Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help

Towards a More Secure, Reliable, and Performant Web: Tools /Approaches to Help September 22, 2010 Stephen Donner WebQA Lead Michael Coates Web-Applications Security Guru Mozilla Corporation

Overview • Types of Attacks / Vulnerabilities (just a few) • Why Use Tools / Beneﬁts? • Web-App Performance • Load-Testing Sites • Security / Fuzzing • Link Checkers • Gotchas / Pitfalls • Recommendations / Best Practices 9/22/2010 2 Mozilla WebQA

Types of Attacks / Vulnerabilities (just a few) • CSRF - Cross-Site Request Forgery • “An attack which forces an end user to With a little help ofactions engineering (like sending a which he/she is currently authenticated. execute unwanted social on a web application in link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing.” [1] • XSS - Cross-Site Scripting • “...malicious scripts areoccur when an attacker usesbenign and trusted to send malicious scripting (XSS) attacks injected into the otherwise a web application web sites. Cross-site code, generally in the form of a browser side script, to a different end user [...] the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.” [2] Sources: • [1] http://www.owasp.org/index.php/CSRF • [2] http://www.owasp.org/index.php/Cross- site_Scripting_(XSS) 9/22/2010 3 Mozilla WebQA

Types of Attacks / Vulnerabilities (just a few) • SQL Injection - http://www.owasp.org/index.php/SQL_Injection • “injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given ﬁle present on the DBMS ﬁle system and in some cases issue commands to the operating system.” [3] • ...and many more: • OWASP list of attacks • OWASP list of vulnerabilities Sources: • [3] http://www.owasp.org/index.php/ 9/22/2010 4 Mozilla WebQA

Why Use Tools / Beneﬁts? • Saves time • Increases/augments manual coverage • Ensures a certain set of tests run every time • (Eliminates the human-failure component) • Can help educate the tester 9/22/2010 5 Mozilla WebQA

Web-App Performance Sites / Add-ons • Performance-Testing Sites: • BrowserMob - http://browsermob.com • Webpagetest - http://www.webpagetest.org/ • Firefox Add-ons: • Firebug - http://getﬁrebug.com/ • YSlow! - http://developer.yahoo.com/yslow/ 9/22/2010 6 Mozilla WebQA

Load-Testing Sites • Load Impact - http://loadimpact.com/ • Load Labs - http://loadlabs.com/ • Gomez - http://www.gomez.com 9/22/2010 7 Mozilla WebQA

Load / Performance-Testing Tools • Siege - http://www.joedog.org/index/siege-home • siege -c50 -r150 -i http://input.stage.mozilla.com • ab (Apache Benchmark) - http://httpd.apache.org/docs/2.0/programs/ab.html • ab -c 150 -n 600 http://preview.addons.mozilla.org:81/en-US/ firefox/collection/enkei (run on Khan) • JMeter - http://jakarta.apache.org/jmeter/ • Benchmarking/performance/stress-testing • logreplay - http://github.com/oremj/logreplay • Takes Apache access logs and, well, replays them :-) • All but JMeter used for AMO: https://wiki.mozilla.org/User:Clouserw/AMO/loadtest 9/22/2010 8 Mozilla WebQA

Security / Fuzzing • PowerFuzzer: • http://www.powerfuzzer.com/ • XSS Me: • http://labs.securitycompass.com/index.php/exploit-me/xss-me/ • SQL Inject Me: • http://labs.securitycompass.com/index.php/exploit-me/sql-inject-me/ • TamperData: • https://addons.mozilla.org/en-US/ﬁrefox/addon/966/ • Acunetix (XSS only): • http://www.acunetix.com/cross-site-scripting/scanner.htm 9/22/2010 9 Mozilla WebQA

Link Checkers • Xenu • http://home.snafu.de/tilman/xenulink.html • W3C • http://validator.w3.org/checklink/ 9/22/2010 10 Mozilla WebQA

Gotchas / Pitfalls • Over-reliance on automated tools/websites • “One test tool ﬁts all” fallacy • Not knowing the tool and its limits / strengths • Once is (usually) never enough • Not knowing enough about your system / infrastructure 9/22/2010 11 Mozilla WebQA

Recommendations / Guidelines • Balance your testing: augment manual with automation • Pick the best tool for the task • Read up on tools (from multiple sources) before and during use • Run them often: in the background of a VM while manually testing • Read up on/ask about your framework; look for published vulnerabilities (Drupal, anyone?) 9/22/2010 12 Mozilla WebQA

References • OWASP Top 10 • http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • Security-coding guidelines for Developers: • https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines • Security-coding checklist for QA: • https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist • Web Test Tools: • http://www.softwareqatest.com/qatweb1.html • Security Test Tools: • http://www.softwareqatest.com/qatweb1.html#SECURITY 9/22/2010 13 Mozilla WebQA

Thank You! • WebQA homepage: • https://wiki.mozilla.org/QA/Execution/Web_Testing • Get Involved: • http://quality.mozilla.org/docs/webqa/get-involved/ • Contact Us: • IRC: • #mozwebqa on irc.mozilla.org • Mailing List: • mozwebqa@mozilla.org 9/22/2010 14 Mozilla WebQA

Questions? 9/22/2010 15 Mozilla WebQA

Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help

by Stephen Donner

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics