Post on 27-Jul-2015
www.unicomlearning.com
Next Gen Testing Summit-2014, 13th Nov, 2014 - Delhi
Hacker Proof Your App using Functional Tests
Ankita Gupta
Software Engineer, Quality
www.nextgentesting.org
UNICOM Presents
Next Gen Testing Summit-2014 www.nextgentesting.org
Importance of Web app Security
• A web application breach can lead to:
– Theft of data
– Malware infection
– Loss of consumer confidence
– Failure to meet regulatory requirements
– Eventual loss of hundreds of thousands, even millions of dollars.
• According to studies, 8 out of 10 sites are vulnerable.
Types of Attack
• SQL Injection
• Cross Site Scripting
• Denial of Service
• Code Execution
• Cross Site Request Forgery
And many more …
Find Security Bugs
Security Experts
– Expensive
– Time consuming
Find Security Bugs
Automated Scanning using Web Security Scanners
Scanner:
• A program which interacts with the web application like a user.
• It performs black box testing.
• It finds misconfigurations and code-level vulnerabilities.
– Cheap
– Runs 24*7
How Scanner Works
• Crawls the site and finds injection points.
• Tests each point for security problems by injecting different payloads.
• Payloads are not random text; they are predefined values for known security problems.
• For each security problem there is a corresponding input.
How Scanner Works
• Each scanner has its own algorithm – which payloads it sends, how it analyses the result.
• Passive approach – it looks at the request and response and tries to identify security problems without sending payloads.
Challenges of Automated Scanning
HOW?..??
Solutions:
• Manually provide all possible inputs to the scanner.
– Time consuming
– Inefficient
Better Approach
• Use functional test case automation.
• Enterprises use frameworks like Selenium to automate functional testing.
How about we integrate Functional test cases and an Automated Scanner?
Combine Selenium with IronWASP
IronWASP
• IronWASP is an open source web security scanner.
• It is one of the best scanners.
• Checks for more than 25 vulnerabilities.
• It stands better than commercial scanners on some parameters.
IronWASP is better than other scanners
Benefits
• The automated scanner now has valid inputs for all possible cases.
• Follows the correct flow on the web page.
• Time/cost effective.
Demo IronWasp
A Simple Functional Test
public void test() throws InterruptedException {
    WebDriver driver = new FirefoxDriver();
    // "abc.com" is the placeholder site used on the slides; WebDriver.get needs a full URL
    driver.get("http://abc.com");
    System.out.println(driver.getTitle());
    driver.quit();
}
Setup IronWasp Library
• Add the library to the build path.
• Add IronWaspConfig.xml to <MainFolder>/resources/
AND WE ARE GOOD TO GO!!
Routing Traffic to IronWasp
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;

// Wrapper used by the test cases; IronWasp.ipAddress / IronWasp.portNumber
// come from the IronWasp library added to the build path.
public class FirefoxBrowser {
    public static WebDriver createDriver() {
        FirefoxProfile profile = new FirefoxProfile();
        // network.proxy.type 1 = manual proxy configuration
        profile.setPreference("network.proxy.type", 1);
        profile.setPreference("network.proxy.http", IronWasp.ipAddress);
        profile.setPreference("network.proxy.http_port", IronWasp.portNumber);
        profile.setPreference("network.proxy.ssl", IronWasp.ipAddress);
        profile.setPreference("network.proxy.ssl_port", IronWasp.portNumber);
        // Empty exclusion list: every host, including localhost, goes through IronWASP
        profile.setPreference("network.proxy.no_proxies_on", "");
        return new FirefoxDriver(profile);
    }
}
An IronWasp Integrated Test Case
public void test() throws InterruptedException {
    IronWasp.workflowStart();                          // mark the start of this test case's workflow
    WebDriver driver = FirefoxBrowser.createDriver();  // browser proxied through IronWASP
    driver.get("http://abc.com");
    System.out.println(driver.getTitle());
    IronWasp.workflowEnd();                            // mark the end of the workflow
    driver.quit();
}
Demo TestNG/Junit
• Create a wrapper for creating browsers.
• Create a base class which calls the IronWasp library at the start and end of every test case.
• All test cases should inherit the base class.
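The three steps above written out as a JUnit 4 base class plus one inheriting test, as an added example (not code from the slides or from the IronWasp project). It assumes the FirefoxBrowser wrapper and the IronWasp helper class from the earlier slides are on the build path in the same package; the class names IronWaspBaseTest and HomePageTest are made up here.

```java
// File IronWaspBaseTest.java (hypothetical name)
import org.junit.After;
import org.junit.Before;
import org.openqa.selenium.WebDriver;

// Every test that inherits this class is automatically bracketed by the
// IronWASP workflow calls, so individual test authors cannot forget them.
// TestNG users would use @BeforeMethod / @AfterMethod instead.
public abstract class IronWaspBaseTest {
    protected WebDriver driver;

    @Before
    public void startWorkflow() {
        // Start the workflow before any traffic is generated, then create the
        // browser whose proxy settings point at IronWASP (wrapper from the slides).
        IronWasp.workflowStart();
        driver = FirefoxBrowser.createDriver();
    }

    @After
    public void endWorkflow() {
        // Close the workflow first so the last request is part of it, and quit
        // the browser even if workflowEnd() or the test body threw.
        try {
            IronWasp.workflowEnd();
        } finally {
            if (driver != null) {
                driver.quit();
            }
        }
    }
}

// File HomePageTest.java (hypothetical name): contains only functional steps;
// the scanner integration is inherited. "abc.com" is the slides' placeholder site.
public class HomePageTest extends IronWaspBaseTest {
    @org.junit.Test
    public void titleIsShown() {
        driver.get("http://abc.com");
        org.junit.Assert.assertFalse(driver.getTitle().isEmpty());
    }
}
```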
Advantages
• No special security auditing needed.
• Easily understandable reports.
• Can fix security issues early in the SDLC.
• Can prevent major design/architectural changes.
• No more ransom to bug bounty hunters.
Limitations
Area of improvements
• Speed and Effectiveness:
– Current system replays each test case repeatedly. Very time consuming.
– Current system does not work properly for JavaScript-heavy websites.
• Coverage:
– Current system does not test for client-side vulnerabilities.
– Current system does not discover features that are not covered by the test case.
• Reporting:
– Current system only generates a report; no integration with bug tracking software.
Limitations
Area of improvements
• Management:
– Current system needs to be started every time a test suite needs to be run.
– Bug fix verification can only be done by manually comparing the reports.
– Cannot handle parallel functional testing traffic from multiple users.
• Configuration wise:
– Configuring proxy settings in the web driver.
– Sending API calls at the start and end of each test case.
Issue Types
• Scanners are unable to find flaws in business logic.
• More complicated attacks are found by people.
References
• IronWasp : http://ironwasp.net / http://ironwasp.org
• Github : http://github.com/Ankitagupta2309/IronWasp
• Special thanks to Lavakumar Kuppan, author of IronWasp
• Email : ankitag@linkedin.com
• Twitter : @_ankitag_