HACKER-PROOF WEB APP USING FUNCTIONAL TESTS Ankita Gupta Anamika Singh

Upload: ankita-gupta

Post on 14-Jun-2015


DESCRIPTION

Learn how to hacker-proof a web app using functional tests. Presented at SeleniumConf 2014.

TRANSCRIPT

Page 1:

HACKER-PROOF WEB APP USING FUNCTIONAL TESTS

Ankita Gupta

Anamika Singh

Page 2:

Presenters

Ankita Gupta, Software Engineer, QA @ LinkedIn

@_ankitag_

Page 3:

Presenters

Anamika Singh, Product Analyst @ IronWASP Information Security Services

Author of WiHawk – Router Vulnerability Scanner

@_Anamikas_

Page 4:

Importance of Web App Security

Page 5:

Importance of Web App Security

• A web application breach can lead to:

  • Theft of data

  • Malware infection

  • Loss of consumer confidence

  • Failure to meet regulatory requirements

  • Eventual loss of hundreds of thousands, even millions of dollars

• According to studies, 8 out of 10 sites are vulnerable.

Page 6:

Types of Attack

• SQL Injection

• Cross-Site Scripting

• Denial of Service

• Code Execution

• Cross-Site Request Forgery

And many more …

Page 7:

Page 8:

Page 9:

Find Security Bugs

Security experts:

• Expensive

• Time consuming

Page 10:

Find Security Bugs

Automated Scanning using Web Security Scanners

Scanner:

• A program that interacts with the web application like a user.

• It performs black-box testing.

• It finds misconfigurations and code-level vulnerabilities.

• Cheap

• Runs 24x7

Page 11:

How a Scanner Works

• Crawls the site and finds injection points.

• Tests each point for security problems by injecting different payloads.

• Payloads are not random text; they are predefined values known to trigger specific security problems.

• For each security problem there is a corresponding set of inputs.

Page 12:

How a Scanner Works

• Each scanner has its own algorithm: which payloads to send, and how to analyse the responses.

• Passive approach: the scanner looks at the requests and responses passing through it and tries to identify security problems without sending anything extra.
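To make the passive approach concrete, here is an added example (not code from the slides or from the IronWASP project) of the kind of check a passive analysis runs over a captured request/response pair: it sends nothing itself, it only inspects traffic already recorded. The `Exchange` class and the three checks are my own simplification; the sample traffic in `main` is constructed, not a real capture.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class PassiveChecks {
    // One captured exchange: request query parameters, response headers, response body.
    // (Hypothetical structure for this example; a real proxy keeps much more.)
    static class Exchange {
        final Map<String, String> params;
        final Map<String, String> responseHeaders;
        final String body;

        Exchange(Map<String, String> params, Map<String, String> responseHeaders, String body) {
            this.params = params;
            this.responseHeaders = responseHeaders;
            this.body = body;
        }
    }

    // Returns a list of findings; an empty list means none of these passive checks fired.
    public static List<String> analyze(Exchange ex) {
        List<String> findings = new ArrayList<>();

        // 1. Defensive response headers that are expected to be present.
        for (String h : new String[] {"X-Frame-Options", "Content-Security-Policy", "X-Content-Type-Options"}) {
            if (!ex.responseHeaders.containsKey(h)) {
                findings.add("missing header: " + h);
            }
        }

        // 2. A cookie set without the HttpOnly / Secure attributes.
        String setCookie = ex.responseHeaders.get("Set-Cookie");
        if (setCookie != null) {
            String lower = setCookie.toLowerCase();
            if (!lower.contains("httponly")) findings.add("cookie without HttpOnly: " + setCookie);
            if (!lower.contains("secure"))   findings.add("cookie without Secure: " + setCookie);
        }

        // 3. A request parameter value echoed verbatim in the response body. This is only a
        //    reflection point, not a confirmed bug, but it is exactly the kind of injection
        //    point the crawler on the previous slide would queue for a closer look.
        for (Map.Entry<String, String> p : ex.params.entrySet()) {
            String value = p.getValue();
            if (value.length() >= 4 && ex.body.contains(value)) {
                findings.add("parameter '" + p.getKey() + "' reflected in response body");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample traffic for the demo; not captured from any real site.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", "selenium");

        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", "text/html");
        headers.put("Set-Cookie", "JSESSIONID=abc123; Path=/");

        String body = "<html><body>Results for selenium</body></html>";

        for (String finding : analyze(new Exchange(params, headers, body))) {
            System.out.println(finding);
        }
    }
}
```

On the constructed sample this reports the three missing headers, the cookie lacking both HttpOnly and Secure, and the reflected `q` parameter. Header names are matched case-sensitively here for brevity; a real analyser normalises them first.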

Page 13:

Challenges of Automated Scanning

Page 14:

Challenges of Automated Scanning

Page 15:

Challenges of Automated Scanning

• Automated login

• Infinite web site

• Multi-page sequence

Page 16:

HOW?

Page 17:

Solutions:

• Manually provide all possible inputs to the scanner.

  • Time consuming

  • Inefficient

Page 18:

Better Approach

• Use functional test case automation.

• Enterprises use frameworks like Selenium to automate functional testing.

How about we integrate Selenium test cases with an automated scanner?

Page 19:

Combine Selenium with IronWASP

Page 20:

IronWASP

• IronWASP is an open source web security scanner.

• It is one of the best scanners available.

• Checks for more than 25 vulnerabilities.

• It outperforms commercial scanners on some parameters.

Page 21:

IronWASP is better than other scanners

Page 22:

Benefits

• The automated scanner now has valid inputs for all possible cases.

• It follows the correct flow through the web pages.

• Time/cost effective.

Page 23:

Demo: IronWASP

Page 24:

A Simple Functional Test

import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;

public void test() throws InterruptedException {
    WebDriver driver = new FirefoxDriver();   // launch a plain Firefox; nothing is proxied yet
    driver.get("http://abc.com");             // "abc.com" is the slide's placeholder URL
    System.out.println(driver.getTitle());
    driver.quit();
}

Page 25:

Setup IronWASP Library

• Add the library to the build path.

• Add IronWaspConfig.xml to <MainFolder>/resources/

• AND WE ARE GOOD TO GO!!

Page 26:

Routing Traffic to IronWASP

import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;

public static WebDriver createDriver() {
    FirefoxProfile profile = new FirefoxProfile();
    profile.setPreference("network.proxy.type", 1);                    // 1 = manual proxy configuration
    profile.setPreference("network.proxy.http", IronWasp.ipAddress);   // plain HTTP goes through the IronWASP proxy
    profile.setPreference("network.proxy.http_port", IronWasp.portNumber);
    profile.setPreference("network.proxy.ssl", IronWasp.ipAddress);    // HTTPS goes through it too
    profile.setPreference("network.proxy.ssl_port", IronWasp.portNumber);
    profile.setPreference("network.proxy.no_proxies_on", "");          // empty exception list: even localhost is proxied
    return new FirefoxDriver(profile);                                 // (the slide had "return driver = ...", assigning to an undeclared variable)
}

Page 27:

An IronWASP Integrated Test Case

public void test() throws InterruptedException {
    IronWasp.workflowStart();                         // tell IronWASP that a test workflow begins
    WebDriver driver = FirefoxBrowser.createDriver(); // proxied browser from the wrapper on the previous slide
    driver.get("http://abc.com");
    System.out.println(driver.getTitle());
    IronWasp.workflowEnd();                           // workflow done; IronWASP can now scan the recorded requests
    driver.quit();
}

Page 28:

Demo: TestNG/JUnit

• Create a wrapper for creating browsers.

• Create a base class which calls the IronWASP library at the start and end of every test case.

• All test cases should inherit the base class.
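The three steps above, carried through as one added example (my own code, not the slides' demo and not part of the IronWASP project). It assumes the IronWasp library exposes exactly the static members the slides use (`IronWasp.ipAddress`, `IronWasp.portNumber`, `IronWasp.workflowStart()`, `IronWasp.workflowEnd()`), uses TestNG's `@BeforeMethod`/`@AfterMethod` hooks, and treats `abc.com` as the slides' placeholder URL. The class names `FirefoxBrowser`, `IronWaspBaseTest` and `LoginPageTest` are my choices.

```java
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

// Step 1: a wrapper that only ever hands out browsers already pointed at the IronWASP proxy,
// so no test can accidentally bypass the scanner.
class FirefoxBrowser {
    public static WebDriver createDriver() {
        FirefoxProfile profile = new FirefoxProfile();
        profile.setPreference("network.proxy.type", 1);                 // manual proxy configuration
        profile.setPreference("network.proxy.http", IronWasp.ipAddress);
        profile.setPreference("network.proxy.http_port", IronWasp.portNumber);
        profile.setPreference("network.proxy.ssl", IronWasp.ipAddress);
        profile.setPreference("network.proxy.ssl_port", IronWasp.portNumber);
        profile.setPreference("network.proxy.no_proxies_on", "");       // proxy localhost as well
        return new FirefoxDriver(profile);
    }
}

// Step 2: a base class that brackets every test method with the workflow calls,
// so individual tests never repeat them (and never forget them).
public abstract class IronWaspBaseTest {
    protected WebDriver driver;

    @BeforeMethod
    public void startWorkflow() {
        IronWasp.workflowStart();              // begin recording this test's traffic
        driver = FirefoxBrowser.createDriver();
    }

    @AfterMethod(alwaysRun = true)             // runs even when the test method failed
    public void endWorkflow() {
        try {
            IronWasp.workflowEnd();            // hand the recorded workflow to the scanner
        } finally {
            if (driver != null) {
                driver.quit();                 // never leave a proxied browser behind
            }
        }
    }
}

// Step 3: an ordinary functional test that inherits the base class; the scanner sees
// every request it makes without any scanner-specific code in the test itself.
class LoginPageTest extends IronWaspBaseTest {
    @Test
    public void titleIsShown() {
        driver.get("http://abc.com");          // placeholder URL from the slides
        System.out.println(driver.getTitle());
    }
}
```

Putting `workflowEnd()` in a `try`/`finally` inside an `alwaysRun` hook matters in practice: a failing assertion mid-test would otherwise leave IronWASP with an open workflow and the browser running, which is one of the management problems listed on the later slides.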

Page 29:

Advantages

• No special security auditing needed.

• Easily understandable reports.

• Security issues can be fixed early in the SDLC.

• Can prevent major design/architectural changes later.

• No more ransom to bug bounty hunters.

Page 30:

Areas of Improvement

• Speed and effectiveness:

  • The current system replays each test case repeatedly. Very time consuming.

  • The current system does not work properly for JavaScript-heavy websites.

• Coverage:

  • The current system does not test for client-side vulnerabilities.

  • The current system does not discover features that are not covered by the test cases.

• Reporting:

  • The current system only generates a report; there is no integration with bug tracking software.

Page 31:

Areas of Improvement

• Management:

  • The current system needs to be started every time a test suite needs to be run.

  • If it crashes during a scan, the crash has to be detected and the system restarted manually.

  • Bug-fix verification can only be done by manually comparing the reports.

  • Cannot handle parallel functional testing traffic from multiple users.

• Configuration-wise:

  • Configuring proxy settings in the web driver.

  • Sending API calls at the start and end of each test case.

Page 32:

Issue Types

• Scanners are unable to find flaws in business logic.

• More complicated attacks are still found by people, not scanners.

Page 33:

References

• IronWASP: http://ironwasp.net / http://ironwasp.org

• Mutillidae: http://sourceforge.net/projects/mutillidae

• GitHub: https://github.com/Ankitagupta2309/IronWasp/

• Special thanks to Lavakumar Kuppan, author of IronWASP