Web Security Testing Cookbook (O'Reilly Media, Inc.)
Chapter 10, Mitigation of OWASP Top 10, shows that organizations hire penetration testers to attack their servers and applications with the goal of knowing what is wrong, so that they know what they should fix and how. This chapter covers that side of penetration testing by giving simple and direct guidelines on what to do to fix and prevent the most critical web application vulnerabilities according to OWASP (the Open Web Application Security Project).
Setting Up Kali Linux

In this chapter, we will cover:

- Updating and upgrading Kali Linux
- Installing and running OWASP Mantra
- Setting up the Iceweasel browser
- Installing VirtualBox
- Creating a vulnerable virtual machine
- Creating a client virtual machine
- Configuring virtual machines for correct communication
- Getting to know web applications on a vulnerable VM

Introduction

In the first chapter, we will cover how to prepare our Kali Linux installation to be able to follow all the recipes in the book, and how to set up a laboratory with vulnerable web applications using virtual machines.
Updating and upgrading Kali Linux

Before we start testing the security of web applications, we need to be sure that we have all the necessary tools and that they are up to date. This recipe covers the basic task of keeping Kali Linux and its tools at their most recent versions.
Getting ready

We start from having Kali Linux installed as the main operating system on a computer with Internet access; the version that we will be using through this book is 2.

How to do it

Once you have a working instance of Kali Linux up and running, perform the following steps:

1. Log in as root on Kali Linux; the default password is "toor", without the quotes. You can also use su to switch user, or sudo to execute single commands, if using a regular user is preferred instead of root.
2. Open a terminal.
3. Run the apt-get update command.

Each component can be considered a black box: it has inputs, and it produces outputs. When you have a database, it makes an obvious component because its input is a SQL query and its output is some data in response.
As applications become more complex, they are frequently broken down into more specialized components, with each handling a separate bit of the logic. A good hint, though not a rule, for finding components is to look at physical systems. In large, sophisticated multicomponent systems, each component usually executes on its own physically separate computer system.
Components are also frequently separated logically in the network, with some components in more trusted network zones and other components in untrusted zones.
We will describe several architectures in terms of both the number of layers and what the components in those layers generally do. When arranged in a web application, these components take on a few fairly common roles. The session and presentation component contains logic to issue, expire, and manage headers, cookies, and transmission security (typically SSL). It also includes the decorations, graphics, and interface logic.
It may also do presentation-layer jobs such as sending different visualizations to the user based on the detected web browser. The application layer, when present as a distinct layer, contains the bulk of the business logic.
The session component determines which HTTP connections belong to a given session. The application layer makes decisions regarding functionality and access control. When you have a separate data layer, you have explicitly assigned the job of storing data to a separate component in the software. Most commonly this is a database of some sort.
When the application needs to store or retrieve data, it uses the data component. Given the many components that are possible, the number of separate layers present in the system influences its complexity a great deal. The layers also serve as focal points, or interfaces, for testing.
You must make sure you test each component and know what sorts of tests make sense at each layer. An application that has a single layer puts all its business logic, data, and other resources in the same place. There is no explicit separation of duties between, say, handling the HTTP connection itself, session management, data management, and enforcing the business rules.
An example one-layer application would be a simple Java Server Page (JSP) or servlet that takes a few parameters as input and chooses to offer different files for download as a result. Imagine an application that simply stores thousands of files, each containing the current weather report for a given zip code.
When the user enters their zip code, the application displays the corresponding file. There is logic to test: what if the user enters xyz as her zip code? There is only the one logic e. Finding an error means you look in just the one place. Since we are supposing that session tracking is performed right within the same logic, and we are not using any special data storage (just files that are stored on the web server), there is no session or data layer in this example.
How do you test a one-layer web app? You have to identify its inputs and its outputs, as you would with any application, and perform your usual testing of positive, negative, and security values. This will contrast considerably with what you do in multilayer applications. Adding a database or sophisticated data storage mechanism is usually one of the first optimizations developers make to an application whose needs are expanding.
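The following is an added example, not code from the book: a hypothetical one-layer weather lookup handler (a stand-in for the JSP or servlet described above) together with a test suite that feeds it the three classes of input the text names, positive, negative and security values, and reports which expectations fail. The handler, file names, status codes and sample report contents are all constructed for this example.

```python
import os
import re
import tempfile

# Hypothetical one-layer weather application (constructed for this example):
# a single handler maps a five-digit zip code to a report file on the server.
# fullmatch with re.ASCII is used deliberately: "$" would accept a trailing
# newline, and without re.ASCII "\d" also matches non-ASCII digit characters.
ZIP_RE = re.compile(r"\d{5}", re.ASCII)


def lookup_report(zip_code, report_dir):
    """Return (status, body) for one request, like a tiny JSP/servlet would.

    All the logic lives here: validate the input, resolve the file under
    report_dir, and refuse anything that would escape that directory.
    """
    if not isinstance(zip_code, str) or not ZIP_RE.fullmatch(zip_code):
        return 400, "invalid zip code"
    # Defense in depth: even a validated value must resolve inside report_dir.
    base = os.path.realpath(report_dir)
    path = os.path.realpath(os.path.join(base, zip_code + ".txt"))
    if os.path.dirname(path) != base:
        return 400, "invalid zip code"
    if not os.path.isfile(path):
        return 404, "no report for that zip code"
    with open(path, encoding="utf-8") as f:
        return 200, f.read()


# Test inputs grouped as the chapter suggests: positive, negative and security
# values. The expected status codes are assumptions of this example.
TEST_CASES = {
    "positive": [("02134", 200), ("90210", 200)],
    "negative": [("xyz", 400), ("", 400), ("1234", 400), ("123456", 400),
                 (None, 400), ("99999", 404)],
    "security": [("../../etc/passwd", 400), ("02134/../02134", 400),
                 ("02134\x00", 400), ("02134\n", 400), ("<script>", 400)],
}


def run_suite(report_dir=None):
    """Run every case and return {group: [(value, expected, actual), ...]}.

    When no report_dir is given, a temporary directory with two constructed
    report files is created so the suite runs offline.
    """
    tmp = None
    if report_dir is None:
        tmp = tempfile.TemporaryDirectory()
        report_dir = tmp.name
        for z in ("02134", "90210"):
            with open(os.path.join(report_dir, z + ".txt"), "w", encoding="utf-8") as f:
                f.write(f"Weather for {z}: sunny\n")  # constructed sample data
    results = {}
    try:
        for group, cases in TEST_CASES.items():
            failures = []
            for value, expected in cases:
                status, _ = lookup_report(value, report_dir)
                if status != expected:
                    failures.append((value, expected, status))
            results[group] = failures
    finally:
        if tmp:
            tmp.cleanup()
    return results


if __name__ == "__main__":
    for group, failures in run_suite().items():
        print(group, "OK" if not failures else failures)
```

Because the application has a single layer, every failure the suite reports points at the one handler; the value of grouping the cases is that a failing "security" row tells the developer which class of input slipped past validation, not merely that something broke.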
There are many applications built on this paradigm, and most are two-layer applications. Linux is not important for our purposes; it is mentioned here only because it is part of the abbreviation. This arrangement allows expansion, replication, and redundancy, because multiple independent systems can provide session and application logic while a different set of machines provides MySQL data services.
Good examples of two-layer applications include any number of blogging, content-management, and website hosting packages. Access control and application functions are implemented in PHP code.
The use of a MySQL database allows it to easily deliver features like searching content, indexing content, and efficiently replicating it to multiple data stores. Knowing that you have a two-layer application means that you have to consider tests across the boundary between the layers. What can you find out about the data layer, the relationships in the data, and the way the application uses data? You will want to test for ways that the application can scramble the data, and ways that bad data can confuse the application.
When developers decide to divide their work into three or more layers, they have a lot of choices about which components they choose.
Most applications that are complex enough to have three components tend to use heavyweight frameworks like J2EE and. JSPs can serve as the session layer, while servlets implement the application layer. Finally, an additional data storage component, like an Oracle or SQL Server database, implements the data layer. When you have several layers, you have several autonomous application programming interfaces (APIs) that you can test. For example, if the presentation layer handles sessions, you will want to see whether the application layer can be tricked into executing instructions for one session when it masquerades as another.
Knowing the relationships between the components in your application makes an important difference to your testing. The application is only going to fulfill its mission when all the components are working correctly. You already have several ways that you can examine your tests to evaluate their effectiveness.
Test coverage, for example, is measured in a variety of ways: How many requirements are covered by tests? How many known error conditions can we produce? Now that you understand the presence and function of architectural components, you can consider how many components of the application are tested.
The more information you, as a tester, can provide to a developer about the root cause or location of an error, the faster and more correctly the error can be fixed. Knowing that an error, for example, is in the session layer or data layer goes a long way towards pointing the developer in the right direction to solve it.
When the inevitable pressure comes to reduce the number of tests executed to verify a patch or change, you can factor in the architecture when making the decision on which tests are most important to execute. Did they make modifications to the data schema? Try to organize your tests around data-focused tests and focus on that component. Did they modify how sessions are handled?
Identify your session management tests and do those first. With functional testing, we are trying to provide evidence to our managers, business people, and customers that the software performs as advertised. With our security testing, we are trying to assure everyone that it continues to behave as advertised even in the face of adverse input.
We are trying to simulate real attacks and real vulnerabilities and yet fit those simulations into the finite world of our test plan. Web security testing, then, is using a variety of tools, both manual and automatic, to simulate and stimulate the activities of our web application. We will get malicious inputs like cross-site scripting attacks and use both manual and scripted methods to submit them to our web application.
We will use malicious SQL inputs in the same way, and submit them also.
It is our goal to produce repeatable, consistent tests that fit into our overall testing scheme, but that address the security side of web applications. When someone asks whether our application has been tested for security, we will be able to confidently say yes and point to specific test results to back up our claim. There are lots of books out there that try to tell you why to perform security tests, when to test, or what data to use in your tests.
This book arms you with tools for doing that testing. No discussion of security testing would be complete without considering automation, and that is what many of the tools in this book specifically promote. Each chapter will describe specific test cases and highlight automation possibilities and techniques. Every year millions of dollars, euros, pounds, yen, and rupees are spent developing, testing, defending, and fixing web applications that have security weaknesses.
Security experts have been warning about the impact of software failure for a long time. Organizations are now coming to recognize the value of security in the software development lifecycle. Different organizations react differently to the need for security, however, and no two organizations are the same.
We are not going to tell you much about why you should include security testing in your testing methodology. There are ample books trying to address that question. We are not going to provide you with a database of test data. The techniques presented in these recipes, however, will last a long time and will be helpful in delivering attacks of many kinds. This book does not present a methodology for assessing your application looking for weak spots.
Assessors come in and find problems. They do not bring the deep, internal knowledge of the application that the QA staff and developers have. External consultants do not fit into the software development lifecycle and apply tests at the unit, integration, and system level.
If you need an overall methodology on how to assess a web application from the ground up, there are many good books on how to do that.
Every organization will have to decide who will perform security testing. It might be and probably should be a combination of both developers and testers.
If security testing falls exclusively to the testing and quality side of the organization, then you will want someone with some software development skills. Although we are not developing a software product here, the scripts and test cases will be easier to use and reuse if you have experience with programming and scripting. Even operations staff might benefit from the recipes in this book.
How you decide whom to assign to these tasks, how you organize their work, and how you manage the security testing is beyond the scope of this book. Integrating security testing, like any other kind of specialized testing (performance, fault tolerance, etc.)
There will be additional smoke tests, unit tests, regression tests, and so on. Ideally these tests are mapped back to security requirements, which is yet one more place your lifecycle needs to change a little. It is difficult to develop security test cases when security requirements are not specified, but that is a topic for another book.
Instead, we are going to help you build the infrastructure for the test cases.
You will have to determine by experimenting or by changing your methodology where you want to insert them into your lifecycle. We are talking about software—source code, business logic—written by you, operated by you, or at least tested by you. The tests you build using the recipes in this book will help you find flaws in the source code itself—flaws in how it executes its business functions.
This is handy when you need to check the security of a web application but you do not have the source code for it e. The techniques are especially powerful when you have the source itself. Creating narrow, well-defined security tests allows you to facilitate root cause analysis right down to the lines of code that cause the problem.

In this paper, we analyze and compare Agile Security Testing with two other common methodologies for Web application security testing, and then present an extension of this methodology.
Our working hypothesis is that the detection of vulnerabilities in Web applications will be significantly more efficient when using a structured security testing methodology specialized for Web applications, compared to existing ad hoc ways of performing security tests.
Our results show a clear indication that our hypothesis is on the right track.