Plants vs thieves: Automated Tests in the World of Web Security

Transcript

1. Automated Tests in the World of Web Security

2. None
3. None

4. What does that have to do with web development?

5. None
6. None
7. None
8. None
9. None

10. Garden

11. Garden House = Protected parts

12. Garden Garden = our defenses House = Protected parts

13. None

14. Security best practises

15. None

16. Broken Access Control

17. Broken Access Control Cryptographic Failures

18. Broken Access Control Cryptographic Failures Injection

19. Test Cases

20. Injection

21. Testing XSS it('checks for XSS vulnerability', () => { cy.visit('http://example.com/contact-form');

    cy.get('input[name="name"]').type('<script>alert("XSS")</script>'); cy.get('form').submit(); cy.contains('<script>alert("XSS")</script>').should('not.exist'); });

22. Testing XSS it('checks for XSS vulnerability', () => { cy.visit('http://example.com/contact-form');

    cy.get('input[name="name"]').type('<script>alert("XSS")</script>'); cy.get('form').submit(); cy.contains('<script>alert("XSS")</script>').should('not.exist'); });

23. Testing XSS it('checks for XSS vulnerability', () => { cy.visit('http://example.com/contact-form');

    cy.get('input[name="name"]').type('<script>alert("XSS")</script>'); cy.get('form').submit(); cy.contains('<script>alert("XSS")</script>').should('not.exist'); });

24. Testing XSS it('checks for XSS vulnerability', () => { cy.visit('http://example.com/contact-form');

    cy.get('input[name="name"]').type('<script>alert("XSS")</script>'); cy.get('form').submit(); cy.contains('<script>alert("XSS")</script>').should('not.exist'); });

25. Testing XSS it('checks for XSS vulnerability', () => { cy.visit('http://example.com/contact-form');

    cy.get('input[name="name"]').type('<script>alert("XSS")</script>'); cy.get('form').submit(); cy.contains('<script>alert("XSS")</script>').should('not.exist'); });

26. it('checks for CSRF vulnerability', () => { cy.request({ method: 'POST',

    url: 'http://example.com/update-profile', form: true, body: { name: 'John Doe', email: '[email protected]' } }).then((response) => { expect(response.status).to.eq(403); }); }); Testing CSRF

27. Testing CSRF it('checks for CSRF vulnerability', () => { cy.request({

    method: 'POST', url: 'http://example.com/update-profile', form: true, body: { name: 'John Doe', email: '[email protected]' } }).then((response) => { expect(response.status).to.eq(403); }); });

28. Testing CSRF it('checks for CSRF vulnerability', () => { cy.request({

    method: 'POST', url: 'http://example.com/update-profile', form: true, body: { name: 'John Doe', email: '[email protected]' } }).then((response) => { expect(response.status).to.eq(403); }); });

29. Testing CSRF it('checks for CSRF vulnerability', () => { cy.request({

    method: 'POST', url: 'http://example.com/update-profile', form: true, body: { name: 'John Doe', email: '[email protected]' } }).then((response) => { expect(response.status).to.eq(403); }); });

30. Testing CSRF it('checks for CSRF vulnerability', () => { cy.request({

    method: 'POST', url: 'http://example.com/update-profile', form: true, body: { name: 'John Doe', email: '[email protected]' } }).then((response) => { expect(response.status).to.eq(403); }); });

31. Testing SQL Injection it('checks for SQL injection vulnerability', () =>

    { cy.visit('http://example.com/search?query=1 OR 1=1'); cy.contains('Error:').should('not.exist'); });

32. Testing SQL Injection it('checks for SQL injection vulnerability', () =>

    { cy.visit('http://example.com/search?query=1 OR 1=1'); cy.contains('Error:').should('not.exist'); });

33. Testing SQL Injection it('checks for SQL injection vulnerability', () =>

    { cy.visit('http://example.com/search?query=1 OR 1=1'); cy.contains('Error:').should('not.exist'); });

34. CSP Testing Using Cypress const { defineConfig } = require('cypress')

    module.exports = defineConfig({ // https://on.cypress.io/experiments // https://github.com/cypress-io/cypress/issues/1030 experimentalCspAllowList: ['default-src', 'script-src'], e2e: { baseUrl: 'http://localhost:3003', }, });

