
Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools


DESCRIPTION

Slides from David's presentation at Devoxx on 14/11/2013.


Page 1: Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools

Web Application Security

Security Test Automation in Software Development using Open Source Tools

Page 2

About Smals vzw-asbl

One of Belgium's largest ICT organisations: 1750 people

"ICT for Society"

Work: e.g. Dimona-DmfA, salary and labour prestations

Health: e.g. the eHealth platform, secure exchange of medical data in Belgium

Family life: e.g. VESTA, home care for the elderly (financial / operational support)

In-house ICT service, working exclusively for the government; high priority for ICT security and privacy

Page 3

Introduction

Security Test Automation in Software Development using Open Source Tools: can we do it? What do we need?

• Source code

• Working parts of the application

• Selenium tests for the functional part

Page 4

Application Security Disclaimer

Hacking is illegal and is punishable under the Belgian computer crime legislation (the Law of 28 November 2000 on computer crime). The methods shown here are therefore illegal if used without the consent of the system owner.

Page 5

Hacking is illegal under Belgian law

Article 550bis § 1

A person who, knowing that he is not entitled to do so, gains access to a computer system or maintains himself in it, shall be punished with imprisonment of three months to one year and a fine of twenty-six to twenty-five thousand euro, or with one of these penalties. If the offence referred to in the first paragraph is committed with fraudulent intent, the maximum imprisonment is raised from six months to two years.

Page 6

Security myths: Firewalls ...

• Firewalls are always configured to allow web traffic -> HTTP(S)

• Attacker appears to the web application as a normal user

Page 7

Security myths: SSL secures the application ...

• Server-side SSL only guarantees confidentiality at the transport level

• Attacker also uses the SSL tunnel

Page 8

Security myths: The application framework solves that ...

• Frameworks don't solve security issues

• Some frameworks facilitate security, but not by default

• Some frameworks do, by default
  - Workarounds exist that reintroduce the security problems

Page 9

OWASP Top Ten (2013 Edition)

A1: Injection

A2: Broken Authentication and Session Management

A3: Cross-Site Scripting (XSS)

A4: Insecure Direct Object References

A5: Security Misconfiguration

A6: Sensitive Data Exposure

A7: Missing Function Level Access Control

A8: Cross Site Request Forgery (CSRF)

A9: Using Known Vulnerable Components

A10: Unvalidated Redirects and Forwards

Page 10

SQL Injection

User: John, password: secret

SELECT user FROM users WHERE user='John' AND password='secret';

Result: John

Welkom, John

User: xxxx, password: ' or 1=1;--

SELECT user FROM users WHERE user='xxx' AND password='' or 1=1;--';

Result: Aaron

Welkom, Aaron
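As an added worked example (not code from the slides or the demo application), the two logins above run against an in-memory SQLite table: first with the query built by string concatenation as on the slide, then with bind parameters. The table rows are constructed here; Aaron is deliberately the first row so the injected query returns him, as in the slide.

```python
import sqlite3

# Constructed sample data: Aaron is the first row, which is why the
# injected query (matching every row) returns him, as on the slide.
USERS = [("Aaron", "hunter2"), ("John", "secret")]


def setup_db():
    """Create an in-memory users table with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, user, password):
    """Query built by string concatenation, as on the slide.
    The input ' or 1=1;-- closes the password literal, appends OR 1=1
    and comments out the rest, so the WHERE clause matches every row."""
    sql = ("SELECT user FROM users WHERE user='" + user
           + "' AND password='" + password + "';")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, user, password):
    """Same query with bind parameters: the values never become part of
    the SQL text, so the quote and comment characters are matched literally
    and the injected string simply fails to match any password."""
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    row = db.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    for user, password in [("John", "secret"), ("xxx", "' or 1=1;--")]:
        print(f"{user!r} / {password!r}: concatenated -> "
              f"{login_vulnerable(db, user, password)}, "
              f"parameterized -> {login_parameterized(db, user, password)}")
```

The concatenated version is exactly the pattern FindBugs reports as SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE on the later slides; the parameterized version is what the rule pushes you towards.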

Page 11

Stored XSS

Diagram: an attacker posts a message ("Coming home at 5 o'clock") that also contains <script>Steal password</script>; the application stores it and serves it to every later visitor, whose browser runs the script and leaks their passwords.

Page 12

Reflected XSS

Diagram: a victim is sent the link http://site.com/index?<script>steal password</script>; the application echoes the parameter unencoded in its error page, "Error: reason (<script>steal password</script>) unknown", so the script runs in the victim's browser and leaks passwords.

Page 13

Sensitive Data Exposure: Clear text transmission

• Confidential information is just sent back to the user
  - Improper web application implementation
  - Secure and non-secure sections
  - Improper analysis of the information
  - Improper configuration
  - Unsecured SESSION cookies

Page 14

Sensitive Data Exposure: Error messages

• Error messages for developers carry a lot of information to find the problem causing the error
  - Stack traces in Java
  - SQL error messages from the database
  - PHP error messages
  - ...

• Those error messages give the same information to an attacker when they are displayed to him/her
  - Information on the data flow in the web application
  - Database layout
  - Operating system information
  - Network information
  - Application frameworks used

Page 15

Cross Site Request Forgery

Diagram: while the victim is logged in to her bank, a page she visits makes her browser request http://bank.com/transaction?amount=10000&acc=001.1234567.27; the browser attaches her session cookie, so the bank answers "Transaction successful".

Page 16

Secure SDLC

Diagram: the development artefacts (requirements and use cases, design, test plans, code, test results, field feedback) with the security activities applied to them:

• Security requirements

• Risk analysis

• Risk-based security tests

• Static analysis (tools)

• Penetration testing

• Design review

• Code review

Annotations: which risks do we take? What needs to be tested? Code review tools; iterative approach; pen testing tools.

Page 17

Findbugs

• Static source code analyzer

• Works on Java byte code: the source must compile!

• Searches for bug patterns: finds bugs, but also raises false warnings

• Eclipse plugin

• By default almost all patterns are enabled

Page 18

Findbugs

For security patterns:

• DMI_CONSTANT_DB_PASSWORD: Hardcoded constant database password

• DMI_EMPTY_DB_PASSWORD: Empty database password

• EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object

• EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object

• EI_EXPOSE_STATIC_REP2: May expose internal static state by storing a mutable object into a static field

• MS_EXPOSE_REP: Public static method may expose internal representation by returning array

Page 19

Findbugs

• SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: Nonconstant string passed to execute method on an SQL statement

• SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: A prepared statement is generated from a nonconstant String

• XSS_REQUEST_PARAMETER_TO_SEND_ERROR: JSP reflected cross site scripting vulnerability

• XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: Servlet reflected cross site scripting vulnerability in error page

• RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: Nullcheck of value previously dereferenced

• NP_NULL_ON_SOME_PATH: Possible null pointer dereference

• NP_NULL_ON_SOME_PATH_EXCEPTION: Possible null pointer dereference in method on exception path

Page 20

Demo Findbugs

Eclipse

Page 21

PMD

• Static source code analyzer

• Runs against the Java source code

• Also searches for bug patterns

• There are no real security patterns included

• Gotham Digital Science has a security rule set

Page 22

PMD

For security patterns:

• ArrayIsStoredDirectly

• AvoidCatchingThrowable

• AvoidPrintStackTrace

• AvoidThrowingNullPointerException

• DoNotCallSystemExit

• ExceptionAsFlowControl

• MethodReturnsInternalArray

• MisplacedNullCheck

Page 23

Demo PMD

Eclipse

Page 24

Zed Attack Proxy

• Intercepting proxy

• Traditional and AJAX spiders

• Automated scanner

• Forced browsing

• Fuzzer

• Dynamic SSL certificates

• Smartcard and client digital certificate support

Page 25

Zed Attack Proxy

• Web sockets support

• Support for a wide range of scripting languages

• Plug-n-Hack support

• Authentication and session support

• Powerful REST-based API

• Automatic updating option

• Integrated and growing marketplace of add-ons

Page 26

Demo Zaproxy

Eclipse

Page 27

Demo: Automatic Build Process

Maven, Findbugs, PMD, Zaproxy

Page 28

TODOs

• Maven: Zed Attack Proxy and site phase integration

• SONAR integration of Zed Attack Proxy

• How about Agile development?

• Can we integrate this process in TDD and BDD?

Page 29

Links

• FindBugs™ - Find Bugs in Java Programs

• PMD – Don't shoot the Messenger

• OWASP Zed Attack Proxy Project - OWASP

• ZAP Maven Plugin

• Automated Security Testing of web applications using OWASP Zed Attack Proxy

• Belgium - OWASP

• Gotham Digital Science

Page 30

Resources …

• Books: Software Security; Microsoft Secure Development Lifecycle; Enterprise Security Architecture

Page 31

Reflection

• Open source: a good start

• Commercial tools: more integrated in their environment, perform better, but come with a price

• Manual review by experts: best results, but expensive, not continuous, and very late in the process

Page 32

Questions