Software Testing Specialists

Security Testing Tools

Experiences and Recommendations

The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research.

Introduction

New-age enterprises face a relentless onslaught of security challenges, ranging from DDoS attacks, database compromise and unauthorized entry to breaches of access control, login flaws and vulnerabilities across sessions, multiple authentications, caches etc.

Security is one area that needs constant reinforcement, meticulous assessment and a one-step-ahead approach to minimize the scope for error. Hence, security testing is a combination of offensive procedures backed by CEHs and strategic reviews which block and cement the IT system against threats, inherent as well as directed. Security testing combines attacks such as fault injection with assessment of vulnerable areas, such as the presence of redundant, readable and downloadable files on a web server. The combination of test approaches depends on the size, scope and coverage of the IT system.

This white paper incorporates inputs from Gallop’s Security Testing team and is designed to help you understand the types of security testing, the need for each, and the tools that enable them.

In addition, the white paper explains scenarios which affect the security of an IT system. It aims to predict, prevent and address security issues with testing approaches that improve overall resilience.

55% of IT practitioners lack a formal strategy to govern moving data.

61% of organizations say data theft and cybercrime are the greatest threats to their reputation.

Configuration Management Security Testing

Analysis of the network infrastructure and web application architecture can often reveal a good amount of information, such as source code, permitted HTTP methods, administrative functionality, authentication methods and infrastructural configurations. In present scenarios, the complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of servers, makes configuration management review and validation a fundamental step in testing. The application penetration test should include checking how the infrastructure was deployed and secured. While the application itself may be secure, a small aspect of the configuration could still be at the default install stage and vulnerable to exploitation.

Testing for Configuration Management usually includes –

- Usage of a strong cipher algorithm and its proper implementation
- Security of the DB listener port and component
- Web servers, database servers, authentication servers, software versions and their associated vulnerabilities
- Default configuration of the application and its associated vulnerabilities
- File extension handling configuration
- Presence of redundant, readable and downloadable files on a web server
- Admin functionality usage by authorized users
- Configuration of HTTP methods and their associated vulnerabilities

The scanner tools that can identify configuration-related vulnerabilities are as follows:

Application Configuration Weakness
  Open Source / Free Tools: W3AF, Nessus, Sandcat, Skipfish, arachni, Oedipus, iScan, N-Stalker, WSTool
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Sandcat, Jsky, Netsparker, Grendel Scan, ParosPro, Webcruiser, Web Injection Scanner

HTTP Methods and XST
  Open Source / Free Tools: W3AF, Nessus, Sandcat, arachni, ZAP, Oedipus, Andiparos, Watobo, Jsky, N-Stalker, Skipfish
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Sandcat, Jsky, Netsparker, Burpsuite, Vega, Grendel Scan, ParosPro, Paros Proxy, iScan

Old, Backup and Unreferenced Files
  Open Source / Free Tools: W3AF, ZAP, Syhunt Mini, Wapiti, WATOBO, Andiparos, Paros Proxy
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, N-Stalker

Authentication Security Testing

Authentication is the process of attempting to verify the digital identity of the sender of a communication. The sender could be a user, process or device. A common example of such a process is the logon process, but authentication happens every time we use our computers; much of it is transparent to the user and handled by the computer. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism. As a penetration tester, it is valuable to be able to gain the trust of a system and bypass security as an authorized entity. The most common method by which people confirm their identity is something they know, such as a password.

Testing for Authentication usually includes –

- Understand if data travels unencrypted from the web browser to the server
- Collecting a set of valid user names and then trying brute force testing
- Trying the default username and password of the deployed application / server
- Retrieve a valid user account and password by trying to enumerate many
- Bypassing the authentication schema by tampering with requests and tricking the application
- Flaw the “Remember Password” and “Password Reset” functions
- Flaw the logout and caching functions
- CAPTCHA validation
- Evaluating the strength of a “Multiple Factor Authentication System” like OTP (One Time Password)
- Testing for race conditions, a situation difficult to test for

The scanner tools that can identify authentication-related vulnerabilities are as follows:

Bypassing Authentication Schema
  Open Source / Free Tools: Nessus, WebScarab, WebGoat
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider, Grendel Scan

The enterprise security infrastructure market is projected to grow at an approximate compound annual growth rate (CAGR) of 10.9% into 2014 as companies continue to expand the technologies they use to improve their overall security.
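Several of the checks above (brute forcing a collected list of user names, default credentials, account enumeration) leave a recognizable trace in authentication logs. The following is an added example written for this edition, not code from the Gallop white paper: it runs a simple detector over a constructed log sample and flags a source that fails repeatedly against one account (brute force) and a source that fails once against many accounts (password spraying). The log format and the thresholds are assumptions a real deployment would tune.

```python
"""Detect brute-force and password-spraying patterns in authentication logs.

Added example, not from the white paper. The log format is constructed:
"<ISO timestamp> <OK|FAIL> user=<name> src=<ip>". Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 hammers one account, 198.51.100.9 tries
# many accounts once each, 192.0.2.20 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2021-03-01T10:00:01 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:02 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:03 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:04 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:05 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:06 OK   user=alice src=203.0.113.5
2021-03-01T10:05:00 FAIL user=bob   src=198.51.100.9
2021-03-01T10:05:01 FAIL user=carol src=198.51.100.9
2021-03-01T10:05:02 FAIL user=dave  src=198.51.100.9
2021-03-01T10:05:03 FAIL user=erin  src=198.51.100.9
2021-03-01T10:30:00 FAIL user=frank src=192.0.2.20
2021-03-01T10:30:30 OK   user=frank src=192.0.2.20
"""

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILS = 5      # failures for one (source, user) inside WINDOW
SPRAY_DISTINCT_USERS = 4   # distinct users failed from one source inside WINDOW


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect(log_text):
    """Return sorted findings: brute_force [(src, user)], spray [src],
    success_after_fail [(src, user)] for a success ending a run of failures."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)          # (src, user) -> failure timestamps in window
    users_by_src = defaultdict(dict)   # src -> {user: last failure timestamp}
    found = {"brute_force": set(), "spray": set(), "success_after_fail": set()}

    for ts, result, user, src in events:
        key = (src, user)
        if result == "FAIL":
            # slide the window: keep only failures within WINDOW of this event
            fails[key] = [t for t in fails[key] if ts - t <= WINDOW] + [ts]
            if len(fails[key]) >= BRUTE_FORCE_FAILS:
                found["brute_force"].add(key)
            users_by_src[src][user] = ts
            recent = [u for u, t in users_by_src[src].items() if ts - t <= WINDOW]
            if len(recent) >= SPRAY_DISTINCT_USERS:
                found["spray"].add(src)
        elif result == "OK" and len(fails.get(key, [])) >= BRUTE_FORCE_FAILS:
            # a success right after a brute-force run deserves an analyst's look
            found["success_after_fail"].add(key)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

A single failed login followed by success (frank) is not reported; only a success that ends a run at or above the brute-force threshold is, which is the event worth escalating.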

Session Management Security Testing

Authentication and Session Management take care of all aspects of handling user authentication and managing active sessions. HTTP is a stateless protocol, and hence even simple logic requires a user’s multiple requests to be associated with each other across a ‘session’. With regard to web applications, a session is the length of time a user spends on a website. It is always advisable to manage the duration of authorized sessions prudently. The goal of the penetration tester is to identify accounts that are permitted access to sessions with high-level privileges and unlimited time to access the web application.

Testing for Session Management usually includes –

- Understand the existing Session Management schema
- Understand if cookies are protected
- Access another user’s account through the active session (Session Fixation)
- Retrieving Session Tokens whilst in transit between the client browser and the application server
- Force an unknowing user to execute unwanted actions (Cross Site Request Forgery)

The scanner tools that can identify session-related vulnerabilities are as follows:

Session Identifier Complexity Analysis
  Open Source / Free Tools: W3AF, Nessus, Sandcat, Jsky, Webscarab
  Commercial Tools: Cenzic Hailstorm, NTO Spider, Sandcat, Burpsuite, Grendel Scan

As much as 60% of important corporate data resides on desktop & laptop computers that are not
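Two of the items above, whether cookies are protected and how complex the session identifier is, can be checked directly from the Set-Cookie headers an application returns. The following is an added example, not code from the white paper: it audits a cookie's Secure, HttpOnly and SameSite attributes and estimates how many bits actually vary across a sample of session tokens. The headers and tokens are constructed, and the 16-character minimum is an assumption.

```python
"""Audit session cookie attributes and estimate session-token randomness.

Added example, not from the white paper. Headers and tokens are constructed;
the minimum token length is an assumption.
"""
import math
from collections import Counter

# Constructed Set-Cookie header values as a server might return them.
WEAK_COOKIE = "JSESSIONID=1234567890; Path=/"
STRONG_COOKIE = ("sid=3f9a8c2e7b1d4e6f9a0b1c2d3e4f5a6b; Path=/; Secure; "
                 "HttpOnly; SameSite=Strict")

# Constructed token samples: a counter-style generator and a varying one.
SEQUENTIAL_TOKENS = ["00000001", "00000002", "00000003", "00000004"]
RANDOM_LOOKING_TOKENS = ["a3f9", "7b2e", "c40d", "e81a"]

REQUIRED_FLAGS = ("secure", "httponly")
MIN_TOKEN_CHARS = 16


def audit_cookie(header):
    """Return findings for one Set-Cookie value, read from the header alone:
    Secure (never sent over plain HTTP), HttpOnly (not readable by script),
    SameSite Strict/Lax (CSRF mitigation) and a non-trivial token length."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    findings = []
    for flag in REQUIRED_FLAGS:
        if flag not in attrs:
            findings.append(f"{name}: missing {flag} attribute")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append(f"{name}: SameSite not set to Strict or Lax")
    if len(value) < MIN_TOKEN_CHARS:
        findings.append(f"{name}: token shorter than {MIN_TOKEN_CHARS} characters")
    return findings


def token_entropy_bits(tokens):
    """Sum of per-position Shannon entropy (bits) over a token sample.

    A counter-style ID varies in only its last positions and scores low; a
    token whose every position varies scores high. The measurement is bounded
    by log2(len(tokens)) per position, so collect many tokens first.
    """
    width = min(len(t) for t in tokens)
    n = len(tokens)
    total = 0.0
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


if __name__ == "__main__":
    for hdr in (WEAK_COOKIE, STRONG_COOKIE):
        print(hdr, "->", audit_cookie(hdr) or "no findings")
    print("sequential:", token_entropy_bits(SEQUENTIAL_TOKENS), "bits")
    print("random-looking:", token_entropy_bits(RANDOM_LOOKING_TOKENS), "bits")
```

With only four samples the estimate tops out at 2 bits per position, so the numbers here compare generators rather than certify one; a real assessment samples hundreds of tokens, which is what the "Session Identifier Complexity Analysis" tools listed above automate.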

Authorization Security Testing

Authorization is the concept of allowing access to resources only to those permitted to use them. While Authentication is about establishing and verifying user identity, Authorization is about permissions: is a user allowed to perform the operation it is invoking? Testing for Authorization means understanding how the authorization process works and using that information to circumvent the authorization.

Testing for Authorization usually includes –

- Execute a path traversal attack and access reserved information
- Bypassing the authorization schema
- User can escalate his / her privilege within the application by himself

The scanner tools that can identify authorization-related vulnerabilities are as follows:

Path Traversal
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, SkipFish, Wapiti, Vega, WATOBO, safe3wvs, WebSecurify
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro

Privilege Escalation
  Open Source / Free Tools: Webscarab
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider

Gartner predicts that revenue from security products and related service markets will increase from
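Path traversal, the first item in the checklist above, is a defect in how the application maps a user-supplied name onto a file on disk. The following is an added example, not code from the white paper: it shows the containment check a server-side file handler should perform before opening anything, resolving the path the operating system would actually open rather than inspecting the raw string. The base directory and the requested names are constructed.

```python
"""Resolve a user-supplied file name under a fixed base directory and reject
anything that escapes it. Added example, not from the white paper; the base
directory and requested names are constructed.
"""
import os


class TraversalError(ValueError):
    """Raised when a requested path resolves outside the permitted base."""


def safe_join(base_dir, requested):
    """Return an absolute path inside base_dir or raise TraversalError.

    realpath() collapses '..' segments and follows symlinks, so the check is
    made on the path the OS would open. os.path.join() discards base_dir when
    `requested` is absolute, which is exactly why the result is re-checked.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() is the robust containment test; a plain startswith(base)
    # would wrongly accept a sibling directory such as "/srv/files2".
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{requested!r} resolves outside {base}")
    return candidate


def classify(base_dir, names):
    """Return {requested_name: 'allowed' | 'blocked'} for a batch of names."""
    verdicts = {}
    for name in names:
        try:
            safe_join(base_dir, name)
            verdicts[name] = "allowed"
        except TraversalError:
            verdicts[name] = "blocked"
    return verdicts


# Constructed base directory and request names used for the demonstration.
BASE_DIR = "/srv/files"
REQUESTS = ["report.pdf", "docs/../report.pdf", "../../etc/passwd", "/etc/passwd"]

if __name__ == "__main__":
    for name, verdict in classify(BASE_DIR, REQUESTS).items():
        print(f"{verdict:8} {name}")
```

Note that "docs/../report.pdf" is allowed: the check is on where the path ends up, not on whether it contains "..", so legitimate relative names keep working while anything that resolves outside the base is refused.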

Business Logic Security Testing

Business logic can have security flaws that allow a user to do something that isn't allowed by the business. For example, can a user make a purchase for a negative amount of money? Attacks on the business logic of an application are dangerous, difficult to detect and usually specific to the application. This type of vulnerability cannot be detected by a vulnerability scanner and relies upon the skills and creativity of the penetration tester.

There are no scanner tools that can identify vulnerabilities related to business logic, as it is context driven.

Data Validation Security Testing

One security weakness that leads to almost all of the vulnerabilities in web applications, such as XSS and SQL Injection, is erroneous data from an external entity. Data from an external entity can be tampered with by an attacker or unknowingly supplied by a user, and hence it is important for the application to filter and sanitize all input data before it is trusted and processed. Data Validation testing is the task of testing all possible forms of input to understand whether the application scrutinizes all data correctly.

Data Validation testing usually includes –

- Make the victim load the offending URI (Reflected Cross-site Scripting)
- Store malicious code into the web page (Stored Cross-site Scripting)
- Controlling a DOM element (DOM Cross-site Scripting)
- Vulnerabilities like DOM based Cross-site Scripting in flawed Flash applications
- Injection of SQL query via the input data (SQL Injection)
- Manipulating input parameters passed to internal search, add and modify functions (LDAP Injection)
- Inject a particular XML document into the application (XML Injection)
- Inject code into HTML pages (SSI Injection)
- Inject data into the application so that it executes user-controlled XPath queries (XPath Injection)
- Inject arbitrary IMAP/SMTP commands into the mail servers (IMAP / SMTP Injection)
- Inject into the application data that will later be executed by the web server (Code Injection)
- Inject an OS command through an HTTP request (OS Commanding)
- Understand different types of buffer overflow vulnerabilities
- HTTP splitting and HTTP smuggling
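The SQL Injection item in the list above comes down to whether user input is treated as data or as query text. The following is an added example, not from the white paper: it runs the same constructed input through a string-built query and a parameterized one against an in-memory SQLite table, with an allow-list validator applied beforehand as the "filter and sanitize" step. The schema, rows, and input are constructed.

```python
"""Show why input must be treated as data, not query text.

Added example, not from the white paper. Schema, rows and the tainted input
are constructed; the database is an in-memory SQLite instance.
"""
import re
import sqlite3


def make_db():
    """Create a small constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "staff"), ("carol", "staff")])
    return con


def lookup_vulnerable(con, name):
    """Query text built by concatenation: the input becomes part of the SQL,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    """Parameterized query: the driver binds the input as a value, so the
    statement structure is fixed no matter what the input contains."""
    return [row[0] for row in
            con.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Allow-list for user names: lowercase letter, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(name):
    """Allow-list validation performed before the data is trusted at all."""
    return bool(USERNAME_RE.match(name))


# Constructed input: closes the quoted literal and appends an always-true
# condition, the classic textbook case the data-validation checklist targets.
TAINTED = "x' OR '1'='1"


def compare(name):
    """Run one input through validation and both query styles."""
    con = make_db()
    return {
        "valid_input": validate_username(name),
        "vulnerable_rows": lookup_vulnerable(con, name),
        "safe_rows": lookup_safe(con, name),
    }


if __name__ == "__main__":
    for candidate in ("alice", TAINTED):
        print(repr(candidate), "->", compare(candidate))
```

The parameterized version returns nothing for the tainted input because no user is literally named "x' OR '1'='1"; the concatenated version returns every row. Validation alone is not the fix (the allow-list would reject legitimate names in other applications), but combined with parameterization it gives defence in depth.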

The scanner tools that can identify vulnerabilities related to data input from external entities are as follows:

Buffer Overflow
  Open Source / Free Tools: W3AF, Nessus, Sandcat
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Sandcat

Format String
  Open Source / Free Tools: W3AF, Nessus
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Skipfish, Vega

Code Injection
  Open Source / Free Tools: Sandcat, arachni, Uber Web Security Scanner
  Commercial Tools: IBM AppScan, Cenzic Hailstorm, Acunetix, SandcatCS, Skipfish, Netsparker

DOM Based Cross Site Scripting
  Open Source / Free Tools: W3AF, Watobo, arachni
  Commercial Tools: IBM AppScan, Cenzic Hailstorm, Acunetix, NTO Spider

HTTP Splitting / Smuggling
  Open Source / Free Tools: WebGoat, W3AF, Nessus, SandcatCS, arachni, Wapiti, ZAP, PowerFuzzer, Andiparos, Paros Proxy, Web Securify, WebScarab
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Acunetix, NTOSpider, Sandcat Pro, Jsky, Netsparker, Burpsuite, Vega, Grendel Scan, ParosPro

IMAP/SMTP Injection
  Open Source / Free Tools: W3AF, Sandcat CS
  Commercial Tools: IBM AppScan, Acunetix, Sandcat

LDAP Injection
  Open Source / Free Tools: W3AF, SandcatCS, arachni, Wapiti, Power Fuzzer, Uber Web Security Scanner
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Acunetix, Sandcat Pro, Jsky, Burp Suite

OS Commanding
  Open Source / Free Tools: W3AF, Nessus, Sandcat, arachni, Wapiti, PowerFuzzer, Oedipus
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Sandcat, Skipfish, Jsky, Netsparker, Burpsuite, Vega

Reflected Cross Site Scripting
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, Acunetix WVS, WebScarab, N-Stalker, XSSer, Gamja, Secubat
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro

The scanner tools that can identify vulnerabilities related to data input from external entities (continued):

SQL Injection
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, SQLiX, sqlmap, Gamja, Mini Mysqlator, Secubat, WSTool, DSSS, aidSQL, Scrawlr, LoverBoy, SQLID, VulnDetector, openAcunetix, Priamos, XCobra, iScan
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, WebCruiser

SSI Injection
  Open Source / Free Tools: W3AF, Nessus, ZAP, Andiparos, Paros Proxy, Proxy Strike
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, ParosPro

Stored Cross Site Scripting
  Open Source / Free Tools: W3AF, Nessus, Wapiti, PowerFuzzer, XSSploit
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Skipfish, Netsparker, BurpSuite

XML Injection
  Open Source / Free Tools: Nessus, Uber Web Security Scanner
  Commercial Tools: IBM AppScan, Skipfish, BurpSuite, Vega

XPath Injection
  Open Source / Free Tools: W3AF, SandcatCS, Sandcat, arachni, Wapiti, Powerfuzzer, WebCruiser
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Skipfish, Sandcat, Jsky, WebCruiser

Cross Site Scripting
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Vega
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite

Unvalidated Redirects and Forwards
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Skipfish
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional,

Denial of Service Security Testing

One of the most common and simplest forms of attack on a system is the Denial of Service (DoS) attack. This attack does not attempt to intrude into the system or to obtain sensitive information; it simply aims to prevent legitimate users from accessing the system. DoS attacks can target individual machines, the network that connects the machines, or all the machines simultaneously. They rely on the fact that any device has operational limits: any computer system, web server or network can handle a finite load, and simply overloading the system with requests will block it from serving the requests of legitimate users. In this section, the focus is on attacks against availability that can be launched by just one malicious user on a single machine.

Denial of Service (DoS) testing usually includes –

- Forcing the underlying database to carry out CPU intensive queries by using several wildcards
- Locking valid user accounts by repeatedly attempting to log in with a wrong password
- Causing a DoS by overflowing one or more data structures of the target application
- Exhausting server resources by making it allocate a very high number of objects
- Forcing the application to loop through a code segment that needs high computing resources
- Filling the target disks with log data
- Understanding if the application properly releases resources (memory or files) after their usage
- Allocating a big amount of data into a user session object

The scanner tools that can identify DoS-related vulnerabilities are as follows:

Regular Expression Denial of Service
  Open Source / Free Tools: W3AF, Nessus, Wapiti, safe3wvs, WebSecurify
  Commercial Tools: WebInspect

According to Gartner one laptop is stolen every

Web Service Security Testing

Web services are exposed to the network like any other service but can be used over HTTP, FTP, SMTP and MQ among other transport protocols. The Web Services Framework utilizes the HTTP protocol in conjunction with XML, SOAP, REST, WSDL and UDDI technologies. The vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure and leakage, but Web Services also have unique XML / parser related vulnerabilities.

Web service security testing usually includes –

- Understand the Web service entry point and the communication schema
- Invoke an operation that is not used in a standard SOAP Request
- Sending very large or malformed XML messages
- Attack the Web service by passing malicious content on the HTTP GET string
- Attach binary files (executables, malware etc.) to the Web service if it accepts attachments
- Conduct a man-in-the-middle attack

The scanner tools that can identify web-service-related vulnerabilities are as follows:

XML Content Level
  Open Source / Free Tools: WebScarab, Metasploit
  Commercial Tools: -

XML Structural
  Open Source / Free Tools: Webscarab
  Commercial Tools: -

50% of organizations reported laptop or mobile device theft in 2007.
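The "very large or malformed XML messages" item and the XML / parser vulnerabilities mentioned above can be screened before a SOAP body ever reaches the parser. The following is an added example, not code from the white paper: it enforces a size limit, rejects any DOCTYPE so that entity declarations (the vehicle for entity-expansion and external-entity attacks on XML parsers) never reach the parser, and only then parses with the standard library. The messages and the 64 KiB limit are constructed assumptions.

```python
"""Pre-screen inbound SOAP/XML messages before parsing.

Added example, not from the white paper. Messages and the size limit are
constructed; the SOAP envelope namespace is the standard SOAP 1.1 one.
"""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024                       # assumed per-message limit
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed well-formed request.
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetOrder><id>42</id></GetOrder></soap:Body>
</soap:Envelope>"""

# Constructed request carrying a DTD. Any DOCTYPE is refused up front, so the
# parser never has to decide what to do with entity declarations.
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY e "x"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetOrder><id>&e;</id></GetOrder></soap:Body>
</soap:Envelope>"""

# Constructed oversized and malformed (unbound prefix, unclosed Body) inputs.
OVERSIZED = b"<a>" + b"x" * MAX_BYTES + b"</a>"
MALFORMED = b"<soap:Envelope><soap:Body></soap:Envelope>"


def screen_and_parse(raw):
    """Return ("ok", root_tag) or ("rejected", reason).

    Cheap checks run first on the raw bytes so that an attacker cannot make
    the (comparatively expensive) parser do the work of rejecting input.
    """
    if len(raw) > MAX_BYTES:
        return ("rejected", "message exceeds size limit")
    if DOCTYPE_RE.search(raw):
        return ("rejected", "DTD not permitted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return ("rejected", f"malformed XML: {exc}")
    return ("ok", root.tag)


def is_soap_envelope(raw):
    """True only if the message passes screening and its root is a SOAP Envelope."""
    status, detail = screen_and_parse(raw)
    return status == "ok" and detail == f"{{{SOAP_NS}}}Envelope"


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("with_dtd", WITH_DTD),
                       ("oversized", OVERSIZED), ("malformed", MALFORMED)):
        print(f"{label:9} ->", screen_and_parse(msg))
```

Rejecting the DOCTYPE outright is the conservative choice for a SOAP endpoint, which has no legitimate reason to accept one; a service that must accept DTDs needs a hardened parser configuration instead, which is a larger topic than this check.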

AJAX Security Testing

AJAX uses the XMLHttpRequest object and JavaScript to make asynchronous requests to the web server, parse the responses and then update the page DOM and CSS. An AJAX application is more complicated because processing is done on both the client side and the server side. This complexity is avoided by using a framework, but that also results in situations where developers do not fully understand where the code will execute, which can make it difficult to properly assess the risk associated with particular applications or features.

AJAX applications have the same vulnerabilities, such as SQL injection and data validation flaws, that a traditional web application can have. In addition, AJAX applications can be vulnerable to new classes of attack such as Cross Site Request Forgery (XSRF). Testing AJAX applications can be challenging because the different encoding or serialization schemes used by developers when submitting POST data make it difficult for testing tools to reliably create automated test requests. The use of a web proxy tool is extremely helpful for analyzing the traffic.

The scanner tools that can identify AJAX-related vulnerabilities are as follows:

AJAX Vulnerabilities
  Open Source / Free Tools: OWASP Sprajax, safe3wvs, Sandcat, W3AF
  Commercial Tools: Acunetix, Hailstorm, WebInspect, Watchfire, N-Stalker, Grabber, IBM AppScan, Jsky, Netsparker, NTOSpider, ParosPro, Sandcat

75% of IT risks impact customer satisfaction and brand reputation.

Disclaimer: This white paper is issued for information only. Gallop declines all responsibility for any errors and any loss or damage resulting from use of the contents of this White Paper. Gallop also declines responsibility for any infringement of any third party's Intellectual Property Rights but will be pleased to acknowledge any IPR and correct any infringement of which it is advised.

About the White Paper:

At Gallop, innovation is a continuous endeavor to ensure the best services in every engagement. As part of its Security Testing R&D, Gallop consolidates and communicates information that enriches Software Testing as a discipline.

The content incorporates inputs and observations from Security Testing experts and business leaders with cross-vertical experience in addressing some of the most complex and largest software testing challenges. While the white paper details the standard procedures of Security testing, the procedures mentioned here have been simplified to cater to a wider audience for general reference.

For more details write to [email protected]

About Gallop

Gallop is a pure-play independent testing services company, in business since 2003, with 150+ career testers across North America.

In addition to proprietary testing IP (ETAS) for enhanced productivity, Gallop has partnerships and alliances with leading test tool vendors. Gallop has a strong executive management team with proven experience, which has led us to become a trusted QA partner for leading ISVs and enterprises.
