Security testing overview / security audit tools

Security testing makes up a relatively small share of testing work; it is mostly done in specialised companies or in apps that handle money,

Introduction to Web Security Testing

Concept of a Web application
◆ A Web application is composed of dynamic scripts, compiled code, etc.
◆ It is usually deployed on a Web server, and users send requests from a Web browser. These requests use the HTTP protocol, and the Web application communicates with the database and other dynamic content in the enterprise's back end.

Three-tier web application architecture
Security testing generally focuses on the middle layer; the transmission from the Web layer to the application layer is where security issues are most likely to occur.

Daily network behaviors are always relevant to security
◆ Why are we often asked to enter a verification code when we log in?
To prevent brute-forcing of usernames and passwords by scripts. After all, a script cannot know the verification code in advance.

◆ Why does a session expire when there has been no activity on a website for a long time?
It is a post-login safeguard. The concern is that the user's computer could be taken over by an attacker, so once the user has been inactive for a certain period the session is ended and the user has to log in again.

◆ Why are payment interfaces such as Alipay all HTTPS?
Because HTTPS encrypts data in transit. But the system behind it can still be insecure, and it still needs its own security testing.

Security model

Because of congestion, passengers may be pushed onto the subway tracks, crowded out by others, or caught in a stampede. Measures the metro can take: open more stations, split one line into two, apply rate limiting (restricting the number of stops and the like), and run a test to see whether too many people are riding line X.
Think about:
Talking about vulnerability classification from WASC and OWASP

WASC
◆ Web Application Security Consortium
◆ An international group (a non-profit organisation) made up of security experts, industry consultants and representatives of many organisations. It is responsible for setting widely accepted application security standards for the WWW. (These security standards have already been established for today's Internet.)

◆ WASC divides Web application security threats into six categories:
◆ Authentication: attacks that target the methods used to confirm the identity of a user, service or application

(for login authentication this covers three core functions: register, log in and forgot password)
Vulnerabilities such as SMS interception and verification code interception must be avoided here

◆ Authorization: attacks that target the methods used to determine whether a user, service or application has the permission needed to perform the requested action
(this mainly corresponds to the session and cookie, so pay attention to whether the session is encrypted and whether it can easily be intercepted and cracked in transit)

◆ Client-Side Attacks: attacks used to disrupt or probe the users of a Web site
(for example, a Taobao seller lists the Heart of the Ocean at a very high price; the buyer then uses a client-side attack to bypass the check, modifies the amount and pays successfully. This is called a client-side attack.)

◆ Command Execution: attacks that execute remote commands on the Web site
(if the site leaves behind vulnerabilities that others can find, they can execute commands on it remotely; such holes are also easy for others to exploit)

◆ Information Disclosure: attacks used to obtain specific system information about the Web site
(for example, when error messages are too detailed and even reveal the database user name)

◆ Logical Attacks: attacks used to disrupt or probe a Web application's logic flow
(not strictly security attacks; these vulnerabilities are closely tied to the business, yet some of them are not visible from the business side and can only be analysed from a security perspective)

OWASP is actually a project
◆ Open Web Application Security Project
◆ Dedicated to discovering and solving the root causes of insecure Web applications.

Its biggest contribution: discovering and updating the top ten Web security vulnerabilities every year

Web security testing process

Break the page down into its parts, test each part, then summarise

The project plans to perform functional testing first, then automation, then security testing, and finally performance testing.
Reason:
Security testing involves many code changes, which in turn would affect the results of performance testing.

Security testing is also divided into manual and automated testing

Security audit tool

It is not recommended to rely too heavily on security audit tools. The reasons:
1. Such tools find many vulnerabilities, but you do not know what these vulnerabilities mean and cannot reproduce them, so the audit report only gives you results and you still need your own skills to investigate and fix them.
2. It is not a genuine security testing method: you cannot really learn security testing from it, and it does not improve your abilities.

Automated audit tools (when time is tight)
As security testing develops and deepens, more and more companies have begun to adopt it. Because of factors such as tester skill and available time, more of them use security audit tools such as AppScan and WebInspect.

This saves time, but it also brings many problems (false positives and false negatives; for example, issues in the verification mechanism or in session management may be missed, so you need to make up for them manually).

AppScan collaboration in the project team

◆ Developers
Developers can use AppScan or dedicated plug-ins during development to develop and test at any time, maximising the security of the programs they write. The sooner a problem is found, the lower the cost of fixing it; this provides the most solid basic guarantee of Web application security.
◆ Testers
During system testing, testers use AppScan to test the application comprehensively. Once problems are found, defects can be raised quickly; through CQ integration the defects are tracked electronically and handed to developers, guiding them to fix the problems quickly. (The tester's job is to look at which security vulnerabilities exist and then hand them to the developers.)
◆ Auditors
This is the security quality gate before the system goes live. Any system going live should pass strict pre-release testing, which minimises problems after launch and avoids huge losses to the enterprise once the production system is running.
◆ Audit and monitoring personnel after going live
The live system should be tested regularly, and any problem detected promptly. The faster a problem is located, the smaller the loss.

The main scope of scanning is: Web server, database, application

Scanning principle

Detection phase (similar to choosing a strategy; equivalent to a test plan)
During detection, the test strategy can be chosen from the defaults or customised, and different strategies can be used. AppScan has a built-in test strategy library that can be combined as you wish, so as to probe for the potential security risks you most want to find.
(Equivalent to gathering the site information of the website under test: obtaining the links we want to test.)

◆ Imitating a user, AppScan probes the Web application or Web service under test, visiting or filling in the links and form fields in the site to obtain the site information (the Application Tree).
◆ AppScan's analyser judges the response to each request it sends, finds any potential risks, and determines which test cases to generate automatically for those risks.
◆ After the detection phase, whether these high-risk areas really contain security defects or should be improved, and how severe the hidden risks are, can only be concluded once test execution has finished.

Test phase (corresponding to writing test cases)
◆ After the detection phase, AppScan has analysed the site model and its potential security risks.
◆ AppScan also already knows how many test cases must be generated to detect the potential hazards in these areas. The work at this stage is mainly to generate these planned test cases.
AppScan generates comprehensive and complex test inputs from the detection rules for the corresponding security risks in the test strategy library.

Scanning stage (corresponding to test execution)
◆ In the scanning phase AppScan does its real work: it continuously sends the test requests generated in the previous phase to the service.
◆ It then analyses the service's responses to determine whether the test inputs have caused hidden dangers or problems.
◆ Then, through the test case generation strategy, it finds the description of the security problem and its solution, and also reports the request sent and the response received for the relevant parameters.
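As an added illustration (not part of the original post, and not AppScan's own code), the three phases above can be modelled over a constructed in-memory site: `constructed_site`, the two rules in `RULES` and the phase functions are all assumptions made for this example, with two deliberately planted weaknesses (a verbose error page and a session cookie without HttpOnly) for the scan to find.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory target (hypothetical): /login sets a session cookie without HttpOnly,
# and /search leaks a stack trace (including a database user name) when "page" is not numeric.
PAGES = {"/": ({}, '<a href="/login">login</a> <a href="/search?page=1">search</a>'),
         "/login": ({"Set-Cookie": "JSESSIONID=abc123; Path=/"},
                    '<form action="/login"><input name="user"><input name="pass" type="password"></form>')}
def constructed_site(path, params=None):  # returns (response headers, body)
    if path == "/search" and not (params or {}).get("page", "1").isdigit():
        return {}, "Traceback (most recent call last): db.query(user='app_ro') ValueError"
    return PAGES.get(path, ({}, "<p>ok</p>"))
def links_and_forms(html):  # toy parser: links plus (action, field names) for each form
    links = re.findall(r'href="([^"]+)"', html)
    forms = [(m.group(1), re.findall(r'name="([^"]+)"', m.group(2)))
             for m in re.finditer(r'<form action="([^"]+)"[^>]*>(.*?)</form>', html, re.S)]
    return links, forms
# Test strategy library: (rule, WASC class, probe value or None for a passive check, detector).
RULES = [
    ("verbose-error", "Information Disclosure", "abc",
     lambda h, b: re.search(r"Traceback|SQLSTATE|ORA-\d{5}", b) is not None),
    ("cookie-flags", "Authorization", None,
     lambda h, b: "Set-Cookie" in h and "httponly" not in h["Set-Cookie"].lower()),
]

def explore(site, start="/"):
    """Explore phase: crawl links and forms into the application tree {path: [parameter names]}."""
    tree, queue = {}, [start]
    while queue:
        parts = urlsplit(queue.pop())
        if parts.path not in tree:
            tree[parts.path] = sorted(parse_qs(parts.query))
            links, forms = links_and_forms(site(parts.path)[1])
            queue.extend(links)
            for action, fields in forms:
                tree[action] = sorted(set(tree.get(action, [])) | set(fields))
    return tree
def generate_tests(tree, rules=RULES):
    """Test phase: one case per active rule and parameter; one case per page for passive rules."""
    return [(rule, path, {q: (rule[2] if q == p else "1") for q in params})
            for path, params in tree.items() for rule in rules
            for p in (params if rule[2] is not None else [None])]
def scan(site, cases):
    """Scan phase: send each case, analyse the response, keep findings with request and evidence."""
    findings = []
    for (name, wasc, _probe, detect), path, params in cases:
        headers, body = site(path, params)
        if detect(headers, body):
            findings.append({"rule": name, "class": wasc, "request": (path, params), "evidence": body[:40]})
    return findings
```

Running `scan(constructed_site, generate_tests(explore(constructed_site)))` yields one Information Disclosure finding for `/search?page=abc` and one Authorization finding for the `/login` cookie, each with the request that triggered it.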

Operation process

Security testers not only have to find vulnerabilities; they also have to know how to fix them, so that they can guide developers in resolving them.


Origin blog.csdn.net/sunshine612/article/details/105453124