1. Background

After the implementation of the Data Security Law, the national regulatory authorities have strengthened the supervision of corporate data security. Against this background, in order to ensure the safety of the logistics system and avoid safety risks in advance, the test team took the lead in formulating safety test process specifications and continued to promote the normalization of safety test.

2. Types and hazards of security vulnerabilities

1. Common types of security vulnerabilities

Unauthorized vulnerabilities, upload vulnerabilities, XSS vulnerabilities, CSRF vulnerabilities, SQL injection vulnerabilities, arbitrary file read vulnerabilities, deserialization vulnerabilities, CORS vulnerabilities, SSRF vulnerabilities, URL adjustment vulnerabilities, etc.

2. Security vulnerability hazards

1. Information Disclosure

Attackers can use vulnerabilities to invade enterprise systems and steal enterprise sensitive information, such as customer information and financial data. Once this information is leaked, it will bring huge losses to the company, and it will also damage the trust of customers and the corporate brand image.

2. System crash

Attackers may paralyze the entire system of the enterprise through vulnerability attacks. Such a result directly leads to the failure of the normal operation of the enterprise and has a great impact on the economic development of the enterprise.

3. Extortion

Attackers can encrypt enterprise data through vulnerability attacks and require the enterprise to pay a ransom before releasing the data. This type of extortion has the potential to leave businesses in financial straits

3. Status Analysis

Currently, the department receives and handles security issues through [Security Work Order]. The security work order is a work order issued by the Group Security Department, including the work order created by the security scan automatically triggered by J-ONE when the application is launched, and the work order created by the security department and external white hat manual testing to find security vulnerabilities. The security work order is notified by the department contact person to the person in charge of each application for follow-up processing.

1. Source of work order

1. White box scanning

2. Black box scanning

3. JSRC (white hat testing)

4. Other vulnerabilities

2. Vulnerability types of work orders

1. White box scanning is mainly aimed at component vulnerabilities

2. Black box scanning is mainly for configuration vulnerabilities

3. JSRC is mainly aimed at business logic vulnerabilities

4. Others: Business logic loopholes discovered by colleagues in the security group or new security detection rules added by the group

Way	Purpose and Coverage Vulnerability Types
assembly line	Purpose: White-box testing, code scanning, avoiding component vulnerabilities in advance Covering vulnerability types: source component vulnerabilities, XSS, injection vulnerabilities
black box platform	Purpose: Black-box testing, scanning hosts, avoiding configuration problems and open problems in advance Covering vulnerability types: configuration vulnerabilities, open violations, injection vulnerabilities, access forgery
manual testing	Purpose: To make up for the lack of tool scanning, to mine logical vulnerabilities Covering vulnerability types: Logical vulnerabilities, file operations
DCAP security policy	Purpose: Expose data security issues Coverage vulnerability type: Data security issues

3. Existing detection methods

1. White box scanning: security atoms are provided in the pipeline

2. Black box scanning: there are pages and interfaces, and regular scanning is possible

3. IAST platform

4. Analysis of departmental application

At present, there are about 200 secondary sector applications, among which the public network applications include Jingyi APP, Jingguanjia APP, external network carrier platform, communication-related applications, and cargo-line-related applications. Analysis of security work order data shows that the sources of business logic vulnerabilities are public network applications, and public network applications directly face customers, and the priority of security governance is the highest.

4. Formulation of safety test plan

1. Test method

For the existing logical vulnerability types, comprehensive coverage is carried out by means of tool access (white box, black box) + manual testing.

2. Logical vulnerability testing process

a. Test standard

All needs related to extranet
Intranet used by a large number of outsiders

b. Testing stage

During the requirements review phase, test initiation determines whether security testing is required

Test Evaluate whether it involves usage scenarios of extranet users
Product Evaluate whether it is an intranet system used by a large number of external personnel (more than 15 people are recommended)

c. Test schedule

It is scheduled at the same time as the functional test, and it goes online after the test

d. Exit standard

Go online after all security vulnerabilities are fixed

5. Implementation of security testing plan

1. Tool access

1. The pipeline is connected to the security atom, and the security scan is performed on the master branch

2. The scheduled task calls the black box platform api for security scanning

3. Configure the IAST plug-in for security scanning

2. Manual testing is carried out in stages

a. The first stage: Governance of stock security issues

1. Set up a security testing team

Invite colleagues from the security department to conduct training and learn security knowledge independently, so that specific people have security testing capabilities: including tool use, data leakage, horizontal overreach, vertical overreach and other vulnerability mining capabilities

2. Special management of extranet platforms

The analysis of the Changan work order shows that the main problem existing in the application of the external network is the problem of ultra vires, so special governance is carried out for the external network platform.

