
Plants vs thieves: Automated Tests in the World of Web Security

Web security is crucial in a constantly evolving environment where potential threats are always present. To better understand this concept, we can imagine our web application as a garden or a home that needs to be protected from possible attacks. We can draw parallels with the popular game "Plants vs. Zombies," which aims to safeguard your garden from intruders.

Our automated tests function as diligent guardians whose primary objective is to identify and address potential vulnerabilities, much like the diverse plant arsenal in the game. Instead of framing the security process as a never-ending fight, we will explore how automated tests act as defenders against possible issues, whether they are zombies or intruders. Alongside an overview of tools you can use, we emphasize the role of the fundamental testing types, such as unit and end-to-end tests, in securing your digital garden.

Join this session to understand how to create a secure environment for your web application through test automation. This approach helps your web applications withstand the challenges posed by cyber threats without necessarily introducing new, dedicated tools.

Ramona Schwering

June 04, 2024

Transcript

  1. Testing XSS

    it('checks for XSS vulnerability', () => {
      // Catch any alert() the payload manages to trigger (Cypress auto-accepts alerts otherwise).
      cy.on('window:alert', cy.stub().as('alert'));
      cy.visit('http://example.com/contact-form');
      cy.get('input[name="name"]').type('<script>alert("XSS")</script>');
      cy.get('form').submit();
      // Assert on the markup, not on visible text: a page that escapes the input
      // correctly shows the literal "<script>..." string as text, so
      // cy.contains('<script>alert("XSS")</script>').should('not.exist')
      // would fail on the safe page and pass on the vulnerable one.
      cy.get('body').invoke('html').should('not.include', '<script>alert("XSS")</script>');
      cy.get('@alert').should('not.have.been.called');
    });
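The slide's assertion looks for the payload in the page's visible text. The following is an added example, not code from the deck, that shows on a small server-side renderer why that oracle is inverted and what a markup-based oracle looks like instead. The two renderers, the textContent() approximation and the payload are illustrative assumptions.

```javascript
// Added example (not from the deck): why "the payload string is absent from the
// page text" is the wrong oracle for an XSS test, shown on a server-side renderer.

const XSS_PAYLOAD = '<script>alert("XSS")</script>';

// Vulnerable renderer: user input interpolated straight into HTML.
function renderVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened renderer: the five HTML-significant characters are escaped first.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Rough model of what a browser exposes as visible text (what cy.contains()
// searches): tags removed, entities decoded (&amp; last, to avoid double decoding).
function textContent(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Oracle used on the slide: the payload must not appear in the rendered text.
function slideOracleSaysSafe(html) {
  return !textContent(html).includes(XSS_PAYLOAD);
}

// Better oracle: no <script> element and no inline event handler made it into
// the markup. (In Cypress: assert on body.innerHTML, or stub window.alert.)
function markupOracleSaysSafe(html) {
  return !/<script[\s>]/i.test(html) && !/<[^>]+\son\w+\s*=/i.test(html);
}

// Run both oracles against both renderers; returns { renderer: { slide, markup } }.
function compareOracles() {
  const out = {};
  for (const [label, render] of [['vulnerable', renderVulnerable], ['safe', renderSafe]]) {
    const html = render(XSS_PAYLOAD);
    out[label] = { slide: slideOracleSaysSafe(html), markup: markupOracleSaysSafe(html) };
  }
  return out;
}

// compareOracles() gives { vulnerable: { slide: true, markup: false },
//                          safe:       { slide: false, markup: true } }
```

The text-based oracle passes the vulnerable renderer (the script element's visible text is only `alert("XSS")`) and fails the safe one (the escaped string is visible as text), which is the opposite of what the test wants. The markup oracle gets both cases right.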
  6. Testing CSRF

    it('checks for CSRF vulnerability', () => {
      // cy.request() sends the cookies in Cypress's jar, so after logging in this
      // models an authenticated cross-site POST that carries no CSRF token.
      cy.request({
        method: 'POST',
        url: 'http://example.com/update-profile',
        form: true,
        body: { name: 'John Doe', email: '[email protected]' },
        // cy.request() fails the test on a non-2xx/3xx status unless told not to;
        // without this the expected 403 never reaches the assertion below.
        failOnStatusCode: false,
      }).then((response) => {
        expect(response.status).to.eq(403);
      });
    });
  11. Testing SQL Injection

    it('checks for SQL injection vulnerability', () => {
      // Cypress URL-encodes the space; the server receives query=1%20OR%201%3D1.
      cy.visit('http://example.com/search?query=1 OR 1=1');
      // Weak oracle: a missing "Error:" only shows that database errors are hidden
      // from the page. A stronger check compares the number of results with a
      // benign request such as query=1; equal counts mean the injected clause did
      // not reach the database.
      cy.contains('Error:').should('not.exist');
    });
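The deck stresses that unit tests belong in the security toolbox as much as end-to-end tests. The following is an added example, not code from the deck, of a unit-level injection oracle that does not depend on an error message: a query builder is safe against a payload if the SQL structure it produces is the same for hostile input as for benign input. The tokenizer, the two builders, the table name and the payload list are illustrative assumptions.

```javascript
// Added example (not from the deck): structural oracle for SQL injection.

const KEYWORDS = new Set(['SELECT', 'FROM', 'WHERE', 'AND', 'OR', 'NOT', 'LIKE',
  'UNION', 'DROP', 'TABLE', 'INSERT', 'UPDATE', 'DELETE']);

// Reduce SQL to a token-shape string: literals become STR/NUM, identifiers become
// ID, keywords and punctuation stay. 'x' and '1 OR 1=1' both collapse to STR, so a
// payload that stays inside a string literal correctly does not change the shape.
function sqlShape(sql) {
  const re = /'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|[=<>!]+|\S/g;
  return (sql.match(re) || []).map((t) => {
    if (t.startsWith("'")) return 'STR';
    if (/^\d/.test(t)) return 'NUM';
    if (/^[A-Za-z_]/.test(t)) return KEYWORDS.has(t.toUpperCase()) ? t.toUpperCase() : 'ID';
    return t;
  }).join(' ');
}

// Vulnerable: the slide's ?query= value is concatenated into the statement.
function buildSearchVulnerable(query) {
  return { sql: `SELECT * FROM products WHERE id = ${query}`, params: [] };
}

// Hardened: the value travels as a bind parameter; the statement text is constant.
function buildSearchSafe(query) {
  return { sql: 'SELECT * FROM products WHERE id = ?', params: [query] };
}

// The test: no payload may change the statement shape relative to a benign input.
function queryShapeIsStable(builder, benign, payloads) {
  const baseline = sqlShape(builder(benign).sql);
  return payloads.every((p) => sqlShape(builder(p).sql) === baseline);
}

// Constructed payloads: the slide's, a quote-breaking one, and a stacked query.
const PAYLOADS = ['1 OR 1=1', "' OR '1'='1", '1; DROP TABLE products; --'];

// sqlShape(buildSearchVulnerable('1 OR 1=1').sql)
//   -> 'SELECT * FROM ID WHERE ID = NUM OR NUM = NUM'   (baseline ends at '= NUM')
// queryShapeIsStable(buildSearchVulnerable, '1', PAYLOADS) -> false
// queryShapeIsStable(buildSearchSafe, '1', PAYLOADS)       -> true
```

This runs in milliseconds with no database, so it fits a unit-test stage; the end-to-end test on the slide then only needs to confirm that the endpoint actually uses the hardened builder.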
  14. CSP Testing Using Cypress

    const { defineConfig } = require('cypress')

    module.exports = defineConfig({
      // https://on.cypress.io/experiments
      // https://github.com/cypress-io/cypress/issues/1030
      // Cypress strips Content-Security-Policy headers from the app's responses by
      // default; the listed directives are let through so the tests see the real policy.
      experimentalCspAllowList: ['default-src', 'script-src'],
      e2e: {
        baseUrl: 'http://localhost:3003',
      },
    });
  16. CSP Testing Using Cypress

    it('serves Content-Security-Policy header', () => {
      cy.request('/')
        .its('headers')
        .should('have.property', 'content-security-policy')
        // confirm parts of the CSP directive
        .should('include', "default-src 'self'")
        .and('include', 'report-uri /security-attacks');
    });
  19. CSP Testing Using Cypress

    it('stops XSS and reports CSP violations', () => {
      // Stub the report-uri endpoint so the violation report can be inspected.
      cy.intercept('/security-attacks', {}).as('cspAttacks');
      // Spy on console.log in the app window; the payload below calls it if it runs.
      cy.on('window:load', (win) => cy.stub(win.console, 'log').as('log'));
      cy.visit('/');
      cy.get('#message').type('Hello<img src="" onerror="console.log(`hacked`)" />');
      cy.contains('button', 'Send').click();
      cy.contains('#messages li', 'Hello');
      cy.log('**XSS stopped and reported**');
      // The inline onerror handler violates script-src; the browser posts a report.
      cy.wait('@cspAttacks').its('request.body').should('include', 'blocked');
      cy.get('@log').should('not.be.called');
    });
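The CSP slides check two things: that the header carries the intended directives, and that a blocked inline handler produces a report at report-uri. The following is an added example, not code from the deck, that does both in plain Node so they can run as a unit test as well as behind cy.request(): a parser and audit for the header value (a weak policy beside a hardened one) and a reader for the JSON body the browser posts to report-uri. The sample headers and the sample report are constructed; the report field names are the ones browsers send for report-uri.

```javascript
// Added example (not from the deck): CSP header audit and report-uri report parsing.

// "default-src 'self'; script-src 'self' cdn.example" -> Map(directive -> [sources])
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Returns a list of findings; an empty list means the policy passes these checks.
function auditCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  if (!p.has('default-src')) findings.push('no default-src fallback');
  else if (!p.get('default-src').includes("'self'") || p.get('default-src').includes('*'))
    findings.push("default-src is not restricted to 'self'");
  const scriptSrc = p.get('script-src') || p.get('default-src');
  if (!scriptSrc) findings.push('no script-src and no default-src: scripts unrestricted');
  else {
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scriptSrc.includes('*')) findings.push('script-src allows any host');
  }
  if (!p.has('report-uri') && !p.has('report-to')) findings.push('violations are not reported');
  return findings;
}

// The body posted to report-uri is {"csp-report": {...}}; a blocked-uri of
// "inline" is what the slide's onerror payload produces.
function summarizeCspReport(body) {
  const r = (typeof body === 'string' ? JSON.parse(body) : body)['csp-report'];
  if (!r) throw new Error('not a CSP report');
  return {
    blocked: r['blocked-uri'],
    directive: r['effective-directive'] || r['violated-directive'],
    page: r['document-uri'],
    isInlineScript: r['blocked-uri'] === 'inline',
  };
}

// Weak policy beside the hardened one (constructed examples).
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; img-src 'self' data:; report-uri /security-attacks";

// Constructed report, shaped like what a browser posts for a blocked inline handler.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://localhost:3003/',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': HARDENED_CSP,
    'blocked-uri': 'inline',
    'status-code': 200,
  },
});

// auditCsp(HARDENED_CSP) -> []            auditCsp(WEAK_CSP) -> five findings
// summarizeCspReport(SAMPLE_REPORT).isInlineScript -> true
```

With `experimentalCspAllowList` enabled as on the config slide, the same `auditCsp()` can be applied to `cy.request('/').its('headers.content-security-policy')`, and `summarizeCspReport()` to the intercepted `request.body`, which gives the test a precise assertion (blocked-uri is `inline`, directive is script-src) instead of a substring match on `blocked`.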
  22. Understand your app
      Create a test plan
      Write your test cases
      Execute tests and analyse
      Include other tools
      Repeat your test runs
  25. Automation = great complement
      Simple steps are most useful
      Combine own test cases + tools
      All testing types can be utilized