InformationSecurity
Web Application Security
Security Test Automation in Software Development using Open Source Tools
About Smals vzw-asbl
• One of Belgium's largest ICT organisations: 1750 people
• "ICT for Society"
- Work: e.g. Dimona-DmfA (salary & labour prestations)
- Health: e.g. eHealth platform (secure exchange of medical data in Belgium)
- Family life: e.g. VESTA (home care for the elderly; financial / operational support)
• In-house ICT service, working exclusively for the government
• High priority for ICT security & privacy
Introduction
Security Test Automation in Software Development using Open Source Tools
Can we do it? What do we need?
• Source code
• Working parts of the application
• Selenium tests for the functional part
Application Security Disclaimer
Hacking is illegal and can be punished under the legal framework of the Belgian information crime laws (the Law of 28 November 2000 on computer crime). So the methods we show here are illegal if used without the consent of the victim.
Hacking is illegal under Belgian law
Article 550bis § 1: A person who, knowing that he is not entitled to do so, gains access to a computer system or maintains himself in it, shall be punished with imprisonment from three months to one year and a fine of twenty-six to twenty-five thousand euro, or with one of these penalties alone. If the offence referred to in the first paragraph is committed with fraudulent intent, the imprisonment is six months to two years.
Security myths: Firewalls …
• Firewalls are always configured to allow web traffic -> HTTP(S)
• Attacker appears to the web application as a normal user
Security myths: SSL secures the application…
• Server-side SSL only guarantees confidentiality on transport level
• Attacker also uses the SSL tunnel
Security myths: The application framework solves that…
• Frameworks don't solve security issues
• Some frameworks facilitate, but not by default
• Some frameworks do, by default
- Workarounds exist that bring the security problems back
OWASP Top Ten (2013 Edition)
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
SQL Injection
Input: user John, password secret
Query: SELECT user FROM users WHERE user='John' AND password='secret';
Result: John
Screen: Welcome, John
Input: user xxxx, password ' or 1=1;--
Query: SELECT user FROM users WHERE user='xxx' AND password='' or 1=1;--';
Result: Aaron (the injected condition is true for every row, so the first user in the table comes back)
Screen: Welcome, Aaron
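The login on this slide as Java/JDBC code, added here as an example (it is not code from the presentation): the concatenated query that produces the result above, beside the PreparedStatement form that the Findbugs rule SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE (listed on the Findbugs slides below) steers you towards. The Connection, the shape of the users table, and the class and method names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * The login query from the slide, written both ways.
 * Assumptions (not from the slide): the Connection comes from the application's
 * DataSource, and the users table has the columns user and password that the
 * slide's query reads. Passwords are compared in clear text only to mirror the slide.
 */
public class LoginDao {

    /**
     * VULNERABLE: the slide's query assembled by string concatenation.
     * Findbugs reports this as SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE.
     * With the password "' or 1=1;--" the WHERE clause is true for every row,
     * so the first user in the table (Aaron on the slide) is "authenticated".
     */
    public String loginVulnerable(Connection c, String user, String password) throws SQLException {
        String sql = "SELECT user FROM users WHERE user='" + user
                   + "' AND password='" + password + "'";
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("user") : null;
        }
    }

    /**
     * FIXED: the same query with bind parameters. The SQL text is fixed at compile
     * time and the driver sends the values separately, so "' or 1=1;--" is compared
     * literally against the password column and matches nobody.
     */
    public String loginSafe(Connection c, String user, String password) throws SQLException {
        String sql = "SELECT user FROM users WHERE user=? AND password=?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("user") : null;
            }
        }
    }
}
```

A PreparedStatement only helps when the SQL text itself is a constant; concatenating input into the text and then preparing it is exactly what the Findbugs rule SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING flags.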
Stored XSS
Legitimate stored message: Coming home at 5 o'clock
Injected stored message: <script>Steal password</script>
Every user who views the stored message runs the script, and their passwords flow to the attacker.
Reflected XSS
Attacker sends the victim the link: http://site.com/index?<script>steal password</script>
Victim's browser requests: http://site.com/index?<script>steal password</script>
Site reflects the parameter in its response: Error: reason (<script>steal password</script>) unknown
The script runs in the victim's browser, and the passwords flow to the attacker.
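The reflected error page above and the rendering step of the stored example before it are the same defect: untrusted text written into HTML without escaping. The servlet below is an added example, not code from the presentation; the parameter name reason is taken from the slide's error text, and the class and helper names are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * The error page from the reflected XSS slide as a servlet. The parameter name
 * "reason" is assumed from the slide's error text; the stored message is a
 * constructed sample.
 */
public class ErrorPageServlet extends HttpServlet {

    /**
     * VULNERABLE: the parameter goes straight into the HTML, so a value such as
     * <script>...</script> is executed by the victim's browser. Findbugs reports
     * this as XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER.
     */
    protected void doGetVulnerable(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Error: reason (" + req.getParameter("reason") + ") unknown");
    }

    /** FIXED: the same page, with every untrusted value escaped at the point of output. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Error: reason (" + escapeHtml(req.getParameter("reason")) + ") unknown");
    }

    /**
     * Stored XSS is the same defect one step later: the payload came from the
     * database instead of the URL. Escaping when rendering stops both.
     */
    static void renderStoredMessage(PrintWriter out, String messageFromDatabase) {
        out.println("<p class=\"message\">" + escapeHtml(messageFromDatabase) + "</p>");
    }

    /**
     * Entity-escapes text placed inside an HTML element body or a quoted attribute.
     * In a real project prefer a maintained encoder such as OWASP Java Encoder
     * (Encode.forHtml); this inline version keeps the example self-contained.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The same applies when the parameter is handed to response.sendError(code, message): many containers render that message into their default error page, which is the case the Findbugs rule XSS_REQUEST_PARAMETER_TO_SEND_ERROR covers.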
Sensitive Data Exposure: Clear text transmission
• Confidential information is just sent back to the user
- Improper web application implementation
- Secure and non-secure sections
- Improper analysis of the information
- Improper configuration
- Unsecured SESSION cookies
Sensitive Data Exposure: Error messages
• Error messages for developers carry a lot of information to find the problem causing the error
- Stack traces in Java
- SQL error messages from the database
- PHP error messages
- …
• Those error messages give a lot of information to the hacker when displayed to him/her
- Information on the dataflow in the web application
- Database layout
- Operating system information
- Network information
- Application frameworks used
Cross Site Request Forgery
The victim is online to her bank.
The attacker's page makes her browser request: http://bank.com/transaction?amount=10000&acc=001.1234567.27
The bank receives http://bank.com/transaction?amount=10000&acc=001.1234567.27 together with her session cookie.
Transaction successful
Secure SDLC
Lifecycle artefacts:
• Requirements and use cases
• Design
• Test plans
• Code
• Test results
• Field feedback
Security activities applied to them:
• Security requirements
• Risk analysis
• Risk-based security tests
• Static analysis (tools)
• Penetration testing
• Design review
• Code review
Annotations on the diagram:
• Which risks we take
• What needs to be tested?
• Code review tools
• Iterative approach
• Pen testing tools
Findbugs
• Static source code analyzer
• Works on Java byte code: the source must compile!
• Searches for bug patterns
• Finds bugs, but also reports false warnings
• Eclipse plugin
• By default almost all patterns are enabled
Findbugs
For security patterns:
• DMI_CONSTANT_DB_PASSWORD: Hardcoded constant database password
• DMI_EMPTY_DB_PASSWORD: Empty database password
• EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object
• EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object
• EI_EXPOSE_STATIC_REP2: May expose internal static state by storing a mutable object into a static field
• MS_EXPOSE_REP: Public static method may expose internal representation by returning array
Findbugs
• SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: Nonconstant string passed to execute method on an SQL statement
• SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: A prepared statement is generated from a nonconstant String
• XSS_REQUEST_PARAMETER_TO_SEND_ERROR: JSP reflected cross site scripting vulnerability
• XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: Servlet reflected cross site scripting vulnerability in error page
• RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: Nullcheck of value previously dereferenced
• NP_NULL_ON_SOME_PATH: Possible null pointer dereference
• NP_NULL_ON_SOME_PATH_EXCEPTION: Possible null pointer dereference in method on exception path
Demo Findbugs
Eclipse
PMD
• Static source code analyzer
• Runs against the Java source code
• Also searches for bug patterns
• There are no real security patterns included
- Gotham Digital Science has a security rule set
PMD
For security patterns:
• ArrayIsStoredDirectly
• AvoidCatchingThrowable
• AvoidPrintStackTrace
• AvoidThrowingNullPointerException
• DoNotCallSystemExit
• ExceptionAsFlowControl
• MethodReturnsInternalArray
• MisplacedNullCheck
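Added example code (not from the presentation, Findbugs or PMD) that triggers the Findbugs patterns on the slides above (DMI_CONSTANT_DB_PASSWORD, DMI_EMPTY_DB_PASSWORD, EI_EXPOSE_REP, EI_EXPOSE_REP2, EI_EXPOSE_STATIC_REP2, MS_EXPOSE_REP) and the PMD rules ArrayIsStoredDirectly, MethodReturnsInternalArray, AvoidCatchingThrowable and AvoidPrintStackTrace from this slide, each beside the form the tools accept. The catch-and-print case is also what puts the stack traces of the "Error messages" slide in front of the user. The JDBC URL, the DB_PASSWORD variable name and all class names are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Each "bad" member below triggers one of the Findbugs or PMD patterns named on
 * the slides; the member next to it is the form the tools accept.
 * The JDBC URL and the DB_PASSWORD variable name are assumptions.
 */
public class PatternExamples {
    private static final Logger LOG = Logger.getLogger(PatternExamples.class.getName());
    private static final String JDBC_URL = "jdbc:postgresql://db.example/app";   // assumed

    // DMI_CONSTANT_DB_PASSWORD: a literal password compiled into the class.
    static Connection connectBad() throws SQLException {
        return DriverManager.getConnection(JDBC_URL, "app", "s3cret");
    }
    // Fixed: the secret lives outside the code; refusing "" also avoids DMI_EMPTY_DB_PASSWORD.
    static Connection connectGood() throws SQLException {
        String pw = System.getenv("DB_PASSWORD");
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return DriverManager.getConnection(JDBC_URL, "app", pw);
    }

    // EI_EXPOSE_REP2 / PMD ArrayIsStoredDirectly on the constructor,
    // EI_EXPOSE_REP / PMD MethodReturnsInternalArray on the getter.
    public static class BadAccount {
        private final byte[] key;
        public BadAccount(byte[] key) { this.key = key; }        // caller keeps a reference to our state
        public byte[] getKey() { return key; }                   // caller can modify our state
    }
    // Fixed: defensive copies on the way in and on the way out.
    public static class Account {
        private final byte[] key;
        private final Date created;
        public Account(byte[] key, Date created) {
            this.key = key.clone();
            this.created = new Date(created.getTime());          // Date is mutable as well
        }
        public byte[] getKey() { return key.clone(); }
        public Date getCreated() { return new Date(created.getTime()); }
    }

    // EI_EXPOSE_STATIC_REP2 on the setter, MS_EXPOSE_REP on the getter.
    private static String[] badRoles = {"user", "admin"};
    public static void setBadRoles(String[] roles) { badRoles = roles; }
    public static String[] getBadRoles() { return badRoles; }    // getBadRoles()[1] = "root" changes static state
    // Fixed: expose an unmodifiable view of a private list.
    private static final List<String> ROLES =
        Collections.unmodifiableList(Arrays.asList("user", "admin"));
    public static List<String> getRoles() { return ROLES; }

    // PMD AvoidCatchingThrowable + AvoidPrintStackTrace: the stack trace ends up on stdout/stderr
    // and, in a web application, often in the page the user sees.
    static String loadBad(String id) {
        try {
            return query(id);
        } catch (Throwable t) {
            t.printStackTrace();
            return null;
        }
    }
    // Fixed: catch the specific exception, log the detail server-side, give the caller a generic message.
    static String loadGood(String id) {
        try {
            return query(id);
        } catch (SQLException e) {
            LOG.log(Level.SEVERE, "lookup failed for id " + id, e);
            throw new IllegalStateException("The request could not be processed");
        }
    }
    private static String query(String id) throws SQLException {
        throw new SQLException("simulated database failure");     // stand-in for the real lookup
    }
}
```

Running Findbugs and PMD over this class in Eclipse reports the "bad" members and stays silent on the fixed ones, which is a quick way to check that a rule set is actually active before wiring it into the Maven build.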
Demo PMD
Eclipse
Zed Attack Proxy
• Intercepting proxy
• Traditional and AJAX spiders
• Automated scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and client digital certificates support
Zed Attack Proxy
• WebSockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons
Demo Zaproxy
Eclipse
Demo: Automatic Build Process
• Maven
- Findbugs
- PMD
- Zaproxy
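How the ZAP step of such a build can be driven from code: an added example, not code from the presentation or from the ZAP project, that calls ZAP's REST API in its XML flavour (spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts) using only JDK classes and fails the build when High-risk alerts remain. ZAP's address, the API key and target URL (read from system properties), the 1000-alert page size and the class name are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.net.URLEncoder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Drives a running ZAP from a build step through its REST API (XML flavour):
 * spider the application, run the active scanner, then fail the build if any
 * High-risk alert is left. Assumed, not from the slides: ZAP on localhost:8090,
 * the API key and target taken from system properties, 1000 alerts at most.
 */
public class ZapBuildGate {
    private final String zapBase;
    private final String apiKey;

    public ZapBuildGate(String zapBase, String apiKey) {
        this.zapBase = zapBase;
        this.apiKey = apiKey;
    }

    /** GET /XML/{component}/{type}/{name}/?apikey=...&k=v... and parse the XML answer. */
    private Document call(String component, String type, String name, String... params) throws Exception {
        StringBuilder url = new StringBuilder(zapBase)
            .append("/XML/").append(component).append('/').append(type).append('/').append(name)
            .append("/?apikey=").append(URLEncoder.encode(apiKey, "UTF-8"));
        for (int i = 0; i + 1 < params.length; i += 2) {
            url.append('&').append(params[i]).append('=').append(URLEncoder.encode(params[i + 1], "UTF-8"));
        }
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The proxy's answer is still untrusted XML: refuse DOCTYPEs so no external entities are resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (InputStream in = new URL(url.toString()).openStream()) {
            Document doc = factory.newDocumentBuilder().parse(in);
            // ZAP reports API errors (bad key, unknown scan id, ...) with an Exception root element.
            if ("Exception".equals(doc.getDocumentElement().getTagName())) {
                throw new IllegalStateException("ZAP API error: " + doc.getDocumentElement().getTextContent());
            }
            return doc;
        }
    }

    private static String value(Document doc) {
        return doc.getDocumentElement().getTextContent().trim();
    }

    /** Starts a "spider" or "ascan" scan of the target and polls until its status reaches 100 (percent). */
    private void scanAndWait(String component, String target) throws Exception {
        String scanId = value(call(component, "action", "scan", "url", target, "recurse", "true"));
        while (!"100".equals(value(call(component, "view", "status", "scanId", scanId)))) {
            Thread.sleep(2000);
        }
    }

    /** Number of alerts recorded for the target at the given risk level ("High", "Medium", "Low", "Informational"). */
    public int countAlerts(String target, String risk) throws Exception {
        Document doc = call("core", "view", "alerts", "baseurl", target, "start", "0", "count", "1000");
        NodeList children = doc.getDocumentElement().getChildNodes();   // one <alert> element per finding
        int count = 0;
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            NodeList riskNodes = ((Element) n).getElementsByTagName("risk");
            if (riskNodes.getLength() > 0 && risk.equalsIgnoreCase(riskNodes.item(0).getTextContent().trim())) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        String target = System.getProperty("zap.target", "http://localhost:8080/app/");   // assumed
        ZapBuildGate gate = new ZapBuildGate(
            System.getProperty("zap.url", "http://localhost:8090"),                       // assumed
            System.getProperty("zap.apikey", ""));
        gate.scanAndWait("spider", target);
        gate.scanAndWait("ascan", target);
        int high = gate.countAlerts(target, "High");
        System.out.println("ZAP High-risk alerts for " + target + ": " + high);
        if (high > 0) {
            // An uncaught exception gives a non-zero exit code without calling System.exit (PMD DoNotCallSystemExit).
            throw new IllegalStateException("build failed: " + high + " High-risk ZAP alerts");
        }
    }
}
```

Run it after the application has been deployed by the integration-test phase; the site-phase integration on the TODO slide is the same hook. Instead of, or in addition to, the spider, the Selenium tests from the introduction can be run with ZAP configured as their HTTP proxy, so the active scan also covers the pages that are only reachable after login.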
TODO's
• Maven: Zed Attack Proxy and site phase integration
• SONAR integration of Zed Attack Proxy
• How about Agile development? Can we integrate this process in TDD and BDD?
Links
• FindBugs™ - Find Bugs in Java Programs
• PMD – Don't shoot the Messenger
• OWASP Zed Attack Proxy Project - OWASP
• ZAP Maven Plugin
• Automated Security Testing of web applications using OWASP Zed Attack Proxy
• Belgium - OWASP
• Gotham Digital Science
Resources …
• Books:
- Software Security
- Microsoft Secure Development Lifecycle
- Enterprise Security Architecture
Reflection
• Open source
- Good start
• Commercial tools
- Are more integrated in their environment
- Perform better
- Come with a price
• Manual review by experts
- Best results
- Expensive
- Non-constant reviews
- Very late in the process
Questions