Transcript
Page 1: Ankita- Hacker Proof your app using Functional Tests

www.unicomlearning.com

Next Gen Testing Summit-2014, 13th Nov, 2014 - Delhi

Hacker Proof Your App using Functional Tests

Ankita Gupta

Software Engineer, Quality

LinkedIn

www.nextgentesting.org

Page 2: Ankita- Hacker Proof your app using Functional Tests

UNICOM Presents

Next Gen Testing Summit-2014 www.nextgentesting.org

Importance of Web app Security

Page 3

Importance of Web app Security

• A web application breach can lead to:
– Theft of data
– Malware infection
– Loss of consumer confidence
– Failure to meet regulatory requirements
– Eventual loss of hundreds of thousands, even millions of dollars

• According to studies, 8 out of 10 sites are vulnerable.

Page 4

Types of Attack

• SQL Injection
• Cross Site Scripting
• Denial of Service
• Code Execution
• Cross Site Request Forgery
• And many more …


Page 7

Find Security Bugs

• Security experts
– Expensive
– Time consuming

Page 8

Find Security Bugs

Automated Scanning using Web Security Scanners

Scanner:
• A program which interacts with the web application like a user.

• It performs black box testing.

• It finds misconfigurations and code-level vulnerabilities.
– Cheap
– Runs 24x7

Page 9

How Scanner Works

• Crawls the site and finds injection points (URL parameters, form fields, cookies, headers).

• Tests each point for security problems by injecting different payloads.

• Payloads are not random text; they are predefined values known to trigger specific security problems.

• For each security problem there is a corresponding set of payloads.

Page 10

How Scanner Works

• Each scanner has its own algorithm: which payloads it sends and how it analyses the responses.

• Passive approach: the scanner only inspects the requests and responses passing through it, injecting nothing, and tries to identify security problems from them (for example missing security headers or cookies without the HttpOnly/Secure flags).
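The crawl / inject / analyse loop of the previous slide and the passive checks of this one, as an added illustration in Python. This is not IronWASP's code and not the author's library: the target is a constructed, deliberately vulnerable in-process handler so the script runs offline, the payload strings and SQL error signatures are small illustrative samples of what a real scanner's much larger catalogue contains, and the list of observed requests stands in for the URLs a crawler (or, as proposed later in this deck, a functional test run) would feed the scanner.

```python
"""Minimal active + passive scanner core (added illustration, not IronWASP code).

Pipeline: observed requests -> injection points (query parameters) ->
one payload set per vulnerability class -> response analysis.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed stand-in for the web application behind the proxy. It is
# deliberately vulnerable: /search reflects its parameter unescaped (XSS) and
# /item breaks when the id contains a quote (error-based SQL injection).
def toy_app(url):
    parsed = urlparse(url)
    query = dict(parse_qsl(parsed.query, keep_blank_values=True))
    headers = {"Content-Type": "text/html",
               "Set-Cookie": "session=abc123; Path=/"}   # no HttpOnly, no Secure
    if parsed.path == "/search":
        body = "<h1>Results for %s</h1>" % query.get("q", "")
    elif parsed.path == "/item":
        item_id = query.get("id", "")
        if "'" in item_id:
            return {"status": 500, "headers": headers,
                    "body": "You have an error in your SQL syntax; check the manual"}
        body = "<p>item %s</p>" % html.escape(item_id)   # escaped: not XSS-able
    else:
        body = "<p>hello</p>"
    return {"status": 200, "headers": headers, "body": body}

# Payloads are not random text: each class has inputs chosen to provoke a
# recognisable reaction. A real scanner ships hundreds per class.
PAYLOADS = {
    "sqli": ["'", "1' OR '1'='1"],
    "xss": ["<scanner>xss</scanner>", '"><svg/onload=1>'],
}
# Illustrative database error signatures used to recognise a SQL injection hit.
SQL_ERROR_SIGNATURES = (
    "you have an error in your sql syntax",
    "unclosed quotation mark",
    "pg_query()",
    "sqlite3.operationalerror",
)

def injection_points(url):
    """Every query-string parameter of a request is an injection point."""
    return [name for name, _ in parse_qsl(urlparse(url).query, keep_blank_values=True)]

def inject(url, param, payload):
    """Rebuild the URL with one parameter replaced by the payload."""
    parsed = urlparse(url)
    params = [(k, payload if k == param else v)
              for k, v in parse_qsl(parsed.query, keep_blank_values=True)]
    return urlunparse(parsed._replace(query=urlencode(params)))

def active_checks(url, fetch):
    """Inject each payload into each point and look for the class's tell-tale."""
    findings = []
    for param in injection_points(url):
        for payload in PAYLOADS["sqli"]:
            body = fetch(inject(url, param, payload))["body"].lower()
            if any(sig in body for sig in SQL_ERROR_SIGNATURES):
                findings.append(("sqli", url, param))
                break
        for payload in PAYLOADS["xss"]:
            if payload in fetch(inject(url, param, payload))["body"]:
                findings.append(("xss", url, param))   # reflected verbatim, unescaped
                break
    return findings

def passive_checks(url, response):
    """Passive approach: judge the request/response pair, inject nothing."""
    findings = []
    cookie = response["headers"].get("Set-Cookie", "").lower()
    if cookie and "httponly" not in cookie:
        findings.append(("cookie-without-httponly", url, ""))
    if cookie and "secure" not in cookie:
        findings.append(("cookie-without-secure", url, ""))
    if "X-Frame-Options" not in response["headers"]:
        findings.append(("missing-x-frame-options", url, ""))
    return findings

def scan(observed_requests, fetch=toy_app):
    """Run passive and active checks over every observed request."""
    findings = []
    for url in observed_requests:
        findings += passive_checks(url, fetch(url))
        findings += active_checks(url, fetch)
    return list(dict.fromkeys(findings))   # de-duplicate, keep order

# Constructed sample: the requests a crawler (or a functional test run) produced.
OBSERVED_REQUESTS = [
    "http://app.example/search?q=shoes",
    "http://app.example/item?id=42",
    "http://app.example/about",
]

if __name__ == "__main__":
    for kind, url, param in scan(OBSERVED_REQUESTS):
        print("%-26s %s %s" % (kind, url, param))
```

Against the toy target this reports the SQL injection on `/item` (`id`), the reflected XSS on `/search` (`q`) but not on `/item` where the value is escaped, and three passive findings per page. The real work of a scanner lies in the size and quality of the payload catalogue and in the analysis heuristics; the pipeline itself is this simple.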

Page 11

Challenges of Automated Scanning

Page 12

Challenges of Automated Scanning

Page 13

HOW?..??

Page 14

Solutions:

• Manually provide all possible inputs to the scanner.
– Time consuming
– Inefficient

Page 15

Better Approach

• Use automated functional test cases.

• Enterprises use frameworks like Selenium to automate functional testing.

How about we integrate the functional test cases with an automated scanner?

Page 16

Combine Selenium with IronWASP

Page 17

IronWASP

• IronWASP is an open source web security scanner.

• It is one of the best scanners available.

• Checks for more than 25 vulnerability classes.

• It does better than commercial scanners on some parameters.

Page 18

IronWASP is better than other scanners

Page 19

Benefits

• The scanner now receives valid inputs for every flow the functional tests exercise.

• It follows the correct flow through the web pages (login, multi-step forms) instead of guessing it while crawling.

• Time/cost effective.

Page 20

Demo IronWasp

Page 21

A Simple Functional Test

import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;

public void test() throws InterruptedException {
    WebDriver driver = new FirefoxDriver();
    driver.get("http://abc.com");       // WebDriver needs the scheme; a bare host name is rejected
    System.out.println(driver.getTitle());
    driver.quit();
}

Page 22

Setup IronWasp Library

• Add Library to Build Path.

• Add IronWaspConfig.xml to <MainFolder>/resources/

AND WE ARE GOOD TO GO!!

Page 23

Routing Traffic to IronWasp

import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;

public static WebDriver createDriver() {
    FirefoxProfile profile = new FirefoxProfile();
    profile.setPreference("network.proxy.type", 1);                        // 1 = manual proxy configuration
    profile.setPreference("network.proxy.http", IronWasp.ipAddress);       // String host of the IronWASP proxy
    profile.setPreference("network.proxy.http_port", IronWasp.portNumber); // must be an int, not a String
    profile.setPreference("network.proxy.ssl", IronWasp.ipAddress);
    profile.setPreference("network.proxy.ssl_port", IronWasp.portNumber);
    profile.setPreference("network.proxy.no_proxies_on", "");              // empty: do not bypass the proxy for localhost either
    return new FirefoxDriver(profile);
}

Two things to check when this is wired up: Firefox bypasses the proxy for localhost by default, so the empty `network.proxy.no_proxies_on` is what makes a test environment on the same machine visible to the scanner; and because HTTPS is proxied as well, the Firefox profile must trust the scanner's CA certificate, otherwise every TLS page fails with a certificate error and the scanner sees nothing.

Page 24

An IronWasp Integrated Test Case

public void test() throws InterruptedException {
    IronWasp.workflowStart();                         // tell the scanner a new test-case workflow begins
    WebDriver driver = FirefoxBrowser.createDriver(); // browser whose traffic is routed through IronWASP
    try {
        driver.get("http://abc.com");
        System.out.println(driver.getTitle());
    } finally {
        IronWasp.workflowEnd();                       // close the workflow even if the test fails
        driver.quit();
    }
}

Page 25

Demo TestNG/Junit

• Create a wrapper for creating browsers (the proxied driver from the previous slide).

• Create a base class which calls the IronWasp library at the start and end of every test case (in @BeforeMethod/@AfterMethod for TestNG, @Before/@After for JUnit).

• All test cases should inherit the base class.

Page 26

Advantages

• No special security auditing needed.

• Easily understandable reports.

• Security issues can be fixed early in the SDLC.

• Can prevent major late design/architectural changes.

• Fewer payouts to bug bounty hunters for issues the pipeline could have caught.

Page 27

Limitations

Areas of improvement
• Speed and effectiveness:
– The current system replays each test case repeatedly, which is very time consuming.
– The current system does not work properly for JavaScript-heavy websites.
• Coverage:
– The current system does not test for client-side vulnerabilities.
– The current system does not discover features that are not covered by the test cases.
• Reporting:
– The current system only generates a report; there is no integration with bug tracking software.

Page 28

Limitations

Areas of improvement
• Management:
– The current system needs to be started every time a test suite needs to be run.
– Bug fix verification can only be done by manually comparing the reports.
– It cannot handle parallel functional testing traffic from multiple users.
• Configuration:
– Configuring proxy settings in the web driver.
– Sending API calls at the start and end of each test case.
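The "manual comparison of reports" and "no bug-tracker integration" gaps listed on these two slides are the kind a small script closes. As an added example, not part of the deck and not IronWASP code: a report differ that keys each finding on (type, URL path, parameter name), so that query values changing between test runs do not make the same bug look new, plus a CI gate that fails the build only on new findings at or above a severity threshold. The JSON layout and the finding names are constructed stand-ins; IronWASP's own report format is not reproduced here, and a real exporter would map it into this shape.

```python
"""Scan-report diff for bug-fix verification (added example, not IronWASP code)."""
import json
from urllib.parse import urlparse

# Constructed reports in an assumed JSON layout: "before" is the baseline
# run, "after" is the run after the SQL injection fix was deployed.
BEFORE_JSON = """[
 {"type": "SQL Injection", "url": "http://app.example/item?id=42",
  "parameter": "id", "severity": "High"},
 {"type": "Cross-site Scripting", "url": "http://app.example/search?q=shoes",
  "parameter": "q", "severity": "High"},
 {"type": "Cookie without HttpOnly flag", "url": "http://app.example/login",
  "parameter": null, "severity": "Low"}
]"""
AFTER_JSON = """[
 {"type": "Cross-site Scripting", "url": "http://app.example/search?q=boots",
  "parameter": "q", "severity": "High"},
 {"type": "Cookie without HttpOnly flag", "url": "http://app.example/login",
  "parameter": null, "severity": "Low"},
 {"type": "Open Redirect", "url": "http://app.example/go?next=http://evil.example",
  "parameter": "next", "severity": "Medium"}
]"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

def finding_key(finding):
    """Identity of a finding across runs: type + URL path + parameter name.
    Query values (q=shoes vs q=boots) differ between test runs and are ignored."""
    return (finding["type"], urlparse(finding["url"]).path, finding.get("parameter") or "")

def load_report(report_json):
    """Index a report by finding key so lookups between runs are O(1)."""
    return {finding_key(f): f for f in json.loads(report_json)}

def diff_reports(before_json, after_json):
    """Split findings into fixed (gone), new (appeared) and open (still there)."""
    before, after = load_report(before_json), load_report(after_json)
    return {
        "fixed": sorted(k for k in before if k not in after),
        "new":   sorted(k for k in after if k not in before),
        "open":  sorted(k for k in before if k in after),
    }

def should_fail_build(before_json, after_json, threshold="Medium"):
    """CI gate: fail only on *new* findings at or above the threshold, so
    known, already-ticketed issues do not block every run."""
    after = load_report(after_json)
    new_keys = diff_reports(before_json, after_json)["new"]
    return any(SEVERITY_RANK[after[k]["severity"]] >= SEVERITY_RANK[threshold]
               for k in new_keys)

if __name__ == "__main__":
    for bucket, keys in diff_reports(BEFORE_JSON, AFTER_JSON).items():
        print(bucket, keys)
    print("fail build:", should_fail_build(BEFORE_JSON, AFTER_JSON))
```

Each bucket maps to an action: "fixed" closes the ticket, "new" opens one (or fails the build), "open" is left alone. Keying on the URL path rather than the full URL is the part most people get wrong; without it the XSS on `/search` above would appear as fixed and re-found on every run.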

Page 29

Issue Types

• Scanners are unable to find flaws in business logic.

• More complex attacks are still found by people.

Page 30

References

• IronWASP: http://ironwasp.net / http://ironwasp.org

• GitHub: http://github.com/Ankitagupta2309/IronWasp

• Special thanks to Lavakumar Kuppan, author of IronWASP

• Email : [email protected]

• Twitter : @_ankitag_