35. CSP Testing Using Cypress const { defineConfig } = require('cypress')

    module.exports = defineConfig({ // https://on.cypress.io/experiments // https://github.com/cypress-io/cypress/issues/1030 experimentalCspAllowList: ['default-src', 'script-src'], e2e: { baseUrl: 'http://localhost:3003', }, });

36. CSP Testing Using Cypress it('serves Content-Security-Policy header', () => {

    cy.request('/') .its('headers') .should('have.property', 'content-security-policy') // confirm parts of the CSP directive .should('include', "default-src 'self'") .and('include', 'report-uri /security-attacks’); });

37. CSP Testing Using Cypress it('serves Content-Security-Policy header', () => {

    cy.request('/') .its('headers') .should('have.property', 'content-security-policy') // confirm parts of the CSP directive .should('include', "default-src 'self'") .and('include', 'report-uri /security-attacks’); });

38. CSP Testing Using Cypress it('serves Content-Security-Policy header', () => {

    cy.request('/') .its('headers') .should('have.property', 'content-security-policy') // confirm parts of the CSP directive .should('include', "default-src 'self'") .and('include', 'report-uri /security-attacks’); });

39. CSP Testing Using Cypress it('stops XSS and reports CSP violations',

    () => { cy.intercept('/security-attacks', {}).as(‘cspAttacks'); cy.on('window:load', (win) => cy.stub(win.console, ‘log').as('log')); cy.visit(‘/'); cy.get('#message').type('Hello<img src="" onerror="console.log(`hacked`)" />’); cy.contains('button', ‘Send').click(); cy.contains('#messages li', ‘Hello'); cy.log('**XSS stopped and reported**') cy.wait('@cspAttacks').its('request.body').should('include', ‘blocked'); cy.get(‘@log').should('not.be.called'); })

40. CSP Testing Using Cypress it('stops XSS and reports CSP violations',

    () => { cy.intercept('/security-attacks', {}).as(‘cspAttacks'); cy.on('window:load', (win) => cy.stub(win.console, ‘log').as('log')); cy.visit(‘/'); cy.get('#message').type('Hello<img src="" onerror="console.log(`hacked`)" />’); cy.contains('button', ‘Send').click(); cy.contains('#messages li', ‘Hello'); cy.log('**XSS stopped and reported**') cy.wait('@cspAttacks').its('request.body').should('include', ‘blocked'); cy.get(‘@log').should('not.be.called'); })

41. CSP Testing Using Cypress it('stops XSS and reports CSP violations',

    () => { cy.intercept('/security-attacks', {}).as(‘cspAttacks'); cy.on('window:load', (win) => cy.stub(win.console, ‘log').as('log')); cy.visit(‘/'); cy.get('#message').type('Hello<img src="" onerror="console.log(`hacked`)" />’); cy.contains('button', ‘Send').click(); cy.contains('#messages li', ‘Hello'); cy.log('**XSS stopped and reported**') cy.wait('@cspAttacks').its('request.body').should('include', ‘blocked'); cy.get(‘@log').should('not.be.called'); })

42. Cover Login / Auth APIs

43. ... cy.get('#username').type(username); cy.get('#password').type(password); cy.get('[type="submit"]').click(); cy.contains('Access denied') .should('not.exist'); ... Cover Authn

    / Login

44. HTTPS!?

45. None

46. Test Automation Tools

47. None

48. SAST Tools

49. SAST Tools DAST Tools

50. SAST Tools DAST Tools IAST Tools

51. SAST Tools DAST Tools IAST Tools Static Code Quality Analysis

52. SAST Tools Keeping dependencies up-to-date DAST Tools IAST Tools Static

    Code Quality Analysis

53. General testing practises

54. None
55. None

56. Understand your app

57. Understand your app Create a test plan

58. Understand your app Create a test plan Write your test

    cases

59. Understand your app Create a test plan Write your test

    cases Execute tests and analyse

60. Understand your app Create a test plan Write your test

    cases Execute tests and analyse Include other tools

61. Understand your app Create a test plan Write your test

    cases Execute tests and analyse Include other tools Repeat your test runs

62. Understand your app Create a test plan Write your test

    cases Execute tests and analyse Include other tools Repeat your test runs
63. None
64. None
65. None
66. None

67. Automation = great complement

68. Automation = great complement Simple steps are most useful

69. Automation = great complement Simple steps are most useful Combine

    own test cases + Tools

70. Automation = great complement Simple steps are most useful Combine

    own test cases + Tools All testing types can be utilized
71. None