Zen and the art of Security Testing
Transcript of Zen and the art of Security Testing
Zen and the Art of Security Testing
Testing for security issues as a variation on what you already do
About Cigital
• UK and US consulting firm specializing in software security. Global leader in helping organizations build security in.
• Over 20 years of research and successful software security consulting engagements throughout the world.
• Offers consulting, training, mobile application security. Published in books, white papers, and articles.
About Me
• Consultant 13 years
• Software security: code, design, risk
• Financial, gaming, retail
• Source code, architecture, security testing
• (ISC)² European Advisory Council
• CISSP and CSSLP exam item author
• Author: 2 books + 1 chapter
• OWASP Mobile Top Ten contributor
• BS and MS in Computer Science
• Passionate about software testers as an untapped resource in software security
Inspiration
www.eurostarsoftwaretesting.com
The Inspiration
Before one studies Zen, mountains are mountains and waters are waters; after a first glimpse into the truth of Zen, mountains are no longer mountains and waters are no longer waters;
Photo: © 2009 Abi Skipp, via Flickr
The Metaphor
Before one learns security testing, software is software and test cases are test cases; after a first glimpse into security testing, software is no longer software and test cases are no longer test cases;
Functional Testing vs. Security Testing
Testing against the design/requirements is not enough:
• Design specification & requirements
• Actual implementation
• Missing features (found in functional testing)
• Potential security vulnerabilities (not found in functional tests)
Boundary condition analysis (edge and corner cases): security testers must think “outside the box”
Goals
• Finding places in the user journey to do security testing
• Working that into user stories
• Working it into tests
• Modifying existing test cases to cover security
• Use tools for intercepting and modifying web requests
INJECTING SECURITY TESTS INTO USER STORIES
the fundamentals
Agile User Story
As a customer, I want to change my shipping address so that packages will come to my new address
Security User Stories
User Story: As a customer, I want to track the shipment of my order so that I know when it will arrive.
Security Story: As a fraudster, I want to see the details of an order that is not my own so that I can learn another person’s private information.
“Bad Guys” in Security User Stories
Bad Guys
• Competitor
• Misbehaving customer
• Hacker
• Journalist
• Criminal
• Vandal
• Disgruntled employee
Goals
• Learn private information
• Commit a fraudulent transaction
• Damage the company’s brand
• Prevent people from doing their job
• Sell valuable information
“Bad Guy” User Stories
As a criminal, I want to see the details of an order that is not mine so that I can learn private information of another person
Acceptance Criterion
Given that the user is logged in
And the session is valid
And the request is for an order that does not belong to the logged-in user,
When the user requests details
Then display an error message
And ensure the user is no longer logged in
And log an error to the application log.
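The acceptance criterion above can be turned directly into code and a test. The following is an added example, not code from the talk or from Cigital: it assumes an in-memory order table and session store, and the names Session, OrderService and demo are invented for the example. It shows the three "Then" clauses (error message, session ended, error logged) and one extra defensive choice, using the same error message whether the order is someone else's or does not exist, so the response does not reveal which.

```python
"""Added example (not from the slides): the "bad guy" user story's acceptance
criterion as executable code. Session/OrderService/demo are invented names."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("app")


@dataclass
class Session:
    session_id: str
    user_id: str
    valid: bool = True


@dataclass
class OrderService:
    # Constructed sample data: order_id -> {"owner": user_id, "details": ...}
    orders: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # stand-in for the application log

    def order_details(self, session_id: str, order_id: str) -> dict:
        """Given: the user is logged in and the session is valid.
        When: the user requests order details.
        Then: the owner gets the order; anyone else gets an error message,
        their session is ended, and an error is written to the log."""
        session = self.sessions.get(session_id)
        if session is None or not session.valid:
            return {"error": "not logged in"}
        order = self.orders.get(order_id)
        # Deny when the order is missing OR belongs to someone else, with one
        # message for both cases, so the error does not confirm that the
        # order id exists.
        if order is None or order["owner"] != session.user_id:
            session.valid = False            # "ensure the user is no longer logged in"
            msg = "unauthorized order access: user=%s order=%s" % (session.user_id, order_id)
            self.audit.append(msg)           # "log an error to the application log"
            log.error(msg)
            return {"error": "order not found"}   # "display an error message"
        return {"order_id": order_id, "details": order["details"]}


def demo() -> tuple:
    """Runs the story: alice reads her own order, then bob's, then hers again."""
    svc = OrderService(
        orders={"1001": {"owner": "alice", "details": "2 x widget"},
                "1002": {"owner": "bob", "details": "1 x gadget"}},
        sessions={"s-alice": Session("s-alice", "alice")},
    )
    own = svc.order_details("s-alice", "1001")
    other = svc.order_details("s-alice", "1002")   # the criminal's story
    after = svc.order_details("s-alice", "1001")   # session must now be dead
    return own, other, after, svc.audit


if __name__ == "__main__":
    print(demo())
```

The functional test asks "can alice see order 1001?"; the security test asks "can alice make the error message appear for order 1002, and is she logged out afterwards?". Both run against the same service, which is the point of the slides.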
“Good Guys” in Security User Stories
Users
• Fraud Analyst
• Customer Service Rep
• System Operator
• Well-behaved user
• Manager
• Auditor
Goals
• Verify a transaction
• Determine some important information
• Report on error conditions
• Display the status of something
“Good Guy” User Stories
As a security analyst, I want to see a list of sessions with unusual characteristics so that I can identify and terminate bot and fraud sessions
As a registered user, I want to receive a notification when a new device is added to my account so that I know how many devices are attached to my account
Goals of Security User Stories
• Identify an important actor (developers, security people, IT people are usually not important)
• Identify an action or activity with tangible outputs
  • An easy tangible output is an error message
  • Force the business to be engaged by getting them to describe these outputs
• Create test cases that exercise the software that way
  • Can you make the error message appear?
SECURITY TESTING TECHNIQUES
Web Security Testing vs. Network Penetration Testing
Penetration Testing
• Finds services and open ports
• Checks for vulnerable or misconfigured components
• Often targets standard software, COTS
Web Security Testing
• Focuses on what is running over HTTP(S)
• System usually contains custom-built code
• Requires deeper knowledge of business processes and rules
The Idea
Functional Testers Know the Most!
• Test data to exercise this whole flow
• Insert security test data at each point
o SQL injection
o XML
o Cross-site scripting (XSS)
o JSON
o CSV
Old Skool: Boundary Value Testing
Example Scenario
• App allows you to share mobile minutes
• 1000 minutes across 3 lines
• Inputs are non-negative, integer minute values
• Must sum to exactly 1000
• 0 and 1000 are valid
Examples (Line 1 | Line 2 | Line 3 | Total)
250 | 250 | 500 | 1000
0 | 1000 | 0 | 1000
1 | 1 | 998 | 1000
Old Skool: Boundary Value Testing
Boundary Values
• One more, one less, and boundary value
• -1, 0, 1, 999, 1000, 1001
• This is testing 101
A few other interesting ones
• MAXINT
• MININT
Examples (Line 1 | Line 2 | Line 3 | Total)
-1 | 0 | 1 | err
999 | 1000 | 1001 | err
-1 | 0 | 1001 | err
Equivalence Class Partitioning
Sampling from Equivalence Classes
• Negative numbers
• Alphabetic characters
• Character set, encoding variations
  • Unicode UTF-8
  • Unicode UTF-16
  • Unicode ISO-8859-1
• Null / missing / empty
Examples (Line 1 | Line 2 | Line 3 | Total)
ABCD | 500 | 500 | err
完全な失敗 | başarısızlık | لشف | err
(empty) | 1 | 998 | err
Security and Equivalence Class Partitioning
New Equivalence Classes
• SQL Injection
  ' or 1=1; --' and 'A'='A';
• Cross-site scripting
  <script><img src="http://.../"…>
• Other encoding issues
  • URI encoding
  • HTTP encoding
  • Base64 misalignments
  • Etc.
Examples (Line 1 | Line 2 | Line 3 | Total)
' or 1=1'; | ' and a=a; -- | ' group by -- | err
<script> | <body onload=> | <a onmouseover> | err
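The boundary-value slides and the equivalence-class slides (both the classic classes and the new security classes) all exercise the same minute-sharing input, so one added example serves both. It is not code from the talk: the validator validate_minutes, the deliberately weak sum_only_validate, the class table and the sample rows are constructed here, following the values on the slides (with one extra class, encoded representations of 1000, assumed for illustration). The weak validator shows why the third boundary row, -1 / 0 / 1001, is on the slides at all: it sums to exactly 1000, so a check that only tests the total accepts it.

```python
"""Added example (not from the slides): the minute-sharing validator and the
boundary / equivalence-class test rows run against it. All names and sample
values are constructed for this example."""
import re

TOTAL = 1000
LINES = 3
# ASCII digits only. str.isdigit() and int() accept other Unicode digits, so
# a character class is used instead; the length cap rejects MAXINT-sized
# strings before any arithmetic happens.
_DIGITS = re.compile(r"[0-9]{1,6}")


def validate_minutes(values: list) -> tuple:
    """Return (ok, message), accepting only the exact shape the requirement allows."""
    if not isinstance(values, list) or len(values) != LINES:
        return False, "expected exactly %d line values" % LINES
    parsed = []
    for v in values:
        # Rejects None, empty, whitespace, signs, decimals, letters, markup,
        # quotes and non-ASCII digits in one place.
        if not isinstance(v, str) or not _DIGITS.fullmatch(v):
            return False, "each line must be a non-negative whole number"
        parsed.append(int(v))
    if sum(parsed) != TOTAL:
        return False, "minutes must sum to exactly %d" % TOTAL
    return True, "ok"


def sum_only_validate(values: list) -> bool:
    """A tempting but wrong check: parse with int() and test only the total.
    Accepts -1 / 0 / 1001 (sums to 1000) and int() also swallows Unicode
    digits, surrounding whitespace and a leading '+'."""
    try:
        return sum(int(v) for v in values) == TOTAL
    except (TypeError, ValueError):
        return False


# Test data, following the slides.
BOUNDARY_ROWS = [["-1", "0", "1"], ["999", "1000", "1001"], ["-1", "0", "1001"]]
OTHER_INTERESTING = [str(2 ** 31 - 1), str(-2 ** 31)]   # MAXINT / MININT, assuming 32-bit
EQUIVALENCE_CLASSES = {
    "negative": ["-1", "-500"],
    "alphabetic": ["ABCD", "abc"],
    "unicode": ["完全な失敗", "başarısızlık", "لشف"],
    "null_or_empty": [None, "", " "],
    "sql_injection": ["' or 1=1; --", "' and 'A'='A", "' group by --"],
    "xss": ["<script>", "<body onload=>", "<a onmouseover>"],
    # Assumed extra class: three encodings of 1000 (URL-encoded, base64, Arabic-Indic digits).
    "encoding": ["%31%30%30%30", "MTAwMA==", "١٠٠٠"],
}


def valid_rows() -> list:
    return [["250", "250", "500"], ["0", "1000", "0"], ["1", "1", "998"]]


def invalid_rows() -> list:
    """Every row that must be rejected: the boundary rows, MAXINT/MININT, and
    one row per equivalence-class sample with the bad value in line 1."""
    rows = list(BOUNDARY_ROWS)
    rows += [[v, "500", "500"] for v in OTHER_INTERESTING]
    for samples in EQUIVALENCE_CLASSES.values():
        rows += [[v, "500", "500"] for v in samples]
    return rows


def run_all() -> dict:
    """Count good rows accepted and list bad rows each validator lets through."""
    return {
        "accepted": sum(1 for r in valid_rows() if validate_minutes(r)[0]),
        "wrongly_accepted": [r for r in invalid_rows() if validate_minutes(r)[0]],
        "weak_wrongly_accepted": [r for r in invalid_rows() if sum_only_validate(r)],
    }


if __name__ == "__main__":
    print(run_all())
```

Each dictionary key is one equivalence class, so a tester adds a new class (a new encoding, a new injection family from the OWASP cheat sheets) by adding one list entry rather than a new test. The XSS strings never reach a page here because they are rejected at the type check; if the application echoes rejected input in its error message, that is the next place to look.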
Where do I get these test data?
• Cross-site Scripting (XSS)
  • OWASP Cross Site Scripting Cheat Sheet
  • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  • http://htmlpurifier.org/live/smoketests/xssAttacks.php
• SQL Injection
  • SQLNinja
  • SQLMap
• Kali Linux (many security tools built in)
• HTML, XML, JSON
SECURITY TOOLS FOR WEB TESTING
Two Important Tools
1. Firebug
2. Burp
(don’t forget Selenium)
Firebug
• Add-on for Firefox (http://getfirebug.com/)
• Views the DOM as it really is
• Interactively manipulates the DOM
• Great things to do:
  • Undo disabled="true"
  • Identify XPATH for Selenium
Intercepting Traffic
• Local proxy acts as man-in-the-middle
• HTTPS traffic is decrypted and viewable in plain text in local proxy
• Insert data that you can’t put into a field via the browser
• See hidden fields, cookies, etc.
Even HTTPS traffic can be intercepted:
(diagram: Tester’s Machine containing Tester’s Browser and Tester’s Proxy; Server; HTTPS Tunnel 1; HTTPS Tunnel 2)
Burp Proxy
You can run a local HTTP proxy on your own machine:
• Start local proxy and configure interface and port to listen to
• If necessary, configure upstream proxy server(s)
Security Testing
Monitor, intercept, and rewrite traffic in your local proxy:
• Modify Parameters
Bypassing All Client Side Checks
• After inputs are checked
• Before they’re received by the server
Works on Mobile Too
(diagram: Tester’s Machine containing Tester’s Browser and Tester’s Proxy; Server; “Rewrite responses?”)
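The proxy slides and the "Bypassing All Client Side Checks" slide together make one point: anything the browser enforces (a disabled field, a JavaScript range check, a hidden input) can be changed after the browser has finished with it, so the server has to check again. The following added example, which is not Burp's, Firebug's or the talk's own code, models the "Modify Parameters" step on a constructed HTTP request and then runs the result through two server-side handlers, one that trusts what the client sent and one that re-validates. The request, the catalogue and the handler names are all assumptions of the example.

```python
"""Added example (not from the slides): a form parameter rewritten as an
intercepting proxy would, and the server-side check that must hold anyway.
Request, catalogue and handlers are constructed for this example."""
from urllib.parse import parse_qsl, urlencode

# Constructed request as the browser sends it. Client-side JavaScript limits
# qty to 1..5 and price comes from a hidden input, so the browser itself
# could never send anything else.
RAW_REQUEST = (
    "POST /cart/add HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "sku=WIDGET-1&qty=2&price=19.99"
)

CATALOGUE = {"WIDGET-1": 19.99}   # constructed price list; the server's source of truth


def rewrite_body_param(raw: str, name: str, value: str) -> str:
    """Model of the proxy's 'Modify Parameters' step: change one form field in
    the body of an intercepted request and leave the headers untouched."""
    head, _, body = raw.partition("\r\n\r\n")
    params = dict(parse_qsl(body, keep_blank_values=True))
    params[name] = value
    return head + "\r\n\r\n" + urlencode(params)


def parse_form(raw: str) -> dict:
    return dict(parse_qsl(raw.partition("\r\n\r\n")[2], keep_blank_values=True))


def trusting_handler(raw: str) -> dict:
    """Relies on the client-side checks: uses qty and price exactly as sent."""
    form = parse_form(raw)
    qty = int(form["qty"])
    return {"sku": form["sku"], "qty": qty, "total": round(float(form["price"]) * qty, 2)}


def validating_handler(raw: str) -> dict:
    """Re-checks everything on the server; the hidden price field is ignored."""
    form = parse_form(raw)
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return {"error": "unknown sku"}
    qty_str = form.get("qty", "")
    # isascii() first: isdigit() alone also accepts non-ASCII digits.
    if not qty_str.isascii() or not qty_str.isdigit() or not 1 <= int(qty_str) <= 5:
        return {"error": "qty must be a whole number from 1 to 5"}
    qty = int(qty_str)
    return {"sku": sku, "qty": qty, "total": round(CATALOGUE[sku] * qty, 2)}


def demo() -> dict:
    """The test case: rewrite qty and price in flight, then see what each handler does."""
    tampered = rewrite_body_param(RAW_REQUEST, "qty", "500")
    tampered = rewrite_body_param(tampered, "price", "0.01")
    return {
        "trusting": trusting_handler(tampered),
        "validating": validating_handler(tampered),
        "validating_clean": validating_handler(RAW_REQUEST),
    }


if __name__ == "__main__":
    print(demo())
```

The same rewrite is what a tester does by hand in the proxy; writing it as a function means the functional test suite can replay it on every build, which is the "work it into tests" goal from the start of the talk.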
Wrapping Up
Everyone who has something to do with SOFTWARE has something to do with SOFTWARE SECURITY
Wrapping Up
• User stories let us describe security behaviour
• Good Guys
• Bad Guys
• Error messages
• Put security test data into standard functional tests
• Get test data ideas from OWASP
• Get free tools and try them
• Use a proxy to intercept and modify HTTP communication
The best time to plant an oak tree was twenty years ago.
The next best time is now.—Ancient Proverb
Paco Hope, CISSP, [email protected]: @pacohope