Security Test Automation
By Autobots
Disclaimer!
We are NOT Security Experts, but QA
Engineers Passionate about Quality
Security Test Automation
What is Security Testing
• Security testing is the process that
determines that confidential data stays
confidential and users can perform only
those tasks that they are authorized to
perform.
• Security Testing is a type of software testing
that intends to uncover vulnerabilities of the
system and determine that its data and
resources are protected from possible
intruders.
Some key terms used in Security
Testing
• What is “Vulnerability”?
This is a weakness in the web application.
The cause of such a “weakness” can be
bugs in the application, an injection (SQL/
script code) or the presence of viruses.
• What is “Spoofing”?
The creation of hoax look-alike websites or
emails is called spoofing.
• What is “URL manipulation”?
Some web applications communicate
additional information between the client
(browser) and the server in the URL.
Changing some information in the URL
may sometimes lead to unintended
behavior by the server.
• What is “SQL injection”?
This is the process of inserting SQL
statements through the web application
user interface into some query that is then
executed by the server.
OWASP
• The Open Web Application Security
Project (OWASP) is an online community
dedicated to web application security.
• OWASP is a worldwide not-for-profit
charitable organization focused on
improving the security of software.
Few OWASP Recommended Tools
Web application risk                                 Security utility
A1: Injection                                        SQL Inject Me and Zed Attack Proxy (ZAP)
A2: Broken Authentication and Session Management     ZAP
A3: Cross-Site Scripting (XSS)                       ZAP
A4: Insecure Direct Object References                HTTP Directory Traversal Scanner, Burp Suite and ZAP
A5: Security Misconfiguration                        OpenVAS and WATOBO
A6: Sensitive Data Exposure                          Qualys SSL Server Test
A7: Missing Function Level Access Control            OpenVAS
A8: Cross-Site Request Forgery (CSRF)                Tamper Data (Samurai WTF), WebScarab or ZAP
A9: Using Components with Known Vulnerabilities      OpenVAS
A10: Unvalidated Redirects and Forwards              ZAP
What is IronWASP
• An environment for Web Application Security Testing
• Designed for optimum mix of Manual and Automated Testing
• Designed for Pentesters and QA folks
• Lets you write a custom Security Scanner in a very short time
• Open Source and Open Architecture
• GUI based & does not require installation
• Powerful and effective scanning engine
• Extensible via plug-ins or modules in Python, Ruby, C# or
VB.NET
IronWASP – Key Components
• Built-in Crawler + Scan Manager + Proxy
• Python/Ruby based plug-ins
• Active plug-ins for Scanning
• Passive plug-ins for vulnerability detection
• Format plug-ins for defining data formats
• Session plug-ins to customise the scans
• Generate detailed report
Zed Attack Proxy [ZAP]
• An easy to use web application security
testing tool
• Completely Free and Open Source
• An OWASP flagship project
• Ideal for Beginners
• But also used by Professionals
• Framework for advanced testing
• Ideal for Dev and QA. Especially for Test
Automation Engineers
Automation Workflow
Integrating ZAP into the Build
• ANT Tasks
• Session management: New, Save and
Open
• Tasks: Spider and Active Attack
• Results: Ignoring rules and Failing the
build
Scan Results
• Password Autocomplete
• Application Error disclosure
• Cookie set without HttpOnly
Setting the HttpOnly flag when generating a cookie helps mitigate the risk of client-side
script accessing the protected cookie
• X-Content-Type-Options header missing
Leaving this header out opens up a serious security vulnerability: by confusing the MIME
sniffing algorithm, the browser can be manipulated into interpreting data in a
way that allows an attacker to carry out operations that are not expected by either
the site operator or the user, such as cross-site scripting
• X-Frame-Options header not set
This header provides clickjacking protection. A clickjacking ("UI redress") attack is when an attacker uses
multiple transparent or opaque layers to trick a user into clicking on a button or link on
another page when they were intending to click on the top-level page. Thus,
the attacker is "hijacking" clicks meant for their page and routing them to another
page, most likely owned by another application, domain, or both
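As an added example (not part of the slides and not ZAP's own code), the following Python script shows in miniature what the "Scan Results" above and the "Results: Ignoring rules and Failing the build" step amount to: a passive check of one HTTP response for the listed findings, followed by a build gate that applies an ignore list and a minimum risk level. The response text, the alert names, the risk levels and the function names are assumptions chosen to mirror the slide.

```python
import re

# Risk ordering used by the build gate (mirrors ZAP's alert risk levels).
RISK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample response for a login page (not captured from a real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"          # no HttpOnly -> alert
    "Set-Cookie: lang=en; Path=/; HttpOnly\r\n"          # fine
    "\r\n"
    '<html><form><input type="password" name="pw"></form></html>'
)

def parse_response(raw):
    """Split a raw HTTP response into ([(name, value), ...], body); duplicate headers kept."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def check_response(raw):
    """Return the passive-scan alerts for one response as (alert, risk, detail) tuples."""
    headers, body = parse_response(raw)
    alerts = []
    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = value.split("=", 1)[0], value.split(";")[1:]
            if not any(a.strip().lower() == "httponly" for a in attrs):
                alerts.append(("Cookie set without HttpOnly", "Low", cookie))
    if not any(n == "x-content-type-options" and v.lower() == "nosniff" for n, v in headers):
        alerts.append(("X-Content-Type-Options header missing", "Low", ""))
    if not any(n == "x-frame-options" for n, _ in headers):
        alerts.append(("X-Frame-Options header not set", "Medium", ""))
    for m in re.finditer(r'<input[^>]*type="password"[^>]*>', body, re.I):
        if 'autocomplete="off"' not in m.group(0).lower():
            alerts.append(("Password Autocomplete", "Low", m.group(0)))
    # Simplified error-disclosure check: a few typical stack-trace / DB error strings.
    if re.search(r"stack trace|exception in thread|error in your sql syntax", body, re.I):
        alerts.append(("Application Error disclosure", "Medium", ""))
    return alerts

def should_fail_build(alerts, ignore, min_risk="Medium"):
    """Build gate: fail when any non-ignored alert is at or above min_risk."""
    return any(a not in ignore and RISK[r] >= RISK[min_risk] for a, r, _ in alerts)

if __name__ == "__main__":
    found = check_response(SAMPLE_RESPONSE)
    for alert, risk, detail in found:
        print(f"[{risk}] {alert} {detail}")
    print("FAIL BUILD" if should_fail_build(found, {"Password Autocomplete"}) else "PASS")
```

In a real pipeline the alerts would come from ZAP's report rather than from this local check; the gating logic stays the same.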
Advantages
• Additional ROI
• Great for Catching
1. Injection Based Attacks
2. HTTP header and Cookie issues
3. URL Redirect abuse
• No additional effort for vulnerability scan
• Can be integrated with your CI Builds
• Ignoring Low Priority Alerts
• No Code
• Big Surprise
References
• http://resources.infosecinstitute.com/owasp-top-ten-testing-and-tools-for-2013/
• http://istqbexamcertification.com/what-is-security-testing-in-software/
• https://www.owasp.org
• http://www.ironwasp.org/index.html
• http://www.ironwasp.org/download.html
• http://confengine.com/selenium-conf-2014/schedule#session-218-info
• https://github.com/continuumsecurity/zap-webdriver
• https://code.google.com/p/zaproxy/wiki/RegTestsDemo