    Practical Security Testing For Web Applications
    It seems like every week the press has yet another story about security breaches or stolen data at some of the world's largest companies or government agencies. Sometimes the responsibility for ensuring thorough security resides with an IT security group, and other times it gets outsourced altogether. The responsibility seldom falls to testing teams. However, this is changing. Having trained and experienced testers hunt for security bugs will make web applications safer from hackers and will further protect consumers, corporate assets, and brands.

    Security testing techniques are not well known to many traditional functional testing teams because there are relatively few opportunities to learn them compared to learning functional testing. And, security testing is more difficult to perform than functional testing for reasons including: vague security requirements for many applications; low-level, technically challenging testing approaches; and security testing tools that are difficult to set up and configure.

    A major consideration for any security testing strategy is that every architectural layer of an application is vulnerable in different ways: some are more easily penetrated and exploited than others. These layers are known as the attack surface and will be different for different web applications because of the varying architecture, frameworks, and languages in use to develop them. Hackers trying to penetrate your web applications must know as much as possible about your application's attack surface. The attackers' methods are numerous and constantly evolving, so testers need to think in similar ways when approaching security testing. Approaching testing in a progressive and creative manner is perhaps one of the greatest challenges for security testers. To keep up with the efforts of hackers, testers must utilize not only traditional and time-tested tools but also the newest tools available.

    This can be a daunting task because of the nature, variety, and number of tools available for security testing. This article covers a few of the basic freeware tools available for web application security testing. These tools can stand alone or serve as a foundation for the adoption of more mature tools within your organization. Building upon this small set of tools over time will ensure the widest possible set of protective mechanisms for your security testing certification process, the rigor that must be executed and passed prior to release.

    Just as with other types of testing, it is important to know that you cannot prove the nonexistence of security defects. Exhaustive security testing is impossible, due to the diverse nature of the attack surface and the number of possible variables that can be manipulated across that surface. However, there are categories of attacks that tend to be more popular due to their effectiveness. Two specific web application vulnerabilities that you should be aware of are SQL injection and cross-site scripting (XSS). An excellent primer to these vulnerabilities can be found at the Open Web Application Security Project (OWASP) [1]. The OWASP testing guide [2] is one of the best resources available on web application security and vulnerability testing. It is several hundred pages long, so do not expect to master every testing mechanism right away.

    Preparing for an effective security testing strategy includes getting familiar with a few core tools, such as the Firefox browser (yes, the same Firefox browser you use to verify the functional behavior of web applications). This browser is perhaps the best all-around beginner's tool that can be used to test the security of a web application. This is largely due to an ecosystem of browser plug-ins specifically built for security testing tasks, including two free Firefox add-ons that every security tester hunting for web-based vulnerabilities must have: SQL Inject Me and XSS Me.

    SQL Inject Me allows you to test for SQL injection vulnerabilities that hackers can use to hijack your data and modify the contents of a database. Some of these vulnerabilities will even allow an attacker to execute administrative operations on the database, which is disastrous. Typically, the web applications that are the most vulnerable to SQL Injection are those written in PHP or ASP, but this vulnerability affects other languages as well. The XSS Me tool will check for XSS vulnerabilities that can allow a hacker to gain elevated privileges within your web application or within other applications connected to your web application. These two tools alone will not allow you to test for every type of SQL injection and XSS vulnerability, but they will allow you to establish foundational testing practices for both categories of vulnerabilities. Once you have mastered the functionality of these tools, you can adopt tools that expand this functionality, such as Metasploit and Nexpose, both of which have freeware versions available.

    Once you have prepared a tool to perform SQL injection testing, you need to determine how best to formulate attack strings that you can feed through the tool. Some tools already have a library of such strings that the tools automatically feed into your application under test. For the tools that do not, you must prepare your own SQL language attacks. This is not a trivial task, as there are many types of SQL injection attacks. The SQL injection attack is a form of a code injection attack, which means that rogue or malicious code is injected into the database layer through the client application. There are many resources on the web for advice on how to test for SQL injection vulnerabilities. (ITSecTeam.com has a very good paper on it [3]).
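    The paragraph above says that when a tool ships no library of SQL attack strings you must prepare your own and feed them through the application. Below is an added example, not from the article or from any tool it names, of what that looks like as a security regression test: a small constructed SQLite user table, a vulnerable lookup that splices the request parameter into the query text, the parameterized lookup that fixes it, and a check that reports which strings leak rows. The table, the lookup functions and the three attack strings are all constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed sample table standing in for an application's user store.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "a-secret"), ("bob", "b-secret")])
    return con

def lookup_concat(con, name):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so quote characters in it change the meaning of the query.
    sql = "SELECT secret FROM users WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]

def lookup_param(con, name):
    # Hardened pattern: the parameter is bound separately from the SQL text,
    # so it can only ever be compared as a value, never parsed as SQL.
    return [row[0] for row in con.execute(
        "SELECT secret FROM users WHERE name = ?", (name,))]

# A minimal constructed library of attack strings. None of them is a real
# user name, so a correct lookup must return no rows for any of them.
ATTACK_STRINGS = ["' OR '1'='1", "x' OR 'a'='a", "alice' --"]

def regression_test(lookup):
    """Return the attack strings for which the lookup leaks rows.

    An empty list means the lookup passed; a syntax error raised by the
    database is treated as "no rows" here (worth logging, but not a leak).
    """
    con = make_db()
    leaks = []
    for s in ATTACK_STRINGS:
        try:
            rows = lookup(con, s)
        except sqlite3.DatabaseError:
            rows = []
        if rows:
            leaks.append(s)
    return leaks

if __name__ == "__main__":
    print("concatenated query leaks on:", regression_test(lookup_concat))
    print("parameterized query leaks on:", regression_test(lookup_param))
```

The same `regression_test` can be pointed at any lookup function with the same signature, which is how a test team accumulates the iterable suite the article recommends.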

    The testing of XSS involves checking whether a malicious script can be injected into the parameter of a web request, such as an HTTP GET request. Initially, this attack is typically performed right in the browser's URL bar, which allows a hacker to determine quickly if your application is susceptible or not. There are actually two types of XSS attacks, reflected and stored. A reflected attack means that the injected code is reflected off of the web server and back to the user, typically via an email link that the user clicks. A stored attack means that the injected code is already sitting in a database or some other repository and the user inadvertently retrieves it when he fetches data from the database. The XSS Me tool will only help you test for reflected attacks. It will not help with stored attacks, so keep that in mind when planning your security testing strategy as you will want to adopt some other tool or penetration testing method to check for stored attacks.
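    To make the reflected case concrete, here is an added example (not from the article or from XSS Me) of the check such a tool automates: a probe string is placed in a GET parameter, decoded the way the server would decode it, rendered into the page, and the test asks whether the probe's markup came back intact. The two render functions, the query parameter name `q` and the probe strings are constructed for this example; `render_unescaped` is the vulnerable form and `render_escaped` the fixed one.

```python
import html
from urllib.parse import urlencode, parse_qs

def render_unescaped(q):
    # Vulnerable pattern: the parameter is written straight into the HTML,
    # so any tags or attributes it contains become part of the page.
    return "<p>Results for: %s</p>" % q

def render_escaped(q):
    # Hardened pattern: HTML-escape before output so <, >, & and quotes are
    # rendered as text rather than parsed as markup.
    return "<p>Results for: %s</p>" % html.escape(q, quote=True)

# Constructed probes: each carries markup that must not survive encoding.
PROBES = ["<script>probe()</script>", '"><i>probe</i>', "<probe onerror=x>"]

def reflected_probe(render, probe):
    """Simulate one GET request and report whether the probe is reflected.

    The probe is URL-encoded into a query string, decoded as a server would,
    rendered, and then searched for verbatim in the resulting page.
    """
    query_string = urlencode({"q": probe})
    q = parse_qs(query_string)["q"][0]
    page = render(q)
    return probe in page

def regression_test(render):
    """Return the probes that the page reflects unchanged (empty = pass)."""
    return [p for p in PROBES if reflected_probe(render, p)]

if __name__ == "__main__":
    print("unescaped page reflects:", regression_test(render_unescaped))
    print("escaped page reflects:", regression_test(render_escaped))
```

This only covers the reflected case the paragraph describes; a stored check would additionally have to write the probe into the repository and fetch it back through a second request.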

    When you are ready to adopt some advanced security testing tools, you should take advantage of another freeware tool called WebScarab. This tool is part of OWASP and has multiple features that will allow you to test for various categories of vulnerabilities. Its non-intuitive user interface is somewhat difficult to use, but it is a popular tool among the web application security testing community. The main benefit is that it allows for the interception and manipulation of HTTP traffic. This class of testing falls under the category of fault injection, which simply means that you are manually injecting carefully crafted faults into a request or a data stream. While WebScarab offers many diverse features for security testing, be aware that it will take some time to get familiar with and understand many of the features.

    Many of these tools have features that need to be studied and understood before trying to utilize them. There is no sense trying to apply an advanced testing mechanism without knowing how to interpret the testing results on your particular application. It is best to start slow and master one or two testing features at a time before moving on.

    Another free OWASP tool is Mantra, an open source, browser-based framework for penetration testing. Mantra offers a large number of plug-ins that can be used for various categories of testing, such as information gathering and application auditing. Both SQL Inject Me and XSS Me plug into the Mantra framework as well. In addition, Mantra offers tools that can interrogate network and proxy information. There are approximately fifty tools available as plug-ins to the Mantra framework. The best part about Mantra is that OWASP provides some very good documentation supporting the proper usage of each tool, which is valuable for beginning and intermediate testers alike.

    Additionally, there are a number of free web application vulnerability scanners, such as Websecurify, Netsparker Community Edition, and w3af. These scanners allow you to identify common vulnerabilities through a scanning mechanism, interpret the results, and perform some deeper tests to further explore the vulnerabilities discovered. There are varying features across these tools and, again, it will take the beginner a while to come up to speed. Do the proper due diligence around each category of vulnerability that each tool helps identify so that you understand the severity and the risks.

    Thorough security testing is a complicated and technical undertaking, but with some incremental first steps, testers can begin to master some critically important techniques and tools that increase the security of web applications and make it more difficult for hackers to gain access. Over time, your organization can develop a secure testing methodology that is complemented by a set of tools that act as a line of defense for your applications prior to release to production. As with many other aspects of testing, security testing is most effective when done by different individuals who specialize in certain types of testing methods. This allows for the development of a diverse set of tests from a diverse set of testers. The main objective for those taking on a security testing role is to develop a set of comprehensive security regression tests that can be iterated on and expanded over time to further protect your users and corporate brand from the risks of insecure software.

    Security testing is a comprehensive discipline that requires a great deal of study and experimentation to master and, as noted above, there are literally hundreds of tools available to help. While you can achieve a foundational level of effectiveness by using the tools presented here, you will need to supplement them with a more comprehensive strategy. This could include outsourcing some security testing tasks to an expert testing organization or through your internal corporate IT security group. Learning a new testing discipline is a journey. Once you become familiar with some of the foundational techniques of security testing and the right tools, your testing organization will be well on its way to providing another safety net protecting your organization's consumers and corporate assets.
