Security Testing and Debugging Tools

Security Testing/Debugging
From Rich Helton’s October 2010 C# Web Security
Security Testing
-FXCop
-CAT.NET
-NUnit
-HTMLUnit
-Selenium
White Box Testing
- White-box testing is testing the system based on the internal perspective of the system.
- In this case, this is also known as Static Analysis.
- These tools can find issues with the source code before the code is actually executed.
- A list of tools can be found at http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
CAT.NET
(A plugin that can be added from the Windows SDK)
- CAT.NET can be used with Visual Studio to analyze the current solution. Here is a Visual Studio 2008 popup after selecting Tools->CAT.NET Analysis Tool from the menu:
CAT.NET
(After pushing the Excel report button)
FXCop
- CAT.NET rules can be run in FXCop instead of Visual Studio.
- FXCop examines the assemblies and object code, not the source. It can be downloaded as part of the Windows SDK.
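As an added illustration, not code from the deck, of what a static analyzer such as CAT.NET reports: it traces untrusted request input through the code to sinks such as SQL commands and the HTTP response. The hypothetical ASP.NET page below shows an unsafe search handler beside its hardened form; the connection string, the Products table and the handler names are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Added example (not from the slides): the same data flow, once tainted and once hardened.
public partial class Search : Page
{
    // placeholder connection string for the illustration
    private const string ConnectionString = "Server=.;Database=Shop;Integrated Security=true";

    // Vulnerable: the query string is concatenated straight into SQL (SQL injection sink)
    // and echoed raw into the HTML response (cross-site scripting sink).
    protected void Search_Unsafe(object sender, EventArgs e)
    {
        string term = Request.QueryString["q"];
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT Name FROM Products WHERE Name LIKE '%" + term + "%'", conn))
        {
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
                while (rdr.Read())
                    Response.Write("<li>" + rdr.GetString(0) + "</li>");
        }
        Response.Write("Results for " + term);
    }

    // Hardened: a parameterized query and HTML output encoding, so neither sink
    // receives tainted data and the analyzer no longer reports the flow.
    protected void Search_Safe(object sender, EventArgs e)
    {
        string term = Request.QueryString["q"] ?? string.Empty;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT Name FROM Products WHERE Name LIKE @pattern", conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 100).Value = "%" + term + "%";
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
                while (rdr.Read())
                    Response.Write("<li>" + HttpUtility.HtmlEncode(rdr.GetString(0)) + "</li>");
        }
        Response.Write("Results for " + HttpUtility.HtmlEncode(term));
    }
}
```

Running the analyzer over the solution and keeping only the hardened handler is the check to repeat on every build; the unsafe handler is kept here only to show what the report points at.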
NUNIT
- See www.nunit.org
NUNIT
Headless Browser
- Headless Browser Automation
- Can replicate a real-world browser.
- Can automate the test.
- Provides low-level control over the HTML and HTTP.
- Reference http://blog.stevensanderson.com/2010/03/30/using-htmlunit-on-net-for-headless-browser-automation/
HTMLUnit steps
- Download HTMLUnit http://sourceforge.net/projects/htmlunit/
- Download IKVM http://sourceforge.net/projects/ikvm/files/
- Create the HTMLUnit DLL:
- Run "ikvmc -out:htmlunit-2.7.dll *.jar"
- Include the htmlunit, IKVM.OpenJDK, and nunit DLLs in the external assemblies.
What about the HTML?
- HTTPUnit is great for HTTP requests and responses, but what if I want to parse the HTML code directly from the Web server and examine the HTML before doing any work?
- HTMLUnit provides a “getPage()” routine to examine the HTML source code.
- This allows walking through the “HREF”s, images, and other pieces of the HTML code before acting on an item.
- Selenium IDE is another open source concept: an Integrated Development Environment running on top of the Firefox browser as a plugin.
- It records browser actions that can be played back to execute button pushes and other actions inside the browser.
- Assertions can be executed on the HTML pages themselves to check specific information.
- The test itself can be exported into JUnit Java code to execute in Java.
HtmlUnit on C#
HtmlUnit on C# (Nunit Test)
(Under Construction page)
HtmlUnit on C# (Nunit Test)
(Page not found)
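The NUnit test shown in the screenshots above is not reproduced on this page, so here is an added example of the same setup (not the deck's own test): HtmlUnit driven from C# through the IKVM-compiled htmlunit-2.7.dll, using getPage() to walk the HREFs before acting on them, and checking the "Page not found" case for a generic error body. The site URL and page names are placeholders.

```csharp
using System.Collections.Generic;
using NUnit.Framework;
using com.gargoylesoftware.htmlunit;        // IKVM-compiled HtmlUnit namespace
using com.gargoylesoftware.htmlunit.html;

// Added example: HtmlUnit from NUnit in C#. BaseUrl is an assumed placeholder.
[TestFixture]
public class HtmlSecurityChecks
{
    private const string BaseUrl = "http://localhost:1234/";
    private WebClient client;

    [SetUp]
    public void SetUp()
    {
        client = new WebClient();
        // Keep the error page instead of throwing on 404/500, because we want to inspect it.
        client.setThrowExceptionOnFailingStatusCode(false);
        client.setJavaScriptEnabled(false);
    }

    [TearDown]
    public void TearDown()
    {
        client.closeAllWindows();
    }

    // Walk every anchor in the parsed page and return the hrefs that leave the site.
    public static List<string> OffSiteLinks(HtmlPage page, string baseUrl)
    {
        var offSite = new List<string>();
        java.util.List anchors = page.getAnchors();
        for (int i = 0; i < anchors.size(); i++)
        {
            var anchor = (HtmlAnchor)anchors.get(i);
            string href = anchor.getHrefAttribute();
            if (href.StartsWith("http") && !href.StartsWith(baseUrl))
                offSite.Add(href);
        }
        return offSite;
    }

    [Test]
    public void HomePage_HasNoOffSiteLinks()
    {
        var page = (HtmlPage)client.getPage(BaseUrl + "Default.aspx");
        Assert.That(OffSiteLinks(page, BaseUrl), Is.Empty);
    }

    // The "Page not found" case: the response must be an error status with a generic body,
    // never a stack trace or exception text.
    [Test]
    public void MissingPage_ReturnsGenericError()
    {
        var page = (HtmlPage)client.getPage(BaseUrl + "IamNotHere.aspx");
        int status = page.getWebResponse().getStatusCode();
        string body = page.asText();
        Assert.That(status, Is.EqualTo(404).Or.EqualTo(500));
        StringAssert.DoesNotContain("Stack Trace", body);
        StringAssert.DoesNotContain("Exception", body);
    }
}
```

The HtmlUnit calls keep their Java names under IKVM (getPage, getAnchors, getHrefAttribute), and the Java List comes back as java.util.List from the IKVM.OpenJDK assemblies, which is why the anchors are indexed rather than enumerated with foreach.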
Selenium IDE
- Selenium IDE is another open source concept: an Integrated Development Environment running on top of the Firefox browser as a plugin.
- Supports load testing.
- It records browser actions that can be played back to execute button pushes and other actions inside the browser.
- Assertions can be executed on the HTML pages themselves to check specific information.
- The test itself can be exported into Java, .NET, Perl, Ruby, etc., and then code in that language executes the tests.
Selenium IDE Test
Does the framework matter?
- JWebUnit wraps both HTMLUnit and Selenium so that code can be written for either framework using a unified framework.
- This way code can be written once in a single framework and executed using multiple HTML frameworks. http://jwebunit.sourceforge.net/
Security Debugging
-Logging
-Exceptions
-Log4Net
-NLog
-Error Pages
Has my system been compromised?
- Logging and error handling are among the most important concepts in security.
- When an incident happens, the first questions are always “How did they get in?” and “What data was compromised?”.
- The least favorite answer is usually “No one knows.”
- With efficient logging of authorization, access to secure information, and any anomalous interaction with the system, a proper recovery of the system is usually ensured.
- The logs should be stored on a different system in case the Web system is ever compromised, one where the Web system sends them but never asks for them back.
- Logging is a fundamental API that comes with the Java and .NET languages.
Logging the C# way….
using System;
using System.Diagnostics;

class EventLogExample
{
    static void Main(string[] args)
    {
        string sSource = "my warning message";   // event source name, registered once
        string sLog = "Application";             // Windows event log to write into
        string sEvent = "Sample Event";          // message text
        // Registering a new source needs administrative rights; it is a one-time step.
        if (!EventLog.SourceExists(sSource))
            EventLog.CreateEventSource(sSource, sLog);
        // Informational entry, then a Warning entry with event ID 234
        EventLog.WriteEntry(sSource, sEvent);
        EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234);
    }
}
The C# Logger output….
Exception Handling
- Exception handling has helped debugging immensely. It allows a programmer to code for anomalies and handle bizarre behavior.
- There are 3 components of handling an exception: the “try”, “catch” and “finally” blocks.
- The “try” block will throw an exception from normal code, the “catch” block will catch the exception and handle it, and the “finally” block will process the cleanup afterwards.
- The “catch” block can log the anomaly, stop the program, or process it in a hundred different ways.
- You can write your own custom exception classes to trace specific pieces of code.
C# Exception Handling code….
using System;
using System.IO;

class TestException {
    static void Main(string[] args) {
        StreamReader myReader = null;
        try {
            // constructor will throw FileNotFoundException
            myReader = new StreamReader("IamNotHere.txt");
        } catch (FileNotFoundException e) {
            // most specific catch first: FileNotFoundException derives from IOException
            Console.WriteLine("FileNotFoundException was {0}", e.Message);
        } catch (IOException e) {
            Console.WriteLine("IOException was {0}", e.Message);
        } finally {
            // cleanup runs whether or not the try block threw
            if (myReader != null) {
                try {
                    myReader.Close();
                } catch (IOException e) {
                    Console.WriteLine("IOException was {0}", e.Message);
                }
            }
        }
    }
}
Output-> FileNotFoundException was Could not find file 'C:\IamNotHere.txt'.
Log4net
- The previous logging and exception handling example has many hard-coded pieces. Log4Net offers more de-coupling by being separated out as a highly configurable framework.
- http://logging.apache.org/log4net/
- Even though the basic CLR logging framework can accept changes of destination through its Handler in the “logging.properties”, Log4Net offers more advanced features in the XML use of its Appender class.
- Log4Net supports XML configuration and a text configuration in log4Net.properties.
- Log4Net supports Appenders that will append the logs to databases, emails, files, etc. http://logging.apache.org/log4net/release/config-examples.html
Log4Net ASP.NET code
Log4j Console output
Adding an Appender #1
- Let’s read the XML Appender from app.config.
- Change the BasicConfigurator to XmlConfigurator:
Adding an Appender #2
- Add app.config for "c:\Log\log.txt":
Adding an Appender Running
- Reading "c:\Log\log.txt":
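The app.config and code from the "Adding an Appender" screenshots are not reproduced on this page, so here is an added example (not the deck's code) covering both that slide and the earlier point about shipping logs to a separate system the Web server never reads back. The <log4net> element is the same one that would sit in app.config; it is embedded as a string here only so the example is self-contained. The collector address 10.0.0.5 and the logger name Security.Audit are placeholders.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using log4net;
using log4net.Config;

// Added example: log4net appenders from XML plus an audit logger for security events.
public static class SecurityLogging
{
    // Same element as in app.config: a local rolling file (c:\Log\log.txt, as on the slide)
    // and a write-only copy to a remote syslog host (placeholder 10.0.0.5).
    private const string Log4NetConfig = @"
<log4net>
  <appender name=""RollingFile"" type=""log4net.Appender.RollingFileAppender"">
    <file value=""c:\Log\log.txt"" />
    <appendToFile value=""true"" />
    <rollingStyle value=""Size"" />
    <maxSizeRollBackups value=""10"" />
    <maximumFileSize value=""1MB"" />
    <layout type=""log4net.Layout.PatternLayout"">
      <conversionPattern value=""%date [%thread] %-5level %logger - %message%newline"" />
    </layout>
  </appender>
  <appender name=""Syslog"" type=""log4net.Appender.RemoteSyslogAppender"">
    <remoteAddress value=""10.0.0.5"" />
    <remotePort value=""514"" />
    <facility value=""Local1"" />
    <layout type=""log4net.Layout.PatternLayout"">
      <conversionPattern value=""%date %-5level %logger - %message%newline"" />
    </layout>
  </appender>
  <root>
    <level value=""INFO"" />
    <appender-ref ref=""RollingFile"" />
    <appender-ref ref=""Syslog"" />
  </root>
</log4net>";

    private static readonly ILog Audit = LogManager.GetLogger("Security.Audit");

    // XmlConfigurator replaces BasicConfigurator; with the element in app.config this is
    // simply XmlConfigurator.Configure() with no arguments.
    public static void Configure()
    {
        using (var xml = new MemoryStream(Encoding.UTF8.GetBytes(Log4NetConfig)))
            XmlConfigurator.Configure(xml);
    }

    // Remove CR/LF and other control characters so a crafted user name or URL cannot
    // forge extra log lines in the file or on the collector.
    public static string Clean(string value)
    {
        return Regex.Replace(value ?? string.Empty, @"[\r\n\t\p{C}]", " ");
    }

    // Authorization failures: one of the events the slide says must always be logged.
    public static void AuthorizationDenied(string user, string resource, string clientIp)
    {
        Audit.WarnFormat("AUTHZ_DENIED user=\"{0}\" resource=\"{1}\" client={2}",
                         Clean(user), Clean(resource), Clean(clientIp));
    }

    // Access to secure information, logged as a normal event so a recovery can be reconstructed.
    public static void SensitiveDataRead(string user, string recordId)
    {
        Audit.InfoFormat("SENSITIVE_READ user=\"{0}\" record={1}", Clean(user), Clean(recordId));
    }
}
```

Call SecurityLogging.Configure() once at application start (Application_Start in Global.asax for a web project), then log through the audit methods. The syslog appender is UDP, so the Web server only sends; nothing on the host can read or rewrite the copy on the collector, which is the property the earlier slide asks for.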
NLog
- NLog is similar to Log4Net. The difference is that Log4Net is a .NET version of Log4J and is a framework, while NLog is a plugin to Visual Studio with templates.
- http://nlog-project.org/
NLog
- Adding log configuration with the Visual Studio 2010 plugin:
NLog
- When debugging from VS2010, the default logging directory maps to C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0 .
- This NLog.config will append the logger to a file named after the class name, i.e. WebApplication1._Default.txt:
NLog code
- From the WebApplication1 class, Default.aspx.cs code:
NLog log file
- Printing the WebApplication1._Default.txt:
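The NLog.config and code-behind in the screenshots are not on this page; this added example (not the deck's code) sets up the same per-class file naming in code. ${logger} expands to the logger name, and GetCurrentClassLogger() sets that name to the full class name, which is how the _Default page ends up writing WebApplication1._Default.txt under the base directory. The page class is hypothetical.

```csharp
using System;
using NLog;
using NLog.Config;
using NLog.Targets;

// Added example: equivalent of an NLog.config with one File target named by ${logger}.
public static class NLogSetup
{
    public static void Configure()
    {
        var config = new LoggingConfiguration();
        var file = new FileTarget
        {
            Name = "perClassFile",
            // one file per logger, i.e. per class: <basedir>\WebApplication1._Default.txt
            FileName = "${basedir}/${logger}.txt",
            Layout = "${longdate} ${level:uppercase=true} ${logger} ${message} ${exception:format=tostring}"
        };
        config.AddTarget("perClassFile", file);
        config.LoggingRules.Add(new LoggingRule("*", LogLevel.Info, file));
        LogManager.Configuration = config;
    }
}

// Hypothetical stand-in for the Default.aspx.cs code-behind on the slide.
namespace WebApplication1
{
    public partial class _Default : System.Web.UI.Page
    {
        // logger name becomes "WebApplication1._Default"
        private static readonly Logger Log = LogManager.GetCurrentClassLogger();

        protected void Page_Load(object sender, EventArgs e)
        {
            Log.Info("Page_Load from {0}", Request.UserHostAddress);
        }
    }
}
```

With the ASP.NET Development Server, ${basedir} is the DevServer directory named on the slide, which is why the file shows up there while debugging; under IIS it is the application's bin path unless the target is given an absolute directory.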
Error Pages
- Default error pages may display unintentional information. For instance, some error pages may display database information in an exception.
- An error page giving details, like a database or table name, may be more than enough to give an attacker the information needed to launch an attack at the website.
- To correct bad error handling in pages, Tomcat, Struts and other Web engines allow default configurations to throw a specific error page for any unknown exception. For instance, many Web Application Firewalls (WAFs) will generate an HTTP 500 “Internal Server Error” page when blocking an attack.
Hackme Books
(Bad error handling)
Send something more generic
(based on business input)
Web Error pages….
Many web sites use the default error pages that show the user exceptions, even exceptions from the database. Database exceptions have a tendency to display table names and invalid SQL statements that can be used for further probing.
To send all errors to a custom error page, add this to the web.config file for IIS (customErrors belongs inside the system.web element):
<system.web>
  <customErrors mode="On" defaultRedirect="errors/ErrorPage.aspx">
  </customErrors>
</system.web>
Custom Errors in ASP.NET
- A good resource on the issue is http://www.codeproject.com/KB/aspnet/customerrorsinaspnet.aspx
- The idea is to redirect the error to a generic error.html page via the web.config configuration.
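The customErrors setting hides the detail from the user but, on its own, also loses it for the operator. This added example (not from the deck) is a Global.asax handler that keeps the two apart: the full exception, including any database message, goes to the log, and the browser gets only the generic page from the web.config fragment above plus a reference id. The log4net logger name and the ref key are assumptions.

```csharp
using System;
using System.Web;
using log4net;

// Added example: central handling of unhandled ASP.NET errors.
public class Global : HttpApplication
{
    private static readonly ILog Log = LogManager.GetLogger(typeof(Global));

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Distinguish "Page not found" from a real failure; everything else is a 500.
        var http = ex as HttpException;
        int status = http != null && http.GetHttpCode() == 404 ? 404 : 500;

        // Opaque id the user can quote to support; it is the only error detail they see.
        string reference = Guid.NewGuid().ToString("N");
        string user = Context.User != null && Context.User.Identity.IsAuthenticated
                      ? Context.User.Identity.Name : "-";

        // Detail stays server-side: who, where, what, and the full exception chain
        // (a SqlException message with table names ends up here, never in the response).
        Log.ErrorFormat("ref={0} status={1} url={2} client={3} user={4}",
                        reference, status, Request.RawUrl, Request.UserHostAddress, user);
        Log.Error("unhandled exception", ex);

        // Drop the default diagnostic page and serve the generic one with the right status.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = status;
        Response.TrySkipIisCustomErrors = true;
        // Server.Transfer keeps the same HttpContext, so the page reads the id from
        // Context.Items instead of a query string that a visitor could craft.
        Context.Items["ErrorReference"] = reference;
        Server.Transfer("~/errors/ErrorPage.aspx", false);
    }
}
```

ErrorPage.aspx then shows a fixed message and Context.Items["ErrorReference"], nothing else; the customErrors element remains in place as the fallback for any failure this handler cannot reach (for example a compile error in the page itself).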
Send something more generic
(based on business input)

More Related Content

What's hot

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
Web application framework
Web application frameworkWeb application framework
Web application frameworkPankaj Chand
 
PHP environment setup installation
PHP environment setup installation PHP environment setup installation
PHP environment setup installation e-visionlabs
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Automated testing using Selenium & NUnit
Automated testing using Selenium & NUnitAutomated testing using Selenium & NUnit
Automated testing using Selenium & NUnitAlfred Jett Grandeza
 
Web Design 101
Web Design 101Web Design 101
Web Design 101T.S. Lim
 
Modern Web Development
Modern Web DevelopmentModern Web Development
Modern Web DevelopmentRobert Nyman
 
Web API testing : A quick glance
Web API testing : A quick glanceWeb API testing : A quick glance
Web API testing : A quick glanceDhanalaxmi K
 
Selenium C# - The Essential Test Automation Guide
Selenium C# - The Essential Test Automation GuideSelenium C# - The Essential Test Automation Guide
Selenium C# - The Essential Test Automation GuideRapidValue
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Test automation using selenium
Test automation using seleniumTest automation using selenium
Test automation using seleniumshreyas JC
 
Presentation on Visual Studio
Presentation on Visual StudioPresentation on Visual Studio
Presentation on Visual StudioMuhammad Aqeel
 
Web-Development-ppt (1).pptx
Web-Development-ppt (1).pptxWeb-Development-ppt (1).pptx
Web-Development-ppt (1).pptxRaihanUddin57
 

What's hot (20)

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
Selenium presentation
Selenium presentationSelenium presentation
Selenium presentation
 
Web application framework
Web application frameworkWeb application framework
Web application framework
 
PHP environment setup installation
PHP environment setup installation PHP environment setup installation
PHP environment setup installation
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Automated testing using Selenium & NUnit
Automated testing using Selenium & NUnitAutomated testing using Selenium & NUnit
Automated testing using Selenium & NUnit
 
Sending Email
Sending EmailSending Email
Sending Email
 
Web Design 101
Web Design 101Web Design 101
Web Design 101
 
SELENIUM PPT.pdf
SELENIUM PPT.pdfSELENIUM PPT.pdf
SELENIUM PPT.pdf
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 
Modern Web Development
Modern Web DevelopmentModern Web Development
Modern Web Development
 
Web API testing : A quick glance
Web API testing : A quick glanceWeb API testing : A quick glance
Web API testing : A quick glance
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
Introduction to Robot Framework
Introduction to Robot FrameworkIntroduction to Robot Framework
Introduction to Robot Framework
 
Php Presentation
Php PresentationPhp Presentation
Php Presentation
 
Selenium C# - The Essential Test Automation Guide
Selenium C# - The Essential Test Automation GuideSelenium C# - The Essential Test Automation Guide
Selenium C# - The Essential Test Automation Guide
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Test automation using selenium
Test automation using seleniumTest automation using selenium
Test automation using selenium
 
Presentation on Visual Studio
Presentation on Visual StudioPresentation on Visual Studio
Presentation on Visual Studio
 
Web-Development-ppt (1).pptx
Web-Development-ppt (1).pptxWeb-Development-ppt (1).pptx
Web-Development-ppt (1).pptx
 

Similar to Security Testing and Debugging Tools

Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaSandeep Tol
 
Exploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version EnglishExploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version Englishchen yuki
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyBrian Lyttle
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)Tech OneStop
 
UI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricksUI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricksTsimafei Avilin
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
Selenium Automation in Java Using HttpWatch Plug-in
 Selenium Automation in Java Using HttpWatch Plug-in  Selenium Automation in Java Using HttpWatch Plug-in
Selenium Automation in Java Using HttpWatch Plug-in Sandeep Tol
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notesWE-IT TUTORIALS
 
Innoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl WebpagesInnoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl Webpagesd0x
 
.NET TECHNOLOGIES
.NET TECHNOLOGIES.NET TECHNOLOGIES
.NET TECHNOLOGIESProf Ansari
 
PVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckPVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckAndrey Karpov
 
Ef Poco And Unit Testing
Ef Poco And Unit TestingEf Poco And Unit Testing
Ef Poco And Unit TestingJames Phillips
 
Comparative Development Methodologies
Comparative Development MethodologiesComparative Development Methodologies
Comparative Development Methodologieselliando dias
 
Mastering Test Automation: How To Use Selenium Successfully
Mastering Test Automation: How To Use Selenium SuccessfullyMastering Test Automation: How To Use Selenium Successfully
Mastering Test Automation: How To Use Selenium SuccessfullySpringPeople
 

Similar to Security Testing and Debugging Tools (20)

Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in Java
 
Exploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version EnglishExploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version English
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
 
UI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricksUI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricks
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
Selenium Automation in Java Using HttpWatch Plug-in
 Selenium Automation in Java Using HttpWatch Plug-in  Selenium Automation in Java Using HttpWatch Plug-in
Selenium Automation in Java Using HttpWatch Plug-in
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notes
 
Innoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl WebpagesInnoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl Webpages
 
.NET TECHNOLOGIES
.NET TECHNOLOGIES.NET TECHNOLOGIES
.NET TECHNOLOGIES
 
PVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckPVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd Check
 
Php
PhpPhp
Php
 
Ef Poco And Unit Testing
Ef Poco And Unit TestingEf Poco And Unit Testing
Ef Poco And Unit Testing
 
Comparative Development Methodologies
Comparative Development MethodologiesComparative Development Methodologies
Comparative Development Methodologies
 
Mastering Test Automation: How To Use Selenium Successfully
Mastering Test Automation: How To Use Selenium SuccessfullyMastering Test Automation: How To Use Selenium Successfully
Mastering Test Automation: How To Use Selenium Successfully
 

More from Rich Helton

Java for Mainframers
Java for MainframersJava for Mainframers
Java for MainframersRich Helton
 
I pad uicatalog_lesson02
I pad uicatalog_lesson02I pad uicatalog_lesson02
I pad uicatalog_lesson02Rich Helton
 
Mongo db rev001.
Mongo db rev001.Mongo db rev001.
Mongo db rev001.Rich Helton
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101Rich Helton
 
AspMVC4 start101
AspMVC4 start101AspMVC4 start101
AspMVC4 start101Rich Helton
 
Entity frameworks101
Entity frameworks101Entity frameworks101
Entity frameworks101Rich Helton
 
Tumbleweed intro
Tumbleweed introTumbleweed intro
Tumbleweed introRich Helton
 
Salesforce Intro
Salesforce IntroSalesforce Intro
Salesforce IntroRich Helton
 
LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
LEARNING	 iPAD STORYBOARDS IN OBJ-­‐C LESSON 1LEARNING	 iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1Rich Helton
 
Learning C# iPad Programming
Learning C# iPad ProgrammingLearning C# iPad Programming
Learning C# iPad ProgrammingRich Helton
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
Python For Droid
Python For DroidPython For Droid
Python For DroidRich Helton
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4Rich Helton
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalRich Helton
 

More from Rich Helton (20)

Java for Mainframers
Java for MainframersJava for Mainframers
Java for Mainframers
 
I pad uicatalog_lesson02
I pad uicatalog_lesson02I pad uicatalog_lesson02
I pad uicatalog_lesson02
 
Mongo db rev001.
Mongo db rev001.Mongo db rev001.
Mongo db rev001.
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101
 
AspMVC4 start101
AspMVC4 start101AspMVC4 start101
AspMVC4 start101
 
Entity frameworks101
Entity frameworks101Entity frameworks101
Entity frameworks101
 
Tumbleweed intro
Tumbleweed introTumbleweed intro
Tumbleweed intro
 
Azure rev002
Azure rev002Azure rev002
Azure rev002
 
Salesforce Intro
Salesforce IntroSalesforce Intro
Salesforce Intro
 
LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
LEARNING	 iPAD STORYBOARDS IN OBJ-­‐C LESSON 1LEARNING	 iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
 
Learning C# iPad Programming
Learning C# iPad ProgrammingLearning C# iPad Programming
Learning C# iPad Programming
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in Android
 
NServiceBus
NServiceBusNServiceBus
NServiceBus
 
Python For Droid
Python For DroidPython For Droid
Python For Droid
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Python Final
Python FinalPython Final
Python Final
 
Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4
 
Adobe Flex4
Adobe Flex4 Adobe Flex4
Adobe Flex4
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
 
Jira Rev002
Jira Rev002Jira Rev002
Jira Rev002
 

Recently uploaded

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Security Testing and Debugging Tools

  • 1. Security Testing/Debugging From Rich Helton’s October 2010 C# Web Security
  • 3. White Box Testing
      • White-Box testing is testing the system based on the internal perspective of the system.
      • In this case, this is also known as Static Analysis.
      • These tools can find issues with the source code before the code is actually executed.
      • A list of tools can be found at http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
  • 4. CAT.NET (A plugin that can be added from the Windows SDK)
      • CAT.NET can be used with Visual Studio to analyze the current solution. Here is a Visual Studio 2008 popup after selecting Tools->CAT.NET Analysis Tool from the menu:
  • 5. CAT.NET (After pushing the Excel report button)
  • 6. FXCop
      • CAT.NET rules can be run in FXCop instead of Visual Studio.
      • FXCop examines the assemblies and object code and not the source. It can be downloaded as part of the Windows SDK.
  • 7. NUNIT
      • White-Box testing is testing the system based on the internal perspective of the system.
      • See www.nunit.org
      • These tools can find issues with the source code before the code is actually executed.
      • A list of tools can be found at http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
  • 9. Headless Browser
      • Headless Browser Automation
      • Can replicate a real world browser.
      • Can automate the test.
      • Provides low-level control over the HTML and HTTP.
      • Reference http://blog.stevensanderson.com/2010/03/30/using-htmlunit-on-net-for-headless-browser-automation/
  • 10. HTMLUnit steps
      • Download HTMLUnit http://sourceforge.net/projects/htmlunit/
      • Download IKVM http://sourceforge.net/projects/ikvm/files/
      • Create the HTMLUnit DLL:
      • Run “ikvmc -out:htmlunit-2.7.dll *.jar”
      • Include the htmlunit, IKVM.OpenJDK, and nunit DLLs in the external assemblies.
      • Can automate the test.
      • Provides low-level control over the HTML and HTTP.
      • Reference http://blog.stevensanderson.com/2010/03/30/using-htmlunit-on-net-for-headless-browser-automation/
  • 11. What about the HTML?
      • HTTPUnit is great for HTTP Requests and Responses, but what if I want to parse the HTML code directly from the Web Server and examine the HTML before doing any work?
      • HTMLUnit provides a “getPage()” routine to examine the HTML source code.
      • This allows walking through the “HREF”s, images, and other pieces of the HTML code before executing on the item.
      • Selenium IDE is another Open Source concept: an Integrated Development Environment running on top of the FireFox browser as a plugin.
      • This allows a recording of the browser actions that can be played back, executing button pushes and actions inside the browser.
      • Assertions can be executed on the HTML pages themselves to check specific information.
      • The test itself can be exported into JUnit Java code to execute in Java.
  • 13. HtmlUnit on C# (Nunit Test) (Under Construction page)
  • 14. HtmlUnit on C# (Nunit Test) (Page not found)
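Added example (not the deck's own test, whose screenshot is missing here): an NUnit test that drives the IKVM-built HtmlUnit DLL from slide 10, requests a page that does not exist, and checks that the "page not found" response carries none of the default ASP.NET error-page diagnostics, then walks the HREFs as slide 11 describes. The site URL, the page name and the marker strings are assumptions for a local test site.

```csharp
// Added example (not the deck's code): NUnit test driving HtmlUnit 2.7 through the
// IKVM-built htmlunit-2.7.dll from slide 10. Assumptions: the IKVM.OpenJDK assemblies
// and nunit.framework.dll are referenced, and the site under test listens at BaseUrl.
using NUnit.Framework;
using com.gargoylesoftware.htmlunit;
using com.gargoylesoftware.htmlunit.html;

[TestFixture]
public class ErrorPageTests
{
    const string BaseUrl = "http://localhost:8080/"; // assumption: local test site
    // Fragments of the default ASP.NET error page that must never reach a user.
    static readonly string[] LeakMarkers =
        { "Server Error in", "Stack Trace:", "Exception Details:", "Source File:" };

    [Test]
    public void MissingPage_ShowsGenericErrorWithoutDiagnostics()
    {
        var webClient = new WebClient();
        // HtmlUnit throws on 4xx/5xx by default; turn that off so the body of the
        // "page not found" response can be examined like any other page.
        webClient.setThrowExceptionOnFailingStatusCode(false);
        try
        {
            // Under IKVM getPage() returns the base Page type; cast to walk the HTML.
            var page = (HtmlPage)webClient.getPage(BaseUrl + "does-not-exist.aspx");
            int status = page.getWebResponse().getStatusCode();
            string text = page.asText();
            // A 404, or a 200 after the redirect to the custom error page, is fine...
            Assert.That(status == 404 || status == 200, "unexpected status " + status);
            // ...as long as no diagnostic fragment is present in the rendered text.
            foreach (string marker in LeakMarkers)
                StringAssert.DoesNotContain(marker, text);

            // Walk the HREFs as slide 11 describes: getAnchors() is a java.util.List.
            java.util.List anchors = page.getAnchors();
            for (int i = 0; i < anchors.size(); i++)
            {
                string href = ((HtmlAnchor)anchors.get(i)).getHrefAttribute();
                // The generic page should link only back into the site itself.
                Assert.IsTrue(!href.StartsWith("http") || href.StartsWith(BaseUrl),
                    "off-site link on error page: " + href);
            }
        }
        finally
        {
            webClient.closeAllWindows();
        }
    }
}
```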
  • 15. Selenium IDE
      • Selenium IDE is another Open Source concept: an Integrated Development Environment running on top of the FireFox browser as a plugin.
      • Supports load testing.
      • This allows a recording of the browser actions that can be played back, executing button pushes and actions inside the browser.
      • Assertions can be executed on the HTML pages themselves to check specific information.
      • The test itself can be exported into Java, .NET, Perl, Ruby, etc., and then code is written to execute the tests in that language.
  • 17. Does the framework matter?
      • JWebUnit wraps both HTMLUnit and Selenium so that code can be written for either framework using a unified framework.
      • This way code can be written once in a single framework and executed using multiple HTML frameworks. http://jwebunit.sourceforge.net/
  • 19. Has my system been compromised?
      • Logging and Error handling are among the most important concepts in Security.
      • When an incident happens, the first questions are always “How did they get in?” and “What data was compromised?”.
      • The least favorite answer is usually “No one knows.”
      • With efficient logging of authorization, access to secure information, and any anomalous interaction with the system, a proper recovery of the system is usually ensured.
      • The logs should be stored on a different system in case the Web system is ever compromised, one where the Web system sends them but never asks for them back.
      • Logging is a fundamental API that comes with the Java and .NET languages.
  • 20. Logging the C# way….
      using System;
      using System.Diagnostics;

      class EventLogExample
      {
          static void Main(string[] args)
          {
              // Event source name and the Windows log it is registered in
              string sSource = "my warning message";
              string sLog = "Application";
              string sEvent = "Sample Event";

              // Registering a source needs administrative rights and is done once
              if (!EventLog.SourceExists(sSource))
                  EventLog.CreateEventSource(sSource, sLog);

              // An Information entry, then a Warning entry with event ID 234
              EventLog.WriteEntry(sSource, sEvent);
              EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234);
          }
      }
  • 21. The C# Logger output….
  • 22. Exception Handling
      • Exception handling has helped debugging immensely. It allows a programmer to code for anomalies and handle bizarre behavior.
      • There are 3 components of handling an exception, and they are the “try”, “catch” and “finally” blocks.
      • The “try” block will throw an exception from normal code, the “catch” block will catch the exception and handle it, and the “finally” block will process the cleanup afterwards.
      • The “catch” block can log the anomaly, stop the program, or process it in a hundred different ways.
      • You can write your own custom exception classes to trace specific pieces of code.
  • 23. C# Exception Handling code….
      using System;
      using System.IO;

      class TestException
      {
          static void Main(string[] args)
          {
              StreamReader myReader = null;
              try
              {
                  // constructor will throw FileNotFoundException
                  myReader = new StreamReader("IamNotHere.txt");
              }
              catch (FileNotFoundException e)
              {
                  Console.WriteLine("FileNotFoundException was {0}", e.Message);
              }
              catch (IOException e)
              {
                  Console.WriteLine("IOException was {0}", e.Message);
              }
              finally
              {
                  // cleanup runs whether or not an exception was thrown
                  if (myReader != null)
                  {
                      try
                      {
                          myReader.Close();
                      }
                      catch (IOException e)
                      {
                          Console.WriteLine("IOException was {0}", e.Message);
                      }
                  }
              }
          }
      }
      Output-> FileNotFoundException was Could not find file 'C:\IamNotHere.txt'.
  • 24. Log4net
      • The previous logging and exception handling example has many hard coded pieces. Log4Net offers more de-coupling by being separated out as a highly configurable framework.
      • http://logging.apache.org/log4net/
      • Even though the basic CLR logging framework can accept changes to the destination through its Handler in the “logging.properties”, Log4Net offers more advanced features in the XML use of its Appender class.
      • Log4Net supports XML configuration and a text configuration in log4Net.properties.
      • Log4Net supports Appenders that will append the logs to databases, emails, files, etc. http://logging.apache.org/log4net/release/config-examples.html
  • 27. Adding an Appender #1
      • Let’s read the XML Appender from app.config.
      • Change the BasicConfigurator to XmlConfigurator:
  • 28. Adding an Appender #2
      • Add app.config for "c:\Log\log.txt":
  • 29. Adding an Appender Running
      • Reading "c:\Log\log.txt":
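Added example (not the deck's screenshots) of the switch described on slides 27 to 29: log4net configured through XmlConfigurator instead of BasicConfigurator, with a FileAppender writing c:\Log\log.txt. To keep the sample self-contained the <log4net> section is embedded as a string and passed to XmlConfigurator.Configure(XmlElement); in the deck the same section sits in app.config and the parameterless Configure() reads it.

```csharp
// Added example (not the deck's code): log4net driven by XML configuration.
// The <log4net> element below is what would go under <configuration> in app.config
// (with a matching <configSections> entry); here it is loaded from a string.
using System;
using System.Xml;
using log4net;
using log4net.Config;

class Log4NetAppenderExample
{
    // FileAppender for c:\Log\log.txt as on slide 28; INFO and above reach the file.
    const string Log4NetSection = @"
<log4net>
  <appender name=""FileAppender"" type=""log4net.Appender.FileAppender"">
    <file value=""c:\Log\log.txt"" />
    <appendToFile value=""true"" />
    <layout type=""log4net.Layout.PatternLayout"">
      <conversionPattern value=""%date [%thread] %-5level %logger - %message%newline"" />
    </layout>
  </appender>
  <root>
    <level value=""INFO"" />
    <appender-ref ref=""FileAppender"" />
  </root>
</log4net>";

    static void Main()
    {
        var doc = new XmlDocument();
        doc.LoadXml(Log4NetSection);
        // XmlConfigurator replaces BasicConfigurator.Configure(): appender, layout
        // and level now come from the XML instead of being hard coded in C#.
        XmlConfigurator.Configure(doc.DocumentElement);

        ILog log = LogManager.GetLogger(typeof(Log4NetAppenderExample));
        log.Info("application started");
        try
        {
            throw new UnauthorizedAccessException("access to the secure record denied");
        }
        catch (UnauthorizedAccessException ex)
        {
            // Passing the exception separately makes the appender record the stack trace too.
            log.Warn("authorization failure", ex);
        }
    }
}
```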
  • 30. NLog
      • NLog is similar to Log4Net. The difference is that Log4Net is a .Net version of Log4J and is a framework. NLog is a plugin to Visual Studio with templates.
      • http://nlog-project.org/
  • 31. NLog
      • Adding log configuration with the Visual Studio 2010 plugin:
  • 32. NLog
      • When debugging from VS2010, the default logging directory maps to C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0.
      • This NLog.config will append the logger into a file named after the class name, i.e. Webapplication1._Default.txt:
  • 33. NLog code
      • From the WebApplication1 class, Default.aspx.cs code:
  • 34. NLog log file
      • Printing the Webapplication1._Default.txt:
  • 35. Error Pages
      • Default Error pages may display unintentional information. For instance, some error pages may display database information in an exception.
      • An error page giving details, like a database or table name, may be more than enough to give an attacker enough information to launch an attack at the website.
      • To correct bad error handling in pages, Tomcat, Struts and other Web engines allow default configurations to throw a specific error page for any unknown exception. For instance, many Web Application Firewalls (WAFs) will generate an error page 500 “Internal Server Error” when blocking an attack.
  • 37. Send something more generic (based on business input)
  • 38. Web Error pages….
      Many web sites use the default error pages that show the user exceptions, even exceptions from the database. The database exceptions have a tendency to display table names and invalid SQL statements that can be used for further probing. To send all errors to a custom Error page, add to the web.config file for IIS:
      <customErrors mode="On" defaultRedirect="errors/ErrorPage.aspx">
      </customErrors>
  • 39. Custom Errors in ASP.NET
      • A good resource on the issue is http://www.codeproject.com/KB/aspnet/customerrorsinaspnet.aspx
      • The idea is to redirect the error to a generic error.html page by the web.config configuration.
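Added example (not the deck's code) of the server side of the generic-error-page idea on slides 35 to 39: a Global.asax.cs handler that writes the full exception detail to the Windows event log, as on slide 20, and sends the user only the generic page named in slide 38's web.config. The event source name and the assumption that an administrator registered it once are mine.

```csharp
// Added example (not the deck's code): ASP.NET Web Forms Application_Error handler
// that keeps exception detail server-side and shows the user the generic page.
// Assumptions: EventSource was registered once by an administrator; the error page
// path matches the defaultRedirect on slide 38.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    const string EventSource = "WebApplication1";              // assumption
    const string GenericErrorPage = "~/errors/ErrorPage.aspx"; // as in slide 38

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;

        // ASP.NET wraps page errors in HttpUnhandledException; log the root cause.
        Exception root = ex.GetBaseException();
        string detail = string.Format("{0} {1}{2}{3}",
            Request.HttpMethod, Request.RawUrl, Environment.NewLine, root);
        try
        {
            // Type, message, stack trace and any SQL text stay in the server log.
            if (EventLog.SourceExists(EventSource))
                EventLog.WriteEntry(EventSource, detail, EventLogEntryType.Error, 500);
        }
        catch (Exception)
        {
            // A logging failure must never turn into the default error page.
        }

        // Clear the error so the framework does not render its detailed page,
        // then send the user to the page that gives nothing away.
        Server.ClearError();
        Response.Redirect(GenericErrorPage, false);
        CompleteRequest();
    }
}
```

The event log is local to the web host; slide 19's advice still applies, so it should be forwarded to a separate log system rather than read back from the web server.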
  • 40. Send something more generic (based on business input)