Samurai WTF), WebScarab or ZAP

A9: Using Components with Known Vulnerabilities OpenVAS

A10: Unvalidated Redirects and Forwards ZAP

What is IronWASP

• An environment for Web Application Security Testing

• Designed for optimum mix of Manual and Automated Testing

• Designed for Pentesters and QA folks

• Let’s you write a custom Security Scanner in a very short time

• Open Source and Open Architecture

• ƒGUI based & does not require installation

• Powerful and effective scanning engine

• Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET

IronWASP – Key Components

• Built-in Crawler + Scan Manager + Proxy

• Python/Ruby based plug-ins

• Active plug-ins for Scanning

• Passive plug-ins for vulnerability detection

• Format plug-ins for defining data formats

• Session plug-ins to customise the scans

• Generate detailed report

Zed Attack Proxy [ZAP]

• An easy to use web application security testing tool

• Completely Free and Open Source

• An OWASP flagship project

• Ideal for Beginners

• But also used by Professionals

• Framework for advanced testing

• Ideal for Dev and QA. Especially for Test Automation Engineers

Automation Workflow

Integrating ZAP into the Build

• ANT Tasks

• Session management: New, Save and

Open

• Tasks: Spider and Active Attack

• Results: Ignoring rules and Failing the

build

Scan Results

• Password Autocomplete

• Application Error disclosure

• Cookie set without HttpOnly

Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie

• X-Content-Type-Options header missing

Opens up a serious security vulnerability, in which, by confusing the MIME sniffing algorithm, the browser can be manipulated into interpreting data in a way that allows an attacker to carry out operations that are not expected by either the site operator or user, such as cross-site scripting

• X-Frame-Options header not set

Provides Clickjacking protection - “UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both

Advantages

• Additional ROI

• Great for Catching

1. Injection Based Attacks

2. HTTP header and Cookie issues

3. URL Redirect abuse

• No additional effort for vulnerability scan

• Can be integrated with your CI Builds

• Ignoring Low Priority Alerts

• No Code

• Big Surprise

References

• http://resources.infosecinstitute.com/owasp-top-ten-testing-and-tools-for-2013/

• http://istqbexamcertification.com/what-is-security-testing-in-software/

• https://www.owasp.org

• http://www.ironwasp.org/index.html• http://www.ironwasp.org/download.html• http://confengine.com/selenium-conf-

2014/schedule#session-218-info

• https://github.com/continuumsecurity/zap-webdriver

• https://code.google.com/p/zaproxy/wiki/RegTestsDemo