SlideShare a Scribd company logo

Selenium Conference 2014 -- Bangalore

Download as PPTX, PDF
Prasanna Kanagasabai
Prasanna Kanagasabai

Presentation in Selenium Conference @ Banagalore

Education
1 of 26
Automation in Security Prasanna K, Ketan Soni
Agenda Typical use of Selenium Information Security How To achieve complete coverage Workflow Injection Attacks Conclusion
Introductions Prasanna Kanagasabai Pentester @ ThoughtWorks Author of IronSAP Speaker @ various security conferences Proud OSCP Ketan Soni QA @ ThoughtWorks
Typical use of Selenium UI Automation Cross Browser Testing Could We do more …….
Information Security Exploratory testing Find Defects Proactive Harming the system One of the most Exciting Jobs 
How To achieve complete coverage Applications are ever increasing Applications Tech stack has become vast Security attacks have become complex Security cannot be compromised Trained resources are finite Solution : Automation
Workflow Define a Scenario Generate Payload Deliver Payload Match Results for Success / Failure Test Scenario Identify Test Data Execution of Test Scenario’s Validation QA Flow Security Flow
Workflow -- Example Login without User Credentials Password List Brute force Script Login Success / Failure
How did we arrive @ Selenium Ajax in Normal “Urllib” Libraries were difficult Selenium could handle Ajax Requests easily.
Security !!!
SQL Injection 11 admin adminPass Username Password Submit SELECT * FROM users WHERE username = ‘admin’ AND password = ‘adminPass’
SQL Injection 12 ’OR 1=1--' BlahBlah Username Password Submit SELECT * FROM users WHERE username = ‘’ OR 1=1 --’’ AND password = ‘BlahBlah’
SQL Injection 13 ’OR 1=1--' BlahBlah Username Password Submit SELECT * FROM users WHERE username = ‘’ OR 1=1
DEMO 14
XSS 15 Search
XSS 16 Search Hello there friends Search results for “Hello there friends”
XSS 17 Hello <script>alert(“Hello World)</script> Search there friends Search results for “Hello
DEMO 18
Command Injection Ping Host 12.0.0.1 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.044 ms 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.049 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.040 ms --- 127.0.0.1 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.040/0.044/0.049/0.004 ms
Command Injection
Binary Protocols Binary Json, Protobuff Data is travelling in Mostly HEX Add code to teach tools Presented this plugin @ C0C0N
DEMO 22
What More … Cookiejar – for Cookie Management Suds – Web services Automation Lxml – Similar to BS4 Json – To work with Json pyAmf – AMF Protocol SimpleHTTPServer – Simplest Webserver (python –m SimpleHTTPServer 9080) Twisted
Conclusion Helps in larger code coverage Saving time Careful calibration is needed Cant fully replace manual testing
Questions ?? shifu@thoughtworks.com Ketan.soni@thoughtworks.com @prasannain @ketan_soni
References https://github.com/prasanna-in/Random-Scripts

Recommended

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection zakieh alizadeh
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisCysinfo Cyber Security Community
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideCysinfo Cyber Security Community
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 

Recommended

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection zakieh alizadeh
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisCysinfo Cyber Security Community
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideCysinfo Cyber Security Community
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
 
Sql Injection at Hashemite University
Sql Injection at Hashemite UniversitySql Injection at Hashemite University
Sql Injection at Hashemite UniversityYusuf Amro
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Netscaler java applet troubleshooting
Netscaler java applet troubleshootingNetscaler java applet troubleshooting
Netscaler java applet troubleshootingB K Chaudhari
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Htaccess info
Htaccess infoHtaccess info
Htaccess infoumakant jadhav
 
Sql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuSql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuCristian Alexandrescu
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...DevDay.org
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...Edureka!
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsCysinfo Cyber Security Community
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL InjectionMd Syed Ahamad
 
Systems Introspection
Systems IntrospectionSystems Introspection
Systems IntrospectionAndrew Howden
 
Javascript Testing
Javascript TestingJavascript Testing
Javascript TestingPrasanna Kanagasabai
 
IronSAP
IronSAP IronSAP
IronSAP Prasanna Kanagasabai
 

More Related Content

What's hot

Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
Sql Injection at Hashemite University
Sql Injection at Hashemite UniversitySql Injection at Hashemite University
Sql Injection at Hashemite UniversityYusuf Amro
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Netscaler java applet troubleshooting
Netscaler java applet troubleshootingNetscaler java applet troubleshooting
Netscaler java applet troubleshootingB K Chaudhari
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Sql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuSql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuCristian Alexandrescu
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...DevDay.org
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...Edureka!
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsCysinfo Cyber Security Community
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL InjectionMd Syed Ahamad
 
Systems Introspection
Systems IntrospectionSystems Introspection
Systems IntrospectionAndrew Howden
 

What's hot (20)

Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReport
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Sql Injection at Hashemite University
Sql Injection at Hashemite UniversitySql Injection at Hashemite University
Sql Injection at Hashemite University
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
Flashack
FlashackFlashack
Flashack
 
