Physical & Personnel Security Physical Security Personnel Security.
Security testautomation
-
Upload
linkesh-kanna-velu -
Category
Technology
-
view
160 -
download
0
Transcript of Security testautomation
What is Security Testing
• Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform.
• Security Testing is a type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from possible intruders.
Some key terms used in Security
Testing
• What is “Vulnerability”?
This is a weakness in the web application.
The cause of such a “weakness” can be
bugs in the application, an injection (SQL/
script code) or the presence of viruses.
• What is “Spoofing”?
The creation of hoax look-alike websites or
emails is called spoofing.
• What is “URL manipulation”?Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server.
• What is “SQL injection”?This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.
OWASP
• The Open Web Application Security
Project (OWASP) is an online community
dedicated to web application security.
• OWASP is a worldwide not-for-profit
charitable organization focused on
improving the security of software.
Few OWASP Recommended Tools
WEB APPLICATION RISK SECURITY UTILITY
A1: InjectionSQL Inject Me and
Zed Attack Proxy (ZAP)
A2: Broken Authentication and Session Management ZAP
A3: Cross-Site Scripting (XSS) ZAP
A4: Insecure Direct Object ReferencesHTTP Directory Traversal Scanner, Burp Suite and
ZAP
A5: Security Misconfiguration OpenVAS and WATOBO
A6: Sensitive Data Exposure Qualys SSL Server Test
A7: Missing Function Level Access Control OpenVAS
A8: Cross-Site Request Forgery (CSRF) Tamper Data (Samurai WTF), WebScarab or ZAP
A9: Using Components with Known Vulnerabilities OpenVAS
A10: Unvalidated Redirects and Forwards ZAP
What is IronWASP
• An environment for Web Application Security Testing
• Designed for optimum mix of Manual and Automated Testing
• Designed for Pentesters and QA folks
• Let’s you write a custom Security Scanner in a very short time
• Open Source and Open Architecture
• ƒGUI based & does not require installation
• Powerful and effective scanning engine
• Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET
IronWASP – Key Components
• Built-in Crawler + Scan Manager + Proxy
• Python/Ruby based plug-ins
• Active plug-ins for Scanning
• Passive plug-ins for vulnerability detection
• Format plug-ins for defining data formats
• Session plug-ins to customise the scans
• Generate detailed report
Zed Attack Proxy [ZAP]
• An easy to use web application security testing tool
• Completely Free and Open Source
• An OWASP flagship project
• Ideal for Beginners
• But also used by Professionals
• Framework for advanced testing
• Ideal for Dev and QA. Especially for Test Automation Engineers
Integrating ZAP into the Build
• ANT Tasks
• Session management: New, Save and
Open
• Tasks: Spider and Active Attack
• Results: Ignoring rules and Failing the
build
Scan Results
• Password Autocomplete
• Application Error disclosure
• Cookie set without HttpOnly
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie
• X-Content-Type-Options header missing
Opens up a serious security vulnerability, in which, by confusing the MIME sniffing algorithm, the browser can be manipulated into interpreting data in a way that allows an attacker to carry out operations that are not expected by either the site operator or user, such as cross-site scripting
• X-Frame-Options header not set
Provides Clickjacking protection - “UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both
Advantages
• Additional ROI
• Great for Catching
1. Injection Based Attacks
2. HTTP header and Cookie issues
3. URL Redirect abuse
• No additional effort for vulnerability scan
• Can be integrated with your CI Builds
• Ignoring Low Priority Alerts
• No Code
• Big Surprise
References
• http://resources.infosecinstitute.com/owasp-top-ten-testing-and-tools-for-2013/
• http://istqbexamcertification.com/what-is-security-testing-in-software/
• https://www.owasp.org
• http://www.ironwasp.org/index.html• http://www.ironwasp.org/download.html• http://confengine.com/selenium-conf-
2014/schedule#session-218-info
• https://github.com/continuumsecurity/zap-webdriver
• https://code.google.com/p/zaproxy/wiki/RegTestsDemo