Zen and the art of Security Testing

Zen and the Art of Security Testing: Testing for security issues as a variation on what you already do

Transcript of Zen and the art of Security Testing

Page 1: Zen and the art of Security Testing

Zen and the Art of Security Testing

Testing for security issues as a variation on what you already do

Page 2: Zen and the art of Security Testing

About Cigital

UK and US consulting firm specializing in software security. Global leader in helping organizations build security in.

Over 20 years of research and successful software security consulting engagements throughout the world.

Offers consulting, training, mobile application security. Published in books, white papers, and articles.

Page 3: Zen and the art of Security Testing

About Me

• Consultant 13 years
• Software security: code, design, risk
• Financial, gaming, retail
• Source code, architecture, security testing
• (ISC)² European Advisory Council
• CISSP and CSSLP exam item author
• Author: 2 books + 1 chapter
• OWASP Mobile Top Ten contributor
• BS and MS in Computer Science
• Passionate about software testers as an untapped resource in software security

Page 4: Zen and the art of Security Testing

Inspiration

www.eurostarsoftwaretesting.com

Page 5: Zen and the art of Security Testing

The Inspiration

Before one studies Zen, mountains are mountains and waters are waters; after a first glimpse into the truth of Zen, mountains are no longer mountains and waters are no longer waters;

Photo: © 2009 Abi Skipp, via Flickr

Page 6: Zen and the art of Security Testing

The Metaphor

Before one learns security testing, software is software and test cases are test cases; after a first glimpse into security testing, software is no longer software and test cases are no longer test cases;

Page 7: Zen and the art of Security Testing

Functional Testing vs. Security Testing

Testing against the design/requirements is not enough:

• Design specification & requirements
• Actual implementation
• Missing features (found in functional testing)
• Potential security vulnerabilities (not found in functional tests)

Boundary condition analysis (edge and corner cases): security testers must think “outside the box”.

Page 8: Zen and the art of Security Testing

Goals

• Finding places in the user journey to do security testing
• Working that into user stories
• Working it into tests
• Modifying existing test cases to cover security
• Use tools for intercepting and modifying web requests

Page 9: Zen and the art of Security Testing

INJECTING SECURITY TESTS INTO USER STORIES

The fundamentals

Page 10: Zen and the art of Security Testing

Agile User Story

As a customer,
I want to change my shipping address
so that packages will come to my new address

Page 11: Zen and the art of Security Testing

CAUTION: THOUGHTS UNDER CONSTRUCTION

Page 12: Zen and the art of Security Testing

Security User Stories

User Story
As a customer, I want to track the shipment of my order so that I know when it will arrive.

Security Story
As a fraudster, I want to see the details of an order that is not my own so that I can learn another person’s private information.

Page 13: Zen and the art of Security Testing

“Bad Guys” in Security User Stories

Bad Guys
• Competitor
• Misbehaving customer
• Hacker
• Journalist
• Criminal
• Vandal
• Disgruntled employee

Goals
• Learn private information
• Commit a fraudulent transaction
• Damage the company’s brand
• Prevent people from doing their job
• Sell valuable information

Page 14: Zen and the art of Security Testing

“Bad Guy” User Stories

As a criminal,
I want to see the details of an order that is not mine
So that I can learn private information of another person

Acceptance Criterion
Given that the user is logged in
And the session is valid
And the request is for an order that does not belong to the logged-in user,
When the user requests details
Then display an error message
And ensure the user is no longer logged in
And log an error to the application log.
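The acceptance criterion above, turned into executable form as an added example (not code from the talk): the order store, session store, customer names and the `order_details` / `bad_guy_scenario` functions are all constructed for illustration, and an in-memory list stands in for the application log.

```python
import logging

log = logging.getLogger("shop")

# Constructed sample data: order id -> customer who owns it
ORDERS = {"A100": "alice", "B200": "bob"}
# Constructed session store: session token -> logged-in customer
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
# Stands in for the application log so the scenario can inspect it
AUDIT = []


def session_is_valid(session_token):
    """Given: the user is logged in and the session is valid."""
    return session_token in SESSIONS


def order_details(session_token, order_id):
    """When the user requests details of an order.

    Then, for an order that does not belong to the logged-in user:
    display an error message, ensure the user is no longer logged in,
    and log an error to the application log.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        return {"error": "Please log in"}
    owner = ORDERS.get(order_id)
    if owner != user:
        # Ownership check: a missing order gets the same response as
        # someone else's order, so the message does not reveal which.
        log.error("user %s requested order %s owned by %s", user, order_id, owner)
        AUDIT.append(("ERROR", user, order_id))
        SESSIONS.pop(session_token, None)  # user is no longer logged in
        return {"error": "Order not found"}
    return {"order_id": order_id, "owner": owner}


def bad_guy_scenario():
    """Run the acceptance criterion end to end; return the three Then outcomes."""
    assert session_is_valid("sess-alice")
    response = order_details("sess-alice", "B200")  # bob's order, not alice's
    return (
        response.get("error") is not None,      # error message displayed
        not session_is_valid("sess-alice"),     # no longer logged in
        ("ERROR", "alice", "B200") in AUDIT,    # error written to the log
    )
```

The scenario is the test case the slide asks for: can you make the error message appear, and does the session really end?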

Page 15: Zen and the art of Security Testing

“Good Guys” in Security User Stories

Users
• Fraud Analyst
• Customer Service Rep
• System Operator
• Well-behaved user
• Manager
• Auditor

Goals
• Verify a transaction
• Determine some important information
• Report on error conditions
• Display the status of something

Page 16: Zen and the art of Security Testing

“Good Guy” User Stories

As a security analyst,
I want to see a list of sessions with unusual characteristics
So that I can identify and terminate bot and fraud sessions

As a registered user,
I want to receive a notification when a new device is added to my account
So that I know how many devices are attached to my account

Page 17: Zen and the art of Security Testing

Goals of Security User Stories

• Identify an important actor (developers, security people, IT people are usually not important)
• Identify an action or activity with tangible outputs
  • An easy tangible output is an error message
  • Force the business to be engaged by getting them to describe these outputs
• Create test cases that exercise the software that way
  • Can you make the error message appear?

Page 18: Zen and the art of Security Testing

SECURITY TESTING TECHNIQUES


Page 19: Zen and the art of Security Testing

Web Security Testing vs. Network Penetration Testing

Penetration Testing
• Finds services and open ports
• Checks for vulnerable or misconfigured components
• Often targets standard software, COTS

Web Security Testing
• Focuses on what is running over HTTP(S)
• System usually contains custom-built code
• Requires deeper knowledge of business processes and rules

Page 20: Zen and the art of Security Testing

The Idea: Functional Testers Know the Most!

• Test data to exercise this whole flow
• Insert security test data at each point
  o SQL injection
  o XML
  o Cross-site scripting (XSS)
  o JSON
  o CSV

Page 21: Zen and the art of Security Testing

Old Skool: Boundary Value Testing

Example Scenario
• App allows you to share mobile minutes
• 1000 minutes across 3 lines
• Inputs are non-negative, integer minute values
• Must sum to exactly 1000
• 0 and 1000 are valid

Examples (Line 1 / Line 2 / Line 3 → Total)
250 / 250 / 500 → 1000
0 / 1000 / 0 → 1000
1 / 1 / 998 → 1000

Page 22: Zen and the art of Security Testing

Old Skool: Boundary Value Testing

Boundary Values
• One more, one less, and boundary value
• -1, 0, 1, 999, 1000, 1001
• This is testing 101

A few other interesting ones
• MAXINT
• MININT

Examples (Line 1 / Line 2 / Line 3 → Total)
-1 / 0 / 1 → err
999 / 1000 / 1001 → err
-1 / 0 / 1001 → err

Page 23: Zen and the art of Security Testing

Equivalence Class Partitioning

Sampling from Equivalence Classes
• Negative numbers
• Alphabetic characters
• Character set, encoding variations
  • Unicode UTF-8
  • Unicode UTF-16
  • Unicode ISO-8859-1
• Null / missing / empty

Examples (Line 1 / Line 2 / Line 3 → Total)
ABCD / 500 / 500 → err
完全な失敗 / başarısızlık / لشف → err
(empty) / 1 / 998 → err

Page 24: Zen and the art of Security Testing

Security and Equivalence Class Partitioning

New Equivalence Classes
• SQL Injection
  ' or 1=1; --' and 'A'='A';
• Cross-site scripting
  <script><img src="http://.../"…>
• Other encoding issues
  • URI encoding
  • HTTP encoding
  • Base64 misalignments
  • Etc.

Examples (Line 1 / Line 2 / Line 3 → Total)
' or 1=1'; / ' and a=a; -- / ' group by -- → err
<script> / <body onload=> / <a onmouseover> → err
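The three preceding slides (boundary values, equivalence classes, and the new security classes) together with the “insert security test data at each point” idea all feed one test table. As an added example that is not from the talk, here is a hypothetical `validate_share` function for the minute-sharing scenario plus a data table with one row per class; the rows reproduce the slides’ examples, and the expected verdict for every class is “err” except the three valid boundary rows.

```python
import re
import sys

TOTAL = 1000
DIGITS = re.compile(r"[0-9]+")   # ASCII digits only; str.isdigit() would also accept "²"


def validate_share(values):
    """Accept exactly three non-negative integer strings summing to TOTAL.

    Inputs are strings, as they arrive from an HTTP form, so each one is
    checked as text before any arithmetic; anything else is rejected.
    """
    if len(values) != 3:
        return False
    ints = []
    for v in values:
        if not isinstance(v, str) or not DIGITS.fullmatch(v):
            return False          # "", "-1", "ABCD", "' or 1=1" all land here
        ints.append(int(v))
    if any(n > TOTAL for n in ints):
        return False              # 1001, MAXINT
    return sum(ints) == TOTAL


# One representative row per class, reproducing the slides' examples.
CASES = [
    # boundary values
    (["250", "250", "500"], True),
    (["0", "1000", "0"], True),
    (["1", "1", "998"], True),
    (["-1", "0", "1"], False),
    (["999", "1000", "1001"], False),
    (["-1", "0", "1001"], False),
    ([str(sys.maxsize), "0", "0"], False),           # MAXINT
    ([str(-sys.maxsize - 1), "0", "1000"], False),   # MININT
    # equivalence classes: alphabetic, Unicode text, missing value
    (["ABCD", "500", "500"], False),
    (["完全な失敗", "başarısızlık", "لشف"], False),
    (["", "1", "998"], False),
    # security classes: SQL injection and cross-site scripting strings
    (["' or 1=1';", "' and a=a; --", "' group by --"], False),
    (["<script>", "<body onload=>", "<a onmouseover>"], False),
]


def failing_cases(cases=CASES):
    """Return the rows where the validator disagrees with the expected verdict."""
    return [row for row in cases if validate_share(row[0]) != row[1]]
```

Because the table is data, the same rows can be pushed through every field of the flow in a functional test, which is the point of the “Insert security test data at each point” slide.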

Page 25: Zen and the art of Security Testing

Where do I get these test data?

• Cross-site Scripting (XSS)
  • OWASP Cross Site Scripting Cheat Sheet
  • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  • http://htmlpurifier.org/live/smoketests/xssAttacks.php
• SQL Injection
  • SQLNinja
  • SQLMap
• Kali Linux (many security tools built in)
• HTML, XML, JSON

Page 26: Zen and the art of Security Testing

SECURITY TOOLS FOR WEB TESTING


Page 27: Zen and the art of Security Testing

Two Important Tools

1. Firebug
2. Burp

(don’t forget Selenium)

Page 28: Zen and the art of Security Testing

Firebug

• Add-on for Firefox (http://getfirebug.com/)
• Views the DOM as it really is
• Interactively manipulates the DOM
• Great things to do:
  • Undo disabled="true"
  • Identify XPATH for Selenium

Page 29: Zen and the art of Security Testing

Intercepting Traffic

• Local proxy acts as man-in-the-middle
• HTTPS traffic is decrypted and viewable in plain text in local proxy
• Insert data that you can’t put into a field via the browser
• See hidden fields, cookies, etc.

Even HTTPS traffic can be intercepted:
[Diagram: Tester’s Browser → Tester’s Proxy, both on the Tester’s Machine, → Server; HTTPS Tunnel 1 runs between browser and proxy, HTTPS Tunnel 2 between proxy and server]

Page 30: Zen and the art of Security Testing

Burp Proxy

You can run a local HTTP proxy on your own machine:

• Start local proxy and configure interface and port to listen to
• If necessary, configure upstream proxy server(s)

Page 31: Zen and the art of Security Testing

Security Testing

Monitor, intercept, and rewrite traffic in your local proxy:

Page 32: Zen and the art of Security Testing

Modify Parameters


Page 33: Zen and the art of Security Testing

Bypassing All Client Side Checks

• After inputs are checked
• Before they’re received by the server

Works on Mobile Too

[Diagram: Tester’s Browser → Tester’s Proxy, both on the Tester’s Machine, → Server; rewrite responses?]

Page 34: Zen and the art of Security Testing

Wrapping Up

Page 35: Zen and the art of Security Testing

Everyone who has something to do with SOFTWARE has something to do with SOFTWARE SECURITY

Page 36: Zen and the art of Security Testing

Wrapping Up

• User stories let us describe security behaviour
  • Good Guys
  • Bad Guys
  • Error messages
• Put security test data into standard functional tests
• Get test data ideas from OWASP
• Get free tools and try them
• Use a proxy to intercept and modify HTTP communication

Page 37: Zen and the art of Security Testing


The best time to plant an oak tree was twenty years ago. The next best time is now.
— Ancient Proverb

Paco Hope, CISSP, [email protected], @pacohope