Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
    1. Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
       September 22, 2010
       Stephen Donner, WebQA Lead
       Michael Coates, Web-Applications Security Guru
       Mozilla Corporation
    2. Overview
       • Types of Attacks / Vulnerabilities (just a few)
       • Why Use Tools / Benefits?
       • Web-App Performance
       • Load-Testing Sites
       • Security / Fuzzing
       • Link Checkers
       • Gotchas / Pitfalls
       • Recommendations / Best Practices
       9/22/2010 2 Mozilla WebQA
    3. Types of Attacks / Vulnerabilities (just a few)
       • CSRF - Cross-Site Request Forgery
         • “An attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing.” [1]
       • XSS - Cross-Site Scripting
         • “...malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user [...] the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.” [2]
       • Sources:
         • [1] http://www.owasp.org/index.php/CSRF
         • [2] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
    4. Types of Attacks / Vulnerabilities (just a few)
       • SQL Injection - http://www.owasp.org/index.php/SQL_Injection
         • “injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.” [3]
       • ...and many more:
         • OWASP list of attacks
         • OWASP list of vulnerabilities
       • Sources:
         • [3] http://www.owasp.org/index.php/
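    The two definitions above are easier to test against when you can see the flaw next to its fix. The block below is an added example, not code from the slides or from Mozilla: it models a reflected-XSS page and a string-concatenated SQL login check in a few lines of Python, puts the hardened version beside each, and runs the same kind of probe that scanners such as XSS Me and SQL Inject Me send. The page shapes, table, user row and probe strings are all constructed for the illustration.

    ```python
    """Added example (not from the Mozilla WebQA slides): minimal models of the
    XSS and SQL-injection flaws defined on slides 3-4, each beside its fix, plus
    the reflection and tautology probes a form scanner would submit."""
    import html
    import sqlite3

    # --- XSS: a search page that reflects the query parameter ------------------

    def render_search_vulnerable(query: str) -> str:
        """Echoes the user's search term into the page without any encoding."""
        return f"<h1>Results for {query}</h1>"

    def render_search_fixed(query: str) -> str:
        """Same page, with HTML entity-encoding applied at the point of output."""
        return f"<h1>Results for {html.escape(query, quote=True)}</h1>"

    # Constructed probe; a real scanner rotates through many such payloads.
    XSS_PROBE = '<script>alert("xssme")</script>'

    def reflects_script(render, probe: str = XSS_PROBE) -> bool:
        """True if the probe comes back byte-for-byte, i.e. active markup survived
        the round trip unescaped. Nothing is executed; this is the same
        string-reflection heuristic a reflected-XSS scanner relies on."""
        return probe in render(probe)

    # --- SQL injection: a login check built by string concatenation ------------

    def make_db() -> sqlite3.Connection:
        """In-memory SQLite with one constructed user row (sample data only)."""
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
        conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
        return conn

    def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
        """Untrusted input is spliced straight into the SQL text."""
        sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
               "' AND password = '" + password + "'")
        return conn.execute(sql).fetchone()[0] > 0

    def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
        """Parameterised query: the driver sends values separately from the SQL,
        so a quote in the input can never change the query's structure."""
        sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
        return conn.execute(sql, (name, password)).fetchone()[0] > 0

    # Constructed tautology probe for the password field.
    SQLI_PROBE = "' OR '1'='1"

    def bypasses_login(login, conn: sqlite3.Connection) -> bool:
        """Authentication-bypass check: with no valid password the login must
        return False; True means the input rewrote the WHERE clause."""
        return login(conn, "alice", SQLI_PROBE)

    if __name__ == "__main__":
        db = make_db()
        print("XSS reflected (vulnerable):", reflects_script(render_search_vulnerable))
        print("XSS reflected (fixed):     ", reflects_script(render_search_fixed))
        print("SQLi bypass (vulnerable):  ", bypasses_login(login_vulnerable, db))
        print("SQLi bypass (fixed):       ", bypasses_login(login_fixed, db))
    ```

    The probes only detect the two textbook cases; a scanner's value comes from the breadth of its payload list and from checking every parameter, which is why the later slides still recommend combining tool runs with manual review.
    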
    5. Why Use Tools / Benefits?
       • Saves time
       • Increases/augments manual coverage
       • Ensures a certain set of tests run every time
         • (Eliminates the human-failure component)
       • Can help educate the tester
    6. Web-App Performance Sites / Add-ons
       • Performance-Testing Sites:
         • BrowserMob - http://browsermob.com
         • Webpagetest - http://www.webpagetest.org/
       • Firefox Add-ons:
         • Firebug - http://getfirebug.com/
         • YSlow! - http://developer.yahoo.com/yslow/
    7. Load-Testing Sites
       • Load Impact - http://loadimpact.com/
       • Load Labs - http://loadlabs.com/
       • Gomez - http://www.gomez.com
    8. Load / Performance-Testing Tools
       • Siege - http://www.joedog.org/index/siege-home
         • siege -c50 -r150 -i http://input.stage.mozilla.com
       • ab (Apache Benchmark) - http://httpd.apache.org/docs/2.0/programs/ab.html
         • ab -c 150 -n 600 http://preview.addons.mozilla.org:81/en-US/firefox/collection/enkei (run on Khan)
       • JMeter - http://jakarta.apache.org/jmeter/
         • Benchmarking/performance/stress-testing
       • logreplay - http://github.com/oremj/logreplay
         • Takes Apache access logs and, well, replays them :-)
       • All but JMeter used for AMO: https://wiki.mozilla.org/User:Clouserw/AMO/loadtest
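    The siege and ab invocations above hard-code concurrency and request counts; the logreplay entry points at the better source for those numbers, the production access log. The block below is an added example, not the slides' code and not logreplay's own implementation: it parses Apache combined-format log lines, keeps only idempotent requests, and reports the observed peak requests per second and the hottest paths, which is what you need to size -c/-r or -c/-n realistically. The log lines are constructed samples, and the staging host is used only as an illustrative base URL.

    ```python
    """Added example (not from the Mozilla WebQA slides or from logreplay):
    turn Apache access-log lines into a replay plan for a load test."""
    import re
    from collections import Counter
    from datetime import datetime

    # Apache "combined" LogFormat:
    #   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
    LOG_RE = re.compile(
        r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
        r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
        r'(?P<status>\d{3}) (?P<size>\d+|-)'
    )

    # Constructed sample lines; not a real Mozilla log. One line is deliberately
    # malformed to show that bad input is skipped rather than replayed.
    SAMPLE_LOG = """\
    10.0.0.1 - - [22/Sep/2010:10:00:00 -0700] "GET /en-US/firefox/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
    10.0.0.2 - - [22/Sep/2010:10:00:00 -0700] "GET /en-US/firefox/collection/enkei HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
    10.0.0.3 - - [22/Sep/2010:10:00:00 -0700] "GET /en-US/firefox/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
    10.0.0.4 - - [22/Sep/2010:10:00:01 -0700] "POST /en-US/firefox/users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
    10.0.0.5 - - [22/Sep/2010:10:00:01 -0700] "GET /static/js/amo.js HTTP/1.1" 304 - "-" "Mozilla/5.0"
    10.0.0.6 - - [22/Sep/2010:10:00:02 -0700] "GET /en-US/firefox/ HTTP/1.1" 500 0 "-" "Mozilla/5.0"
    garbage line that should be skipped
    """

    def parse_line(line: str):
        """Return a dict for a well-formed combined-format line, else None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        return {
            "ts": ts,
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        }

    def replay_plan(log_text: str, base_url: str, methods=("GET",)):
        """Return (urls, peak_rps, top_paths).

        Only the methods listed are replayed (GET by default): blindly replaying
        POSTs such as logins or form submissions against a staging site is a
        classic load-test pitfall. peak_rps counts every parsed record, since
        the server saw them all, and is the figure to size concurrency from."""
        per_second = Counter()
        paths = Counter()
        urls = []
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            per_second[rec["ts"]] += 1
            if rec["method"] in methods:
                urls.append(base_url.rstrip("/") + rec["path"])
                paths[rec["path"]] += 1
        peak = max(per_second.values(), default=0)
        return urls, peak, paths.most_common(3)

    if __name__ == "__main__":
        urls, peak, top = replay_plan(SAMPLE_LOG, "http://preview.addons.mozilla.org:81")
        print(f"{len(urls)} replayable URLs, peak {peak} req/s, hottest: {top}")
        for u in urls:
            print(u)
    ```

    Written one URL per line to a file, the list feeds `siege -f urls.txt -i` (siege's own URL-file and internet-mode options), and the peak figure gives a defensible starting value for `-c` rather than a guess.
    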
    9. Security / Fuzzing
       • PowerFuzzer:
         • http://www.powerfuzzer.com/
       • XSS Me:
         • http://labs.securitycompass.com/index.php/exploit-me/xss-me/
       • SQL Inject Me:
         • http://labs.securitycompass.com/index.php/exploit-me/sql-inject-me/
       • TamperData:
         • https://addons.mozilla.org/en-US/firefox/addon/966/
       • Acunetix (XSS only):
         • http://www.acunetix.com/cross-site-scripting/scanner.htm
    10. Link Checkers
       • Xenu
         • http://home.snafu.de/tilman/xenulink.html
       • W3C
         • http://validator.w3.org/checklink/
    11. Gotchas / Pitfalls
       • Over-reliance on automated tools/websites
       • “One test tool fits all” fallacy
       • Not knowing the tool and its limits / strengths
       • Once is (usually) never enough
       • Not knowing enough about your system / infrastructure
    12. Recommendations / Guidelines
       • Balance your testing: augment manual with automation
       • Pick the best tool for the task
       • Read up on tools (from multiple sources) before and during use
       • Run them often: in the background of a VM while manually testing
       • Read up on/ask about your framework; look for published vulnerabilities (Drupal, anyone?)
    13. References
       • OWASP Top 10
         • http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
       • Security-coding guidelines for Developers:
         • https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
       • Security-coding checklist for QA:
         • https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
       • Web Test Tools:
         • http://www.softwareqatest.com/qatweb1.html
       • Security Test Tools:
         • http://www.softwareqatest.com/qatweb1.html#SECURITY
    14. Thank You!
       • WebQA homepage:
         • https://wiki.mozilla.org/QA/Execution/Web_Testing
       • Get Involved:
         • http://quality.mozilla.org/docs/webqa/get-involved/
       • Contact Us:
         • IRC: #mozwebqa on irc.mozilla.org
         • Mailing List: mozwebqa@mozilla.org
    15. Questions?
