EuroSTAR Software Testing Conference 2012 presentation on Re-purposing Webdriver for Security Testing by Adrian Rapan.
See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/
6. Security testing
• Open Web Application Security Project (OWASP)
• MITM (man-in-the-middle) attack
• DoS attack
• Metasploit
• BackTrack (Linux distribution used in penetration testing)
• Acunetix, Netsparker, N-Stalker, ProxyStrike, XSSS
7. What about…
• Webdriver?
• It tests websites
• Drivers for different browser/OS pairs
• With a bit of tinkering can manipulate the DOM
8. How
• The test bed: Web Application Vulnerability Scanner Evaluation Project (WAVSEP)
– Reflected/Stored Cross-Site Scripting (XSS): 66 test cases, implemented in 64 jsp pages (GET & POST)
– 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST)
– Payloads comprising 44 attack vectors
9. Ingredients
• The attack vectors: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, saved as an XML file
• Javascript snippets like:
<INPUT TYPE="IMAGE" SRC="javascript:alert('CrossSiteScriptingAcademia12');"></script>
10. Transparency
• Commercial tools…how do they do it???
• The security scanners tell you about
vulnerabilities
• They’ll even offer a solution
• But how do they do it???
11. What about…
• Webdriver?
• Drives the browser just like a tester would
• Total transparency over the value of running a test
• Any security tests run using a real browser
• Lower false-positive rate of detection
12. Test case
• The browser navigates to the required webpage
• Webdriver scans for input forms, which are the delivery channel for the XSS payloads
• The XSS attack vectors are inserted in the input fields of the form
• The form is submitted
• The attack's effectiveness is verified by detecting the execution of the Javascript snippet
13. Under the hood
• Getting the urls from a website as an XML
– Few tools available online. Used http://www.xml-sitemaps.com/crawlproc.html?&initurl=<<website>>
14. Under the hood
• Each url is opened by webdriver and scanned for FORMs
allForms = driver.findElements(By.xpath("//form"));
• All inputs from the FORM
allInputs = form.findElements(By.xpath(".//input"));
• Each input is populated by the attack vector
input.sendKeys(vector);
15. Under the hood
• Submit the injected FORM
form.findElement(By.xpath(".//input[@type='submit']")).click();
• Repeat for each FORM from each url
16. Under the hood
• The actual Webdriver test for a url
webDriver.attack(urlToAttack).using(attackVector).run();
webDriver.executionReportFor(attackVector).waitFor();
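The loop behind the three "Under the hood" slides, written out as one runnable Selenium (Java) class. This is an added example, not the presenter's code or the fluent attack()/using() wrapper shown above: it assumes Selenium 4 with a Firefox driver on the path, a WAVSEP deployment at a placeholder local URL, and a constructed two-entry vector list standing in for the XML saved from the cheat sheet. Each (form, vector) pair gets its own page load, because submitting a form replaces the DOM and leaves the previously located elements stale.

```java
import java.util.Arrays;
import java.util.List;

import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.firefox.FirefoxDriver;

/** Injects every attack vector into every FORM of a url, one form/vector pair per page load. */
public class FormInjector {

    // Constructed sample vectors (the marker string is the one the slides use);
    // a real run loads the full list from the XML saved from the OWASP cheat sheet.
    static final List<String> VECTORS = Arrays.asList(
        "<script>alert('CrossSiteScriptingAcademia12')</script>",
        "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('CrossSiteScriptingAcademia12');\">");

    // Only fields that carry free text to the server are filled; submit, hidden, checkbox etc. are left alone.
    static final String TEXT_FIELDS =
        ".//input[not(@type) or @type='text' or @type='search' or @type='url' or @type='email' or @type='password']"
        + " | .//textarea";

    /** Loads url, fills every text field of form number formIndex with vector and submits that form. */
    static void attack(WebDriver driver, String url, int formIndex, String vector) {
        driver.get(url);                                   // fresh DOM for every pair
        List<WebElement> forms = driver.findElements(By.xpath("//form"));
        if (formIndex >= forms.size()) return;             // page changed shape between loads
        WebElement form = forms.get(formIndex);
        for (WebElement field : form.findElements(By.xpath(TEXT_FIELDS))) {
            field.clear();
            field.sendKeys(vector);                        // typed like a tester would, not set via JS
        }
        // Prefer the form's own submit control (slide 15); fall back to WebElement.submit() when there is none
        List<WebElement> submits = form.findElements(
            By.xpath(".//input[@type='submit'] | .//button[@type='submit' or not(@type)]"));
        if (submits.isEmpty()) {
            form.submit();
        } else {
            submits.get(0).click();
        }
    }

    public static void main(String[] args) {
        // Placeholder: the WAVSEP test case url to exercise
        String url = args.length > 0 ? args[0] : "http://localhost:8080/wavsep/<<test-case-page>>";
        WebDriver driver = new FirefoxDriver();
        try {
            driver.get(url);
            int formCount = driver.findElements(By.xpath("//form")).size();
            for (int i = 0; i < formCount; i++) {
                for (String vector : VECTORS) {
                    attack(driver, url, i, vector);
                    // Whether the payload actually executed is decided separately (alert / DOM check)
                }
            }
        } finally {
            driver.quit();
        }
    }
}
```

Repeating the outer loop over every url from the sitemap XML gives the "repeat for each FORM from each url" step; the reload per pair is also where most of the run time goes, which is the slowness the conclusions slide mentions.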
17. Now for the tricky part
• Detecting if the attack succeeded
• There is one way… but it's similar to watching paint dry
18. The automated way
driver.switchTo().alert()
• But what if the alert is hidden in the DOM waiting for a triggering event, like a click
19. Another “dirty” automated way
• Use the infamous JavascriptExecutor
((JavascriptExecutor) driver).executeScript(payloadToExecute);
• It goes against the intended usage of Webdriver – to test as a tester would
20. And the method is
• Running an xpath to find the "hidden" payload and then executing it
((JavascriptExecutor) driver).executeScript("return document.evaluate(\"//@*[contains(., '<<the attack vector>>')]\", document, null, XPathResult.STRING_TYPE, null).stringValue;");
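Detection as the last three slides describe it, put together in one class: the alert check first, then slide 20's XPath over attribute values, then a click on whatever element carries the reflected vector for the "waiting for a triggering event" case. This is an added example, not the presenter's code. It assumes Selenium 4 (Duration-based WebDriverWait) and that every vector's alert() carries the CrossSiteScriptingAcademia12 marker from slide 9; xpathLiteral is added here because the vectors themselves contain quotes, which would cut a pasted-in XPath literal short.

```java
import java.time.Duration;
import java.util.List;

import org.openqa.selenium.Alert;
import org.openqa.selenium.By;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.TimeoutException;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebDriverException;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.support.ui.ExpectedConditions;
import org.openqa.selenium.support.ui.WebDriverWait;

/** Decides whether an injected XSS vector ran: on page load, or only after a click on the element it landed in. */
public class XssDetector {

    // Marker every vector's alert() carries (slide 9), so unrelated alerts are not counted as hits
    static final String MARKER = "CrossSiteScriptingAcademia12";

    /** Wraps s as an XPath string literal; vectors contain quotes, which would end a plain '...' early. */
    static String xpathLiteral(String s) {
        if (!s.contains("'")) return "'" + s + "'";
        if (!s.contains("\"")) return "\"" + s + "\"";
        // Both quote kinds present: split on ' and rejoin the pieces with concat()
        StringBuilder sb = new StringBuilder("concat(");
        String[] parts = s.split("'", -1);
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) sb.append(", \"'\", ");
            sb.append("'").append(parts[i]).append("'");
        }
        return sb.append(")").toString();
    }

    /** True if an alert carrying MARKER shows up within timeout; it is accepted so the run can continue. */
    static boolean alertFired(WebDriver driver, Duration timeout) {
        try {
            Alert alert = new WebDriverWait(driver, timeout).until(ExpectedConditions.alertIsPresent());
            boolean hit = alert.getText().contains(MARKER);
            alert.accept();
            return hit;
        } catch (TimeoutException e) {
            return false;   // no alert: the payload did not execute on load
        }
    }

    /** Slide 20's check: string value of the attribute nodes containing the vector, "" when there are none. */
    static String reflectedAttributes(WebDriver driver, String vector) {
        String xpath = "//@*[contains(., " + xpathLiteral(vector) + ")]";
        // The XPath travels as an argument, so the script text itself needs no Java-level escaping
        return (String) ((JavascriptExecutor) driver).executeScript(
            "return document.evaluate(arguments[0], document, null, XPathResult.STRING_TYPE, null).stringValue;",
            xpath);
    }

    /** Slide 18's case: the payload sits in an attribute waiting for an event, so click its element and look again. */
    static boolean firesOnClick(WebDriver driver, String vector) {
        List<WebElement> carriers = driver.findElements(
            By.xpath("//*[@*[contains(., " + xpathLiteral(vector) + ")]]"));
        for (WebElement el : carriers) {
            try {
                el.click();
            } catch (WebDriverException e) {
                continue;   // hidden or stale element: nothing a tester could click either
            }
            if (alertFired(driver, Duration.ofSeconds(2))) return true;
        }
        return false;
    }

    /** One verdict per submitted form: call it right after the submit click of the injection step. */
    static String verdict(WebDriver driver, String vector) {
        if (alertFired(driver, Duration.ofSeconds(3))) return "executed on load";
        if (reflectedAttributes(driver, vector).isEmpty()) return "not reflected";
        if (firesOnClick(driver, vector)) return "executed on click";
        return "reflected but not executed";
    }
}
```

The attribute XPath only sees reflections that land inside an attribute value (the echoed input's value, an event handler, a src). When the application writes the vector into the page as markup, the browser parses it into elements and the whole string is no longer present in any single attribute, so for those cases the lookup should search for a distinctive fragment such as the marker rather than the full vector.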
21. Some conclusions
• Writing tests to cover security test cases isn't that hard
• The attack vectors for XSS are publicly available
• Using Webdriver as a security tool might be slow but offers more transparency and
• Best of all, it's free