[Owasp-testing] Brainstorming about the new Index

Mark Roxberry mark.roxberry at mpi.us.com
Tue Oct 10 12:14:00 EDT 2006


Both Compuware TestPartner and VS.NET 2005 have a "recording" tool to
actually record the tests to C# code and can target many different browsers
(I'm sure there are others out there).  I've used the output of these as a
final run in a continuous integration environment that automatically builds
and tests nightly.

 

-----Original Message-----
From: Stephen de Vries [mailto:stephen at corsaire.com] 
Sent: Tuesday, October 10, 2006 11:36 AM
To: Mark Roxberry
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Brainstorming about the new Index


Some of the tools, particularly the functional testing tools, could be of a
lot of use to penetration testers too.
For example, the WATIR tool (http://wtr.rubyforge.org/) provides a ruby
interface to IE, so you can control an instance of IE from a script.
Here's an example of a simple test using WATIR that performs 2 SQL injection
tests in a login form:

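# Assumption: WATIR's unit-test setup script creates the global $ie browser
# instance that the tests below drive.
require 'unittests/setup'
require 'test/unit'
require 'watir'

$APP_HOME = 'http://localhost:8080/ispatula'
$USERNAME = 'corsaire1'
$PASSWORD = 'corsaire1'
# Evaluates to 'corsaire1' only if the input is spliced into a SQL string
$SQL_CONCAT_USERNAME = 'corsaire\'+\'1'

class SQL_Injection_Test < Test::Unit::TestCase
     include Watir

     # Valid username followed by a tautology and a comment marker, no
     # password. The test passes only if the application refuses the login.
     def test_SQL_Blind_Injection()
         $ie.goto($APP_HOME)
         $ie.link(:url, /signonForm.do/).click
         $ie.text_field(:name, 'username').set($USERNAME+'\' OR 1=1--')
         $ie.form(:action, "/ispatula/shop/signon.do").submit
         assert($ie.contains_text('Signon failed'))
     end

     # Username written as a SQL string concatenation, with the valid
     # password. The test passes only if the application refuses the login.
     def test_SQL_Injection_String_Concat()
         $ie.goto($APP_HOME)
         $ie.link(:url, /signonForm.do/).click
         $ie.text_field(:name, 'username').set($SQL_CONCAT_USERNAME)
         $ie.text_field(:name, 'password').set($PASSWORD)
         $ie.form(:action, "/ispatula/shop/signon.do").submit
         assert($ie.contains_text('Signon failed'))
     end
end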

HtmlUnit, Httpunit, jWebUnit and others provide similar functionality by
using their own HTTP client rather than IE.
I think these could be very powerful tools in a security tester's hands, and
since they're quite intuitive to use you don't really need a strong
programming background.

regards,
Stephen


On 10 Oct 2006, at 22:17, Mark Roxberry wrote:

> Steve -
>
> Great - I'll take a look at your presentation later today.  Your 
> points are correct.  I've trained several teams of devs and fought 
> battles with project managers to get security design and testing (unit 
> and functional) and so far have had no major security breaches with 
> those teams (yet).  I don't think this stuff though has made it to the 
> general development population at large.
> They know to validate input - but not exactly why or what damage 
> incorrectly validated input causes.
>
> Regards,
>
> Mark
>
> -----Original Message-----
> From: Stephen de Vries [mailto:stephen at corsaire.com]
> Sent: Tuesday, October 10, 2006 10:42 AM
> To: mark.roxberry at mpi.us.com
> Cc: owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] Brainstorming about the new Index
>
>
> Hi Mark,
>
> I wrote a paper and a presentation on this very topic for the past 
> OWASP EU conference:
> http://www.owasp.org/index.php/Image:AutomatedSecurityTestingofWebApplications-StephendeVries.pdf
>
> Some of the main points:
> - Security testing is not that different from other software testing
> - Security testing can easily be integrated into unit testing, 
> integration testing and functional testing phases
> - There are a wealth of tools available for unit testing that can be 
> used for security testing, such as the unit testing frameworks, apache 
> cactus, htmlunit, httpunit, WATIR (for ruby), and more.
>
> I'd be glad to rework some of the material to fit into the guide, if 
> you decide it's appropriate.
>
> regards,
> Stephen
>
>
> On 10 Oct 2006, at 21:18, Mark Roxberry wrote:
>
>> Hi everyone,
>>
>> I am new to the testing list, so please forgive my presumptuousness, 
>> but I think 3.4 Phase 3 absolutely needs to be here.  Moreover,  I 
>> believe UNIT TESTING needs to be added to 3.4 Phase 3.  In my 
>> opinion, it would be a mistake to *not* include a section for testing 
>> during development.  There are several tools for this, JUNIT, NUNIT, 
>> FxCOP that can be used to check for function bounds and any security 
>> rules.
>>
>> Regards,
>>
>> Mark
>>
>> Mark Roxberry, CISSP, CEH
>>
>>
>>
>> From: "Carlo Pelliccioni" <carlo.pelliccioni at gmail.com>
>> Sent: Tuesday, October 10, 2006 6:57 AM
>> To: owasp-testing at lists.owasp.org
>> Subject: Re: [Owasp-testing] Brainstorming about the new Index
>>
>> I'm sorry, I meant "3.4 Phase 3" (During development) and not Phase 4.
>>
>> Bye
>> Carlo
>>
>> On 10/10/06, Eoin <eoinkeary at gmail.com> wrote:
>> Hi, If you feel that we could "Push" any of the sections into the code
>> review guide or the Development guide please suggest.
>>
>>
>> On 10/10/06, Carlo Pelliccioni <carlo.pelliccioni at gmail.com> wrote:
>> Hi,
>>
>> I think that the new index is good but the Phase 4 (During
>> development) is useless in this testing guide (I think).
>> How do you feel about this?
>>
>> Bye bye
>> Carlo
>>
>>
>>
>> On 10/10/06, Eoin <eoinkeary at gmail.com> wrote:
>> Hi,
>>
>> Sounds very promising but take into account that the Autumn of Code 
>> project is of a finite time.
>>
>> It is important to consider:
>>
>> In order to re-write all the chapters AND add the required new 
>> content shall take some time. The completion date is the 31st 
>> December 2006 which gives us about 11 weeks, not much time from my 
>> experience of developing the existing Testing guide.
>>
>> It would be better not to take too much on and miss the completion 
>> date. The guide shall be ever evolving and the aim of this AoC 
>> project is to consolidate the existing guide and NOT to perform a 
>> complete rewrite.
>>
>> So my concern is the amount of time we have to complete this project 
>> Vs the ever expanding scope of work.
>>
>> regards,
>>
>> Eoin,
>> OWASP Testing Guide Lead and coordinator.
>>
>>
>>
>>
>>
>> On 10/10/06, Matteo Meucci < matteo.meucci at gmail.com> wrote:
>>> Hi all,
>>> What do you think about the new Index?
>>> http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
>>>
>>> 1) Look at the doc "OWASPTesting_PhaseOne"
>>> (http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=62285)
>>> IMHO I think we have to insert the Chapter 2 "Principle of testing", 
>>> Chapter 3 "Testing techniques explained" and "The OWASP Testing 
>>> Framework" as first chapter of this guide.
>>>
>>> 2) I'd like to rename Chapter 4 from "Manual testing techniques" to 
>>> "Web Application Penetration Testing".
>>>
>>> 3) In accordance with Alberto Revelli, we think to create a new 
>>> template for Chapter 4:
>>> 1 Short Description of the Issue
>>> 2 How to Test
>>>     2.1 Black Box testing and example
>>>     2.2 White Box testing and example
>>> 3 References
>>>     Whitepapers
>>>     Tools
>>> What do you think about that? More, maybe we have to rename White Box
>>> to Gray Box, so it is clear the difference between penetration testing
>>> (Black and Gray Box) and Code Review (White Box) that is a different 
>>> OWASP Project.
>>>
>>> What is your feedback?
>>> Thanks,
>>> Mat
>>>
>>>
>>>
>>>
>>> --
>>> Matteo Meucci
>>> OWASP-Italy Chair, CISSP, CISA
>>> site: http://www.owasp.org/index.php/Italy
>>> mail: matteo.meucci at owasp.org
>>> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> http://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>
>>
>> --
>> Eoin Keary OWASP - Ireland
>> http://www.owasp.org/local/ireland.html
>>
>> OWASP Testing Project Lead
>> http://www.owasp.org/index.php/OWASP_Testing_Project
>>
>> OWASP Code Review Project Lead
>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>>
>> OWASP Live CD Lead
>>
>
> --
> Stephen de Vries
> Corsaire Ltd
> E-mail: stephen at corsaire.com
> Tel:	+44 1483 226014
> Fax: 	+44 1483 226068
> Web: 	http://www.corsaire.com

--
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com
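
The two login checks from the WATIR script above, driven through a plain HTTP client instead of a browser, which is the approach the message attributes to HtmlUnit and HttpUnit. This is an added example, not part of the original post: the stub server, the account table and the function names are constructed for illustration, and a valid-login control is added so that the 'Signon failed' checks cannot pass simply because every login fails.

```ruby
require 'socket'
require 'net/http'
require 'uri'

# Constructed account store for the stub; not the real application's data.
USERS = { 'corsaire1' => 'corsaire1' }.freeze

# Constructed stand-in for the signon action. Credentials are compared as
# plain data (hash lookup), so injection strings are just unknown usernames.
def start_stub_app
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      headers = +''
      while (line = client.gets) && line != "\r\n"
        headers << line
      end
      length = headers[/^Content-Length:\s*(\d+)/i, 1].to_i
      form = URI.decode_www_form(client.read(length)).to_h
      ok = USERS.key?(form['username']) && USERS[form['username']] == form['password']
      body = ok ? 'Welcome' : 'Signon failed'
      client.write("HTTP/1.1 200 OK\r\nContent-Length: #{body.bytesize}\r\n" \
                   "Connection: close\r\n\r\n#{body}")
      client.close
    end
  end
  server.addr[1] # port picked by the OS
end

# POST the login form and report whether the application refused the sign-on.
def signon_failed?(port, username, password)
  uri = URI("http://127.0.0.1:#{port}/ispatula/shop/signon.do")
  res = Net::HTTP.post_form(uri, 'username' => username, 'password' => password)
  res.body.include?('Signon failed')
end

# The two inputs from the WATIR tests, plus a control with valid credentials.
def run_checks(port)
  {
    tautology: signon_failed?(port, "corsaire1' OR 1=1--", ''),
    concat: signon_failed?(port, "corsaire'+'1", 'corsaire1'),
    control_login_ok: !signon_failed?(port, 'corsaire1', 'corsaire1')
  }
end

RESULTS = run_checks(start_stub_app)
puts RESULTS
```

Pointed at a real build in a nightly run, only `signon_failed?` and `run_checks` are needed; the stub exists so the example runs offline.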