Secure code
Secure codeSecure code
Secure code
 
Netscaler java applet troubleshooting
Netscaler java applet troubleshootingNetscaler java applet troubleshooting
Netscaler java applet troubleshooting
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Htaccess info
Htaccess infoHtaccess info
Htaccess info
 
Sql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuSql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian Alexandrescu
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
 
Systems Introspection
Systems IntrospectionSystems Introspection
Systems Introspection
 

Viewers also liked

PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)
PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)
PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)Joshua Warren
 
How to Automate API Testing
How to Automate API TestingHow to Automate API Testing
How to Automate API TestingBruno Pedro
 
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍA
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍAFARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍA
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍAdedy jhan carlos
 

Viewers also liked (7)

Javascript Testing
Javascript TestingJavascript Testing
Javascript Testing
 
IronSAP
IronSAP IronSAP
IronSAP
 
Automated tests to a REST API
Automated tests to a REST APIAutomated tests to a REST API
Automated tests to a REST API
 
PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)
PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)
PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)
 
BDD for APIs
BDD for APIsBDD for APIs
BDD for APIs
 
How to Automate API Testing
How to Automate API TestingHow to Automate API Testing
How to Automate API Testing
 
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍA
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍAFARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍA
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍA
 

Similar to Selenium Conference 2014 -- Bangalore

Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)Nitroxis Sprl
 
Your Last manual Assessment
Your Last manual AssessmentYour Last manual Assessment
Your Last manual Assessmentdevgrega
 
Security on Rails
Security on RailsSecurity on Rails
Security on RailsDavid Paluy
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kimjaxconf
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesYulian Slobodyan
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampFelipe Prado
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASPMizno Kruge
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
 
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollectivePuppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollectivePuppet
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionAhmed AbdelSatar
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
MySQL server security
MySQL server securityMySQL server security
MySQL server securityDamien Seguy
 

Similar to Selenium Conference 2014 -- Bangalore (20)

ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
Your Last manual Assessment
Your Last manual AssessmentYour Last manual Assessment
Your Last manual Assessment
 
Security on Rails
Security on RailsSecurity on Rails
Security on Rails
 
Sql
SqlSql
Sql
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security Issues
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASP
 
Asp
AspAsp
Asp
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
 
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollectivePuppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injection
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
MySQL server security
MySQL server securityMySQL server security
MySQL server security
 

Recently uploaded

Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 

Recently uploaded (20)

Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 

Selenium Conference 2014 -- Bangalore

  • 1. Automation in Security Prasanna K, Ketan Soni
  • 2. Agenda Typical use of Selenium Information Security How To achieve complete coverage Workflow Injection Attacks Conclusion
  • 3. Introductions Prasanna Kanagasabai Pentester @ ThoughtWorks Author of IronSAP Speaker @ various security conferences Proud OSCP Ketan Soni QA @ ThoughtWorks
  • 4. Typical use of Selenium UI Automation Cross Browser Testing Could We do more …….
  • 5. Information Security Exploratory testing Find Defects Proactive Harming the system One of the most Exciting Jobs 
  • 6. How To achieve complete coverage Applications are ever increasing Applications Tech stack has become vast Security attacks have become complex Security cannot be compromised Trained resources are finite Solution : Automation
  • 7. Workflow Define a Scenario Generate Payload Deliver Payload Match Results for Success / Failure Test Scenario Identify Test Data Execution of Test Scenario’s Validation QA Flow Security Flow
  • 8. Workflow -- Example Login without User Credentials Password List Brute force Script Login Success / Failure
  • 9. How did we arrive @ Selenium Ajax in Normal “Urllib” Libraries were difficult Selenium could handle Ajax Requests easily.
  • 11. SQL Injection 11 admin adminPass Username Password Submit SELECT * FROM users WHERE username = ‘admin’ AND password = ‘adminPass’
  • 12. SQL Injection 12 ’OR 1=1--' BlahBlah Username Password Submit SELECT * FROM users WHERE username = ‘’ OR 1=1 --’’ AND password = ‘BlahBlah’
  • 13. SQL Injection 13 ’OR 1=1--' BlahBlah Username Password Submit SELECT * FROM users WHERE username = ‘’ OR 1=1
  • 16. XSS 16 Search Hello there friends Search results for “Hello there friends”
  • 17. XSS 17 Hello <script>alert(“Hello World)</script> Search there friends Search results for “Hello
  • 19. Command Injection Ping Host 12.0.0.1 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.044 ms 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.049 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.040 ms --- 127.0.0.1 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.040/0.044/0.049/0.004 ms
  • 21. Binary Protocols Binary Json, Protobuff Data is travelling in Mostly HEX Add code to teach tools Presented this plugin @ C0C0N
  • 23. What More … Cookiejar – for Cookie Management Suds – Web services Automation Lxml – Similar to BS4 Json – To work with Json pyAmf – AMF Protocol SimpleHTTPServer – Simplest Webserver (python –m SimpleHTTPServer 9080) Twisted
  • 24. Conclusion Helps in larger code coverage Saving time Careful calibration is needed Cant fully replace manual testing
  • 25. Questions ?? shifu@thoughtworks.com Ketan.soni@thoughtworks.com @prasannain @ketan_soni