[QE 2018] Marek Puchalski – Web Application Security Test Automation
0 likes•457 views
The document discusses web application security testing automation, detailing practices, standards, and examples of security testing, particularly through the lens of the OWASP Application Security Verification Standard (ASVS). It highlights the importance of automating security tests, understanding HTTP traffic, and maintaining secure libraries and components. Additionally, it touches on specific security measures such as input validation, XSS protection, and TLS settings.
![Code
import static io.restassured.RestAssured.*;
(...)
String body = TEMPLATE.replace("<name>", "Marek")
.replace("<email>", "marek@test");
given(new RequestSpecBuilder()
.addHeader("X-Requested-With", "XMLHttpRequest")
.addHeader("Accept", "application/json, text/javascript, */*; q=0.01")
.addHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
.setBody(body)
.build()).
when()
.post("http://demoqa.com/contact/").
then()
.statusCode(200)
.body("mailSent", equalTo(false),
"invalids[0].message", equalTo("Email address seems invalid."));](https://image.slidesharecdn.com/qualityexcitessecuritytestautomationpuchalski-180702085346/85/QE-2018-Marek-Puchalski-Web-Application-Security-Test-Automation-28-320.jpg)
[QE 2018] Marek Puchalski – Web Application Security Test Automation
- 1. (Web Application) Security Test Automation Marek Puchalski [email protected] [email protected] @marek_devsec
- 2. About me
- 3. Security Testing in Projects Pentest Static Code Analysis Dynamic Code Analysis Unit Tests
- 4. Table of Contents • Waterfall VS Agile • OWASP ASVS • Examples
- 7. Waterfall
- 9. Agile
- 12. Best idea so far Automate security tests
- 13. OWASP ASVS
- 14. OWASP Application Security Verification Standard (ASVS) • Provides a list of requirements for secure development • Defines different security assurance levels (Opportunistic, Standard, Advanced, also called Level 1, 2, 3)
- 15. Example
- 17. EXAMPLES
- 18. Example 1, ASVS 11.8 Verify that the X-XSS-Protection: 1; mode=block header is in place. „ „
- 19. HTTP Communication Example GET http://oasp-ci.cloudapp.net/oasp4j- sample/services/rest/offermanagement/v1/offer HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 X-CSRF-TOKEN: fcbfc729-15d2-4f04-8e50-082f20cb2dfb Referer: http://oasp-ci.cloudapp.net/oasp4j- sample/jsclient/ Cookie: JSESSIONID=F340544E6AE9078812ECF61139D03C7B Connection: keep-alive Host: oasp-ci.cloudapp.net HTTP request HTTP/1.1 200 OK Date: Sat, 11 Jul 2015 20:28:36 GMT Server: Apache-Coyote/1.1 Content-Type: application/json;charset=UTF-8 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive [{"id":1,"modificationCounter":1,"revision":null,"name":null," description":"Schnitzel- Menü","number":null,"mealId":1,"drinkId":10,"sideDishId":5," state":"NORMAL","price":"6.99"},{"id":2,"modificationCounte r":1, (…) HTTP response
- 20. Why do we have to deal with HTTP? • It’s a trust boundary between the client and the server • It offers maximum flexibility by allowing request manipulation on the text/byte level • One can fabricate request the client side of application would never generate • This is what the hackers are doing :)
- 21. What does X-XSS-Protection do? • Offers (reflected) XSS protection • Turned on by default, but works in the sanitization mode • Turn the most rigorous mode on over X-XSS- Protection: 1; mode=block
- 22. Preferred type of test Source: https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/04/20/set-up-a-cicd-pipeline-to-run-automated-tests-efficiently/
- 24. Example 2, ASVS 5.5 Verify that input validation routines are enforced on the server side. „ „
- 26. Request
- 27. Response
- 28. Code import static io.restassured.RestAssured.*; (...) String body = TEMPLATE.replace("<name>", "Marek") .replace("<email>", "marek@test"); given(new RequestSpecBuilder() .addHeader("X-Requested-With", "XMLHttpRequest") .addHeader("Accept", "application/json, text/javascript, */*; q=0.01") .addHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8") .setBody(body) .build()). when() .post("http://demoqa.com/contact/"). then() .statusCode(200) .body("mailSent", equalTo(false), "invalids[0].message", equalTo("Email address seems invalid."));
- 29. Wait! Is this really this easy?
- 30. I would not call that „easy” • Understanding security requirements takes time • We need to deal with traffic on the HTTP level • Some technologies are easier to automate than others • We didn't show how to deal with authentication or CSRF protection • But yes, in many cases the code can still be sexy!
- 31. Example 3, ASVS 10.16 Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure. „ „
- 32. What is TLS? • It’s the „S” in HTTPS ;) • It’s actually much more than this, but let’s not complicate things, because…
- 33. Understanding TLS is hard • Understand: PKI, CA, MAC, OCSP, CSR, cipher suites, ... • Use: RSA, ECDHE, DHE, AES, GCM, CBC, SHA,... • Don't use: MD5, RC4, SSL, ... • Prevent: Drown, BEAST, padding oracle, CRIME, TIME, BREACH, Heartbleed, DUAL_EC_DRBG, ...
- 34. How to deal with it? Source: https://www.ssllabs.com/ssltest/
- 35. Code import io.beekeeper.ssllabs.junit.BaseSSLLabsTest; @RunWith(Parameterized.class) public class AppTest extends BaseSSLLabsTest { public AppTest(String host) { super(host); } @Parameters(name = "Host: {0}") public static Iterable<String> data() { return Arrays.asList("marek.puchal.ski", "www.poczta-polska.pl"); } } Source: https://github.com/beekpr/ssllabs
- 36. Example 4, ASVS 1.11 Verify that all application components, libraries, modules, frameworks, platform, and operating systems are free from known vulnerabilities. „ „
- 37. Case Equifax (STRUTS 2, CVE-2017-5638) BTW: Struts 2 had 15 known vulnerabilities in 2016 Source: https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
- 38. How to deal with it? • Update every library every release • Or use a library scanning tool – OWASP Dependency Check – Victims – Black Duck (Copilot) – Many other
- 41. Summary • First step to security assurance - know what is to be done • Don't fear HTTP – test implementation is not necessary hard • You can even deal with „special cases” like TLS validation and software composition analysis on the code level