EuroSTAR Software Testing Conference 2013 presentation on How About Security Testing by Jouri Dufour.
See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/
12-14. Password change function: the functionality, the assumption, the attack
Password change request form: Username, Existing password *, New password, Confirm new password
* Only presented to users
Server-side logic: "Existing password parameter present?"
  Y -> User path: the existing password is checked before the change is made
  N -> Administrator path: no existing password required
FLAW (slide 13): the user-or-administrator decision is derived from whether the request carries the existing-password parameter, that is from the shape of the request rather than from the identity and role of the authenticated session.
ATTACK (slide 14): an ordinary user sends the password change request with the existing-password parameter deleted (name and value) and is processed along the administrator path, so the password is changed without the existing one ever being supplied.
15. RECOMMENDED HACK STEPS
Try removing in turn each request parameter
Be sure to delete the actual parameter name as well as its value
Attack only one parameter at a time
Follow a multistage process through to completion
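The flaw of slides 12-14 and the "remove each parameter in turn" step of slide 15, as an added Python example (not code from the deck or its speaker): a handler that infers "administrator" from a missing existing-password parameter, beside one that takes the role from the server-side session, and a probe that resends the request with one parameter deleted (name and value) at a time. The in-memory user store, account names and handler names are all hypothetical.

```python
# Added example, not from the EuroSTAR deck. Everything here is hypothetical:
# a tiny in-memory user store and two password-change handlers.


def make_users():
    """Constructed sample accounts: one ordinary user, one administrator."""
    return {
        "alice": {"password": "alice-old-pw", "role": "user"},
        "root": {"password": "root-pw", "role": "admin"},
    }


def vulnerable_change_password(session_user, users, form):
    """Flawed handler (slides 12-14).

    The administrator's form has no 'Existing password' field, so the code
    infers the caller's role from the presence of that parameter: present
    means 'user, verify the old password'; absent means 'administrator'.
    Nothing ties that decision to who is actually logged in.
    """
    if form["new_password"] != form["confirm_new_password"]:
        return "passwords do not match"
    target = users[form["username"]]
    if "existing_password" in form:            # the 'Y' branch: user path
        if form["existing_password"] != target["password"]:
            return "wrong existing password"
    # The 'N' branch: administrator path, reached by deleting one parameter.
    target["password"] = form["new_password"]
    return "password changed"


def fixed_change_password(session_user, users, form):
    """Hardened handler: the role comes from the authenticated session.

    A non-administrator may only change their own password and must prove
    the existing one; a missing parameter is a failed check, never a
    privilege.
    """
    if form["new_password"] != form["confirm_new_password"]:
        return "passwords do not match"
    actor = users[session_user]
    if actor["role"] != "admin":
        if form["username"] != session_user:
            return "forbidden"
        if form.get("existing_password") != actor["password"]:
            return "wrong existing password"
    users[form["username"]]["password"] = form["new_password"]
    return "password changed"


def remove_each_parameter(handler, session_user, base_form):
    """Slide-15 probe: resend the request with exactly one parameter deleted
    (name and value, not just blanked) and record what the handler does.
    Each attempt runs against a fresh copy of the user store."""
    results = {}
    for name in base_form:
        form = {k: v for k, v in base_form.items() if k != name}
        try:
            results[name] = handler(session_user, make_users(), form)
        except KeyError as missing:
            results[name] = f"error: parameter {missing} is required"
    return results


if __name__ == "__main__":
    request = {
        "username": "alice",
        "existing_password": "alice-old-pw",
        "new_password": "n3w-pw",
        "confirm_new_password": "n3w-pw",
    }
    for handler in (vulnerable_change_password, fixed_change_password):
        print(handler.__name__)
        for param, outcome in remove_each_parameter(handler, "alice", request).items():
            print(f"  without {param!r}: {outcome}")
```

Run against the flawed handler, the probe reports that dropping only `existing_password` still yields "password changed"; every other deletion is an error. The hardened handler turns the same deletion into "wrong existing password", and a user who names another account in `username` is refused outright.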
17-19. Retail application: multistage checkout, the functionality, the assumption, the attack
Stages in the intended sequence: Add items to shopping basket -> Enter payment information -> Enter delivery information -> Finalize order
FLAW (slide 18): each stage is its own request, and the later stages assume that a user who reaches them has already completed the earlier ones in order.
ATTACK (slide 19): submit the "Finalize order" request straight after filling the basket, without ever completing the payment stage.
20. RECOMMENDED HACK STEPS
Attempt to submit requests out of the expected sequence
Be sure to fully understand the access mechanisms to distinct stages
Try to violate the developers' assumptions
Use any interesting error messages and debug output to fine-tune your attacks
21. The application may enforce strict access control only on the initial stages of the process
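The checkout of slides 17-19 and the out-of-sequence requests of slides 20-21, as an added Python example (not code from the deck or its speaker): a four-stage checkout in which only the entry stage is access-controlled, beside one that records on the server which stages a session has completed and rejects any request whose prerequisites are missing, plus a probe that fires each stage first and one that skips payment. Stage names follow the slides; the session, the "payment" check and the sample requests are constructed for the example.

```python
# Added example, not from the EuroSTAR deck. A four-stage checkout where
# every stage is its own request handler. The payment "check" and all other
# details are hypothetical stand-ins.

ORDER = ("basket", "payment", "delivery", "finalize")

# Constructed sample requests an attacker might send to each stage.
SAMPLE_REQUESTS = {
    "basket": "book",
    "payment": "4111 1111 1111 1111",
    "delivery": "1 Example Street",
    "finalize": None,
}


class FlawedCheckout:
    """Access control only at the entry stage (slide 21): once logged in, any
    stage can be requested directly, and 'finalize' assumes the UI already
    walked the user through payment."""

    def __init__(self, session_user):
        if session_user is None:
            raise PermissionError("login required")   # the only guard
        self.items = []
        self.paid = False
        self.address = None
        self.orders = []

    def basket(self, item):
        self.items.append(item)
        return "added"

    def payment(self, card):
        if not card:
            return "declined"
        self.paid = True          # stand-in for a payment-provider call
        return "paid"

    def delivery(self, address):
        self.address = address
        return "saved"

    def finalize(self, _=None):
        # Trusts that payment happened because the normal flow puts it first.
        self.orders.append({"items": list(self.items), "paid": self.paid,
                            "address": self.address})
        return "order placed"


class HardenedCheckout(FlawedCheckout):
    """Same stages, but the server remembers which stages this session has
    completed and refuses any request whose prerequisites are not met."""

    REQUIRES = {
        "basket": set(),
        "payment": {"basket"},
        "delivery": {"payment"},
        "finalize": {"basket", "payment", "delivery"},
    }

    def __init__(self, session_user):
        super().__init__(session_user)
        self.completed = set()

    def _guarded(self, stage, handler, arg):
        missing = self.REQUIRES[stage] - self.completed
        if missing:
            return f"rejected {stage}: missing {', '.join(sorted(missing))}"
        result = handler(arg)
        if result != "declined":          # only a successful stage counts
            self.completed.add(stage)
        return result

    def basket(self, item):
        return self._guarded("basket", super().basket, item)

    def payment(self, card):
        return self._guarded("payment", super().payment, card)

    def delivery(self, address):
        return self._guarded("delivery", super().delivery, address)

    def finalize(self, _=None):
        return self._guarded("finalize", super().finalize, None)


def probe_out_of_sequence(checkout_cls, session_user="alice"):
    """Slide-20 probe: for each stage, open a fresh session and submit that
    stage's request first. Any non-rejection for a later stage is a finding."""
    results = {}
    for stage in ORDER:
        checkout = checkout_cls(session_user)
        results[stage] = getattr(checkout, stage)(SAMPLE_REQUESTS[stage])
    return results


def skip_payment(checkout_cls, session_user="alice"):
    """The attack of slide 19: fill the basket, then jump straight to
    finalize. Returns (response, orders placed)."""
    checkout = checkout_cls(session_user)
    checkout.basket(SAMPLE_REQUESTS["basket"])
    return checkout.finalize(), checkout.orders
```

Against `FlawedCheckout`, `skip_payment` places an order with `paid` still `False`; against `HardenedCheckout` the same request is rejected with the list of missing stages, which is also the kind of message slide 20 says to read carefully.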
29-31. Retail application: bundle discount, the functionality, the assumption, the attack
Shopping basket: Item 1 €..., Item 2 €..., Item 3 €...; purchasing the three items as a bundle earns -25%
FLAW (slide 30): the -25% is applied as a one-time adjustment at the moment the bundle is purchased and is not re-derived from what the basket actually contains later.
ATTACK (slide 31): after the adjustment has been made, change the basket (for instance by removing bundle items) so that the order no longer meets the bundle criteria while the -25% stays.
32. RECOMMENDED HACK STEPS
Find out if adjustments are made on a one-time basis
Try to manipulate the application's behavior to get adjustments that don't correspond to the original intended criteria
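The bundle discount of slides 29-31 and both hack steps of slide 32, as an added Python example (not code from the deck or its speaker): a basket that books the -25% as a fixed adjustment when the bundle is added, beside one that derives the discount from the basket contents every time the total is computed, with a check that tells the two apart. Item prices (in cents), the bundle definition and the basket API are constructed for the example.

```python
# Added example, not from the EuroSTAR deck. Prices are in cents and the
# bundle definition is constructed for the example.

PRICES = {"item1": 4000, "item2": 3000, "item3": 3000}   # Item 1..3
BUNDLE = frozenset(PRICES)                               # all three together
BUNDLE_DISCOUNT_PCT = 25                                 # the slide's -25%


def bundle_list_price():
    return sum(PRICES[item] for item in BUNDLE)


class OneTimeAdjustmentBasket:
    """Flawed: the -25% is booked as a fixed adjustment when the bundle is
    added and never revisited, however the basket changes afterwards."""

    def __init__(self):
        self.lines = {}          # item -> quantity
        self.adjustments = []    # fixed amounts in cents, negative = discount

    def add(self, item, qty=1):
        self.lines[item] = self.lines.get(item, 0) + qty

    def remove(self, item, qty=1):
        left = self.lines.get(item, 0) - qty
        if left > 0:
            self.lines[item] = left
        else:
            self.lines.pop(item, None)

    def add_bundle(self):
        for item in BUNDLE:
            self.add(item)
        # The adjustment is recorded once; nothing re-checks the criteria.
        self.adjustments.append(-(bundle_list_price() * BUNDLE_DISCOUNT_PCT // 100))

    def total(self):
        items = sum(PRICES[i] * q for i, q in self.lines.items())
        return items + sum(self.adjustments)


class RecomputedBasket(OneTimeAdjustmentBasket):
    """Hardened: the discount is a function of the basket contents at the
    moment the total is computed, so it disappears when the criteria do."""

    def add_bundle(self):
        for item in BUNDLE:
            self.add(item)       # no adjustment stored; see total()

    def total(self):
        items = sum(PRICES[i] * q for i, q in self.lines.items())
        complete_bundles = min(self.lines.get(i, 0) for i in BUNDLE)
        discount = complete_bundles * bundle_list_price() * BUNDLE_DISCOUNT_PCT // 100
        return items - discount


def adjustment_survives_change(basket_cls):
    """Slide-32 step 1: find out whether the adjustment is one-time. Add the
    bundle, remove one of its items, and compare. Returns (total before,
    total after); a discount that is still present after the removal means
    the adjustment was made once and never re-derived."""
    basket = basket_cls()
    basket.add_bundle()
    before = basket.total()
    basket.remove("item1")
    after = basket.total()
    return before, after


def cheapest_single_item(basket_cls):
    """Slide-32 step 2 against a one-time adjustment: take the bundle, then
    remove everything but the cheapest item so the order no longer meets the
    bundle criteria. Returns the total the application would charge."""
    basket = basket_cls()
    basket.add_bundle()
    basket.remove("item1")
    basket.remove("item2")
    return basket.total()
```

With these prices the bundle lists at 100.00 and the discount at 25.00. The one-time basket still charges 35.00 after `item1` is removed and 5.00 for a lone `item3` (list price 30.00); removing all three leaves a negative total. The recomputed basket charges 60.00 and 30.00 for the same baskets, and 0 when empty.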
34-37. Web application: operating system command built from user input, the functionality, the assumption, the attack
Data flow: User-controllable input -> Sanitization using the backslash character -> Operating system command
Characters the sanitizer prefixes with a backslash: ; | & < > ` space newline
FLAW (slide 35): the backslash itself is not in that list, so a backslash supplied by the attacker passes through untouched.
ATTACK (slides 36-37, COMMAND INJECTION): input Foo\;ls. The sanitizer escapes only the semicolon and emits Foo\\;ls; the shell reads \\ as one literal backslash and the following ; as an unescaped command separator, so ls runs as a second command.
38. RECOMMENDED HACK STEPS
Attempt to insert relevant metacharacters into the data you control
Always try placing a backslash immediately before each such character
39. This same defect can be found in some defenses against cross-site scripting attacks
42. HOW ABOUT SECURITY TESTING?
Fooling a password change function
Proceeding to checkout
Beating a business limit
Cheating on bulk discounts
Escaping from escaping
Speaker: Jouri Dufour
www.ctg.com
jouri.dufour@ctg.com