Posted by: Bernard Lelchuk | May 12, 2010

Security Testing Tips: Part II


This is a post I originally posted for uTest here
Posted on May 26th, 2009 in Guest PostsSoftware Testing TrendsTester CommunityTesting – Web Apps.

In the second part of his blog post “Security Testing Tips From a Bug Battle Winner”, uTester Bernard Lelchuk takes a closer look at some of the more effective tools to use when performing security testing.

There are quite a few attacking testing tools which can make security testing easier and more productive for both novice and veteran testing engineers alike. I will not list all of them here,  but rather cover the most essential, common and interesting FREE tools. So here they are, in no particular order:

Wireshark
A comprehensive yet easy-to-use protocol analyzer (sniffer) which will allow you to view, filter and analyze all network transmissions. (http://www.wireshark.org/)

Paros Proxy
Acts as a proxy which allows the tester to intercept and modify all HTTP/S data between server and client, including cookies and form fields. (http://www.parosproxy.org/index.shtml)

Burp Suite (Man-In-The-Middle)
Integrated platform for attacking web applications which contains several interfaces for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting and extensibility. Acts as a man-in-the-middle between client and server, thus allowing the tester to intercept and modify all HTTP requests between both parties. (http://portswigger.net/suite/)

WebScarab
Framework for analyzing and modifying all HTTP/S requests and responses between the browser and the server, which uses several plugins.  (http://www.owasp.org/index.php/OWASP_WebScarab_Project)

Here are a few Firefox add-ons that you may also find useful:

SQL Injection 1.2:
A component to transform check boxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page. It makes it easier to test and identify SQL injection vulnerabilities in web pages. (https://addons.mozilla.org/en-US/firefox/addon/6727)

Security Compass tools:
A set of 3 security testing attacking tools which are easy to execute at any time even with no early background in security testing. Just install and run each application on a website and review the generate report. This will give you a detailed report of all executed commands – just read and learn :)

Access Me
Accessing vulnerabilities in an application can allow an attacker to access those same resources without being authenticated. Access-Me is a Firefox extension used to test for these types of vulnerabilities. (https://addons.mozilla.org/en-US/firefox/addon/7595)

SQL Inject me
SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is Firefox Extension used to test for SQL Injection vulnerabilities.
https://addons.mozilla.org/en-US/firefox/addon/7597

XSS Me
Cross-Site Scripting (XSS) is a common flaw found in today’s web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

https://addons.mozilla.org/en-US/firefox/addon/7598

Security Compass’s home page:
http://www.securitycompass.com/s

Tamper Data
View and modify HTTP/HTTPS headers and post parameters. It’s a similar tool to Burp suite, however, it features basic and limited data tampering capabilities directly via FF.
https://addons.mozilla.org/en-US/firefox/addon/966

Tool Selection:

Selecting a security testing tool from the list above (or an additional tool) should not be an hassle, no matter what your expertise level.

  • If you need to start out with monitoring traffic, then use the Wireshark tool, which I find to be the easiest and most productive tool in my daily work as a QA professional.
  • For tampering data, start with either BurpSuite or the FF add-on Tamper data if you feel more comfortable testing directly in your browser.
  • For injection attacks, just install the 3-pack of Security Compass and experiment with it.

As an extra, here are some nice security testing sources for you.

Sources:
http://www.isecom.org/
http://www.owasp.org/index.php/Main_Page
http://www.opensourcetesting.org/security.php
http://www.sqaforums.com/postlist.php?Cat=0&Board=UBB19
http://www.cigital.com/papers/download/bsi4-testing.pdf

I’d love to receive your comments, questions or experiences you may have had with security testing.

Happy testing!
Bernard Lelchuk

Advertisements

What do YOU think about this post?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: