O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Security Test Automation
By Autobots
Disclaimer!
We are NOT Security Experts, but QA
Engineers Passionate about Quality
Security Test Automation
What is Security Testing
• Security testing is the process that
determines that confidential data stays
confidential and u...
Some key terms used in Security
Testing
• What is “Vulnerability”?
This is a weakness in the web application.
The cause of...
• What is “URL manipulation”?
Some web applications communicate
additional information between the client
(browser) and th...
OWASP
• The Open Web Application Security
Project (OWASP) is an online community
dedicated to web application security.
• ...
Few OWASP Recommended Tools
WEB APPLICATION RISK SECURITY UTILITY
A1: Injection
SQL Inject Me and
Zed Attack Proxy (ZAP)
A...
What is IronWASP
• An environment for Web Application Security Testing
• Designed for optimum mix of Manual and Automated ...
IronWASP – Key Components
• Built-in Crawler + Scan Manager + Proxy
• Python/Ruby based plug-ins
• Active plug-ins for Sca...
Zed Attack Proxy [ZAP]
• An easy to use web application security
testing tool
• Completely Free and Open Source
• An OWASP...
Automation Workflow
Integrating ZAP into the Build
• ANT Tasks
• Session management: New, Save and
Open
• Tasks: Spider and Active Attack
• Re...
Scan Results
• Password Autocomplete
• Application Error disclosure
• Cookie set without HttpOnly
Using the HttpOnly flag ...
Advantages
• Additional ROI
• Great for Catching
1. Injection Based Attacks
2. HTTP header and Cookie issues
3. URL Redire...
References
• http://resources.infosecinstitute.com/owasp-top-ten-
testing-and-tools-for-2013/
• http://istqbexamcertificat...
Security testautomation
Próximos SlideShares
Carregando em…5
×

Security testautomation

Security Testing Automation using Selenium

  • Entre para ver os comentários

Security testautomation

  1. 1. Security Test Automation By Autobots
  2. 2. Disclaimer! We are NOT Security Experts, but QA Engineers Passionate about Quality
  3. 3. Security Test Automation
  4. 4. What is Security Testing • Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform. • Security Testing is a type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from possible intruders.
  5. 5. Some key terms used in Security Testing • What is “Vulnerability”? This is a weakness in the web application. The cause of such a “weakness” can be bugs in the application, an injection (SQL/ script code) or the presence of viruses. • What is “Spoofing”? The creation of hoax look-alike websites or emails is called spoofing.
  6. 6. • What is “URL manipulation”? Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server. • What is “SQL injection”? This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.
  7. 7. OWASP • The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. • OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software.
  8. 8. Few OWASP Recommended Tools WEB APPLICATION RISK SECURITY UTILITY A1: Injection SQL Inject Me and Zed Attack Proxy (ZAP) A2: Broken Authentication and Session Management ZAP A3: Cross-Site Scripting (XSS) ZAP A4: Insecure Direct Object References HTTP Directory Traversal Scanner, Burp Suite and ZAP A5: Security Misconfiguration OpenVAS and WATOBO A6: Sensitive Data Exposure Qualys SSL Server Test A7: Missing Function Level Access Control OpenVAS A8: Cross-Site Request Forgery (CSRF) Tamper Data (Samurai WTF), WebScarab or ZAP A9: Using Components with Known Vulnerabilities OpenVAS A10: Unvalidated Redirects and Forwards ZAP
  9. 9. What is IronWASP • An environment for Web Application Security Testing • Designed for optimum mix of Manual and Automated Testing • Designed for Pentesters and QA folks • Let’s you write a custom Security Scanner in a very short time • Open Source and Open Architecture • ƒGUI based & does not require installation • Powerful and effective scanning engine • Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET
  10. 10. IronWASP – Key Components • Built-in Crawler + Scan Manager + Proxy • Python/Ruby based plug-ins • Active plug-ins for Scanning • Passive plug-ins for vulnerability detection • Format plug-ins for defining data formats • Session plug-ins to customise the scans • Generate detailed report
  11. 11. Zed Attack Proxy [ZAP] • An easy to use web application security testing tool • Completely Free and Open Source • An OWASP flagship project • Ideal for Beginners • But also used by Professionals • Framework for advanced testing • Ideal for Dev and QA. Especially for Test Automation Engineers
  12. 12. Automation Workflow
  13. 13. Integrating ZAP into the Build • ANT Tasks • Session management: New, Save and Open • Tasks: Spider and Active Attack • Results: Ignoring rules and Failing the build
  14. 14. Scan Results • Password Autocomplete • Application Error disclosure • Cookie set without HttpOnly Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie • X-Content-Type-Options header missing Opens up a serious security vulnerability, in which, by confusing the MIME sniffing algorithm, the browser can be manipulated into interpreting data in a way that allows an attacker to carry out operations that are not expected by either the site operator or user, such as cross-site scripting • X-Frame-Options header not set Provides Clickjacking protection - “UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both
  15. 15. Advantages • Additional ROI • Great for Catching 1. Injection Based Attacks 2. HTTP header and Cookie issues 3. URL Redirect abuse • No additional effort for vulnerability scan • Can be integrated with your CI Builds • Ignoring Low Priority Alerts • No Code • Big Surprise
  16. 16. References • http://resources.infosecinstitute.com/owasp-top-ten- testing-and-tools-for-2013/ • http://istqbexamcertification.com/what-is-security-testing- in-software/ • https://www.owasp.org • http://www.ironwasp.org/index.html • http://www.ironwasp.org/download.html • http://confengine.com/selenium-conf- 2014/schedule#session-218-info • https://github.com/continuumsecurity/zap-webdriver • https://code.google.com/p/zaproxy/wiki/RegTestsDemo

×