External network application interface carding
First, manage the interface containing sensitive data (add Permisson annotations on the back end, and analyze the permission configuration of the logistics gateway)
Interfaces that do not contain sensitive data are then governed

b. The second stage: Incremental requirements for security testing

Regularly carry out safety testing sharing training in the group, so that everyone in the group has the ability of safety testing
Improve the knowledge about logic vulnerabilities, and expand the coverage of logic vulnerabilities to XSS, CSRF and other vulnerabilities

c. The third stage: the cultivation of security awareness

Product: During the requirements review process, a request for security testing is made for extranet applications
R&D: Follow the security testing specifications during the development process to avoid security issues
Testing: put forward security testing requirements for external network applications during the requirements review process; check whether there is permission verification or data encryption for permission classes and sensitive data classes during the code review process; cover commonly used security use cases during the security test process

3. Logical vulnerability mining experience

a. Tool use

BurpSuiteInstallation

b. General use cases and construction methods

use case name	step	wrong result	expected outcome	Principle introduction
Sensitive Data Validation	Requests to interfaces that contain sensitive data	Fields such as ID card, mobile phone number, and address are not encrypted	Sensitive data is encrypted and returned
vertical override check	① User A with menu authority logs in and requests the interface ② User B without menu authority logs in ③ User A's cookie is replaced with user B's cookie and the interface is resent	The interface returns successfully	The interface returns "no permission"
horizontal override check	① User A logs in and requests data with attributes ② User B logs in ③ User A's cookie is replaced with User B's cookie and the interface is resent	The interface returns successfully	The interface returns "no permission"
Reflected XSS validation	①Enter <script>alert('xss')</script> in the input box ②Click Submit	The page displays the 'xss' popup	No pop-up window on the page	XSS Vulnerability Principle Analysis and Practical Exercises for Logic Vulnerability Mining
Stored XSS validation	①Enter <script>alert('xss')</script> in the input box ②Click Submit	①Database drop data: <script>alert('xss')</script> ②Check the page containing the data again, the page pops up	①Escape the special characters and store them ②Check the page containing the data again, no pop-up window
CSRF verification	①User logs in to website A ②Logs in to website B without closing website A, and website B contains a structured interface request to website A	The interface returns successfully	The interface returns 401	Principle Analysis and Practical Exercise of CSRF Vulnerability in Logic Vulnerability Mining

c. Example analysis

1. Sensitive data

Problem description: Interface sensitive data is not encrypted

2. Vertical overreach

Description of the problem: A test account that does not have menu permissions can successfully return data after accessing the interface

3. Stored XSS

Description of the problem: There are actually two vulnerability locations, which are similar to iframe embedding, directly affecting two sites

Vulnerability proof: Send the following data packet to insert stored XSS

4. Reflected XSS

After entering the universal statement <script>alert()</script>, there is no pop-up window. Check the source code to see that <> is escaped

At the value of the input tag, the content we input is not strictly filtered, so manually close the value, and then execute the script "><script>alert()</script>

5. CSRF vulnerability

Description of the problem: Write html scripts, build a submit button, click the button to trigger an interface call, and the interface request does not require a cookie to make the request successful

6. Achievements

70% reduction in the number of business logic vulnerability type tickets in security tickets

1. The high-risk problems of pipeline scanning have all been resolved

2. The problems of horizontal and vertical overreach of external network applications have been completely resolved

3. A total of 45 logical loopholes have been excavated with the newly added requirements of iterations

Way	Purpose and Coverage Vulnerability Types	reach the situation	Remark
assembly line	Purpose: White-box testing, code scanning, avoiding component vulnerabilities in advance Covering vulnerability types: source component vulnerabilities, XSS, injection vulnerabilities	44 applications have been connected to the pipeline, and all high-risk security issues have been resolved
black box platform	Purpose: Black-box testing, scanning hosts, avoiding configuration problems and open problems in advance Covering vulnerability types: configuration vulnerabilities, open violations, injection vulnerabilities, access forgery	Black box scanning has been added to the external network platform, and all scanning problems have been solved	The timed task has been connected, and it will be executed every Monday at 9:00
manual testing	Purpose: To make up for the lack of tool scanning, to mine logical vulnerabilities Covering vulnerability types: Logical vulnerabilities, file operations	①Comprehensive testing of the external network platform ②100% security testing for new requirements
DCAP security policy	Purpose: Expose data security issues Coverage vulnerability type: Data security issues	Completed security policy access	Detect loopholes through traffic monitoring and other methods, and when problems are found, colleagues in the security department will confirm and submit Changan work orders (data security type)

7. Future planning

1. The normalization of security testing continues to advance

2. Continuous improvement of safety knowledge

Author: JD Logistics, Fan Wenjun

Source: Reprinted from Yuanqishuo Tech by JD Cloud developer community, please indicate the source

Security test normalization landing plan and daily promotion mechanism | JD Logistics technical team