[Owasp-testing] Brainstorming about the new Index

Stephen de Vries stephen at corsaire.com
Tue Oct 10 11:36:29 EDT 2006


Some of the tools, particularly the functional testing tools, could
be of a lot of use to penetration testers too.
For example, the WATIR tool (http://wtr.rubyforge.org/) provides a
Ruby interface to IE, so you can control an instance of IE from a
script.
Here's an example of a simple test using WATIR that performs 2 SQL
injection tests in a login form:

require 'test/unit'        # Test::Unit::TestCase and assert
require 'unittests/setup'  # test setup; $ie (the IE instance driven below) is expected to come from here
require 'watir'

$APP_HOME = 'http://localhost:8080/ispatula'
$USERNAME = 'corsaire1'
$PASSWORD = 'corsaire1'
# Matches the real username only if the input is concatenated into the SQL statement
$SQL_CONCAT_USERNAME = 'corsaire\'+\'1'

class SQL_Injection_Test < Test::Unit::TestCase
    include Watir

    # A valid username with an always-true condition appended must not sign on
    def test_SQL_Blind_Injection
        $ie.goto($APP_HOME)
        $ie.link(:url, /signonForm.do/).click
        $ie.text_field(:name, 'username').set($USERNAME + '\' OR 1=1--')
        $ie.form(:action, "/ispatula/shop/signon.do").submit
        assert($ie.contains_text('Signon failed'))
    end

    # The username split by a SQL string concatenation must not sign on,
    # even with the correct password
    def test_SQL_Injection_String_Concat
        $ie.goto($APP_HOME)
        $ie.link(:url, /signonForm.do/).click
        $ie.text_field(:name, 'username').set($SQL_CONCAT_USERNAME)
        $ie.text_field(:name, 'password').set($PASSWORD)
        $ie.form(:action, "/ispatula/shop/signon.do").submit
        assert($ie.contains_text('Signon failed'))
    end
end

HtmlUnit, HttpUnit, jWebUnit and others provide similar functionality
by using their own HTTP client rather than IE.
I think these could be very powerful tools in a security tester's hands,
and since they're quite intuitive to use you don't really need a
strong programming background.

regards,
Stephen


On 10 Oct 2006, at 22:17, Mark Roxberry wrote:

> Steve -
>
> Great - I'll take a look at your presentation later today.  Your points are
> correct.  I've trained several teams of devs and fought battles with project
> managers to get security design and testing (unit and functional) and so far
> have had no major security breaches with those teams (yet).  I don't think
> this stuff though has made it to the general development population at large.
> They know to validate input - but not exactly why or what damage incorrectly
> validated input causes.
>
> Regards,
>
> Mark
>
> -----Original Message-----
> From: Stephen de Vries [mailto:stephen at corsaire.com]
> Sent: Tuesday, October 10, 2006 10:42 AM
> To: mark.roxberry at mpi.us.com
> Cc: owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] Brainstorming about the new Index
>
>
> Hi Mark,
>
> I wrote a paper and a presentation on this very topic for the past OWASP EU
> conference:
> http://www.owasp.org/index.php/Image:AutomatedSecurityTestingofWebApplications-StephendeVries.pdf
>
> Some of the main points:
> - Security testing is not that different from other software testing
> - Security testing can easily be integrated into unit testing, integration
> testing and functional testing phases
> - There is a wealth of tools available for unit testing that can be used
> for security testing, such as the unit testing frameworks, Apache Cactus,
> HtmlUnit, HttpUnit, WATIR (for Ruby), and more.
>
> I'd be glad to rework some of the material to fit into the guide, if you
> decide it's appropriate.
>
> regards,
> Stephen
>
>
> On 10 Oct 2006, at 21:18, Mark Roxberry wrote:
>
>> Hi everyone,
>>
>> I am new to the testing list, so please forgive my presumptuousness,
>> but I think 3.4 Phase 3 absolutely needs to be here.  Moreover, I
>> believe UNIT TESTING needs to be added to 3.4 Phase 3.  In my opinion,
>> it would be a mistake to *not* include a section for testing during
>> development.  There are several tools for this, JUNIT, NUNIT, FxCOP
>> that can be used to check for function bounds and any security rules.
>>
>> Regards,
>>
>> Mark
>>
>> Mark Roxberry, CISSP, CEH
>>
>>
>>
>> From: "Carlo Pelliccioni" <carlo.pelliccioni at gmail.com>
>> Sent: Tuesday, October 10, 2006 6:57 AM
>> To: owasp-testing at lists.owasp.org
>> Subject: Re: [Owasp-testing] Brainstorming about the new Index
>>
>> I'm sorry, I meant "3.4 Phase 3" (During development) and not Phase 4.
>>
>> Bye
>> Carlo
>>
>> On 10/10/06, Eoin <eoinkeary at gmail.com> wrote:
>> Hi, If you feel that we
>> could "Push" any of the sections into the code review guide or the
>> Development guide please suggest.
>>
>>
>> On 10/10/06, Carlo Pelliccioni <carlo.pelliccioni at gmail.com> wrote:
>> Hi,
>>
>> I think that the new index is good but the Phase 4 (During
>> development) is useless in this testing guide (I think).
>> How do you feel about this?
>>
>> Bye bye
>> Carlo
>>
>>
>>
>> On 10/10/06, Eoin <eoinkeary at gmail.com> wrote:
>> Hi,
>>
>> Sounds very promising but take into account that the Autumn of Code
>> project is of a finite time.
>>
>> It is important to consider:
>>
>> In order to re-write all the chapters AND add the required new content
>> shall take some time. The completion date is the 31st December 2006
>> which gives us about 11 weeks, not much time from my experience of
>> developing the existing Testing guide.
>>
>> It would be better not to take too much on and miss the completion
>> date. The guide shall be ever evolving and the aim of this AoC project
>> is to consolidate the existing guide and NOT to perform a complete
>> rewrite.
>>
>> So my concern is the amount of time we have to complete this project
>> Vs the ever expanding scope of work.
>>
>> regards,
>>
>> Eoin,
>> OWASP Testing Guide Lead and coordinator.
>>
>>
>>
>>
>>
>> On 10/10/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
>>> Hi all,
>>> What do you think about the new Index?
>>> http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
>>>
>>> 1) Look at the doc "OWASPTesting_PhaseOne"
>>> (http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=62285)
>>> IMHO I think we have to insert the Chapter 2 "Principle of testing",
>>> Chapter 3 "Testing techniques explained" and "The OWASP Testing
>>> Framework" as first chapter of this guide.
>>>
>>> 2) I'd like to rename Chapter 4 from "Manual testing techniques" to
>>> "Web Application Penetration Testing".
>>>
>>> 3) In accordance with Alberto Revelli, we think to create a new
>>> template for Chapter 4:
>>> 1 Short Description of the Issue
>>> 2 How to Test
>>>     2.1 Black Box testing and example
>>>     2.2 White Box testing and example
>>> 3 References
>>>     Whitepapers
>>>     Tools
>>> What do you think about that? Moreover, maybe we have to rename White Box
>>> to Gray Box, so the difference is clear between penetration testing
>>> (Black and Gray Box) and Code Review (White Box), which is a different
>>> OWASP Project.
>>>
>>> What is your feedback?
>>> Thanks,
>>> Mat
>>>
>>>
>>>
>>>
>>> --
>>> Matteo Meucci
>>> OWASP-Italy Chair, CISSP, CISA
>>> site: http://www.owasp.org/index.php/Italy
>>> mail: matteo.meucci at owasp.org
>>> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> http://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>
>>
>> --
>> Eoin Keary OWASP - Ireland
>> http://www.owasp.org/local/ireland.html
>>
>> OWASP Testing Project Lead
>> http://www.owasp.org/index.php/OWASP_Testing_Project
>>
>> OWASP Code Review Project Lead
>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>>
>> OWASP Live CD Lead
>>
>
> --
> Stephen de Vries
> Corsaire Ltd
> E-mail: stephen at corsaire.com
> Tel:	+44 1483 226014
> Fax: 	+44 1483 226068
> Web: 	http://www.corsaire.com

-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com
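
Added example, not part of the original message: the same two sign-on checks, plus a valid-login control, sent with Ruby's own HTTP client rather than through IE, in the style the message attributes to HtmlUnit and HttpUnit. The stub server, its single account and the "Welcome" text are constructed stand-ins so the script runs offline; the form path and field names are taken from the WATIR test above.

```ruby
require 'net/http'
require 'socket'
require 'uri'

# Constructed stand-in for the application under test (not ispatula itself):
# one account, credentials compared as plain data, never parsed as SQL.
ACCOUNTS = { 'corsaire1' => 'corsaire1' }.freeze

def start_stub_app
  server = TCPServer.new('127.0.0.1', 0) # port 0: let the OS pick a free port
  Thread.new do
    loop do
      client = server.accept
      headers = client.gets("\r\n\r\n")
      body = client.read(headers[/^content-length:\s*(\d+)/i, 1].to_i)
      form = URI.decode_www_form(body).to_h
      user = form['username']
      ok = ACCOUNTS.key?(user) && ACCOUNTS[user] == form['password']
      page = ok ? 'Welcome' : 'Signon failed'
      client.write("HTTP/1.1 200 OK\r\nContent-Length: #{page.bytesize}\r\n" \
                   "Connection: close\r\n\r\n#{page}")
      client.close
    end
  end
  "http://127.0.0.1:#{server.addr[1]}/ispatula/shop/signon.do"
end

# POST the sign-on form directly and return the page text the assertions inspect.
def signon_page(url, username, password = '')
  uri = URI(url)
  form = URI.encode_www_form('username' => username, 'password' => password)
  http = Net::HTTP.new(uri.host, uri.port, nil) # nil: bypass any proxy from ENV
  http.post(uri.path, form, 'Content-Type' => 'application/x-www-form-urlencoded').body
end

# The valid login is a positive control: without it, "Signon failed" on the
# two injection inputs could just mean the form or URL is wrong.
def injection_results(url)
  {
    valid_login: signon_page(url, 'corsaire1', 'corsaire1'),
    or_true: signon_page(url, "corsaire1' OR 1=1--"),
    string_concat: signon_page(url, "corsaire'+'1", 'corsaire1')
  }
end

injection_results(start_stub_app).each { |name, page| puts "#{name}: #{page}" } if __FILE__ == $PROGRAM_NAME
```

Pointing `injection_results` at a real sign-on URL turns this into a regression check that can run in a build without a browser.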






