Groundspeed Presentation at the OWASP NY/NJ

•

1 like•1,245 views

The document discusses an approach called Groundspeed for manipulating web application interfaces from within the browser rather than intercepting and modifying HTTP requests. Groundspeed aims to provide context about form fields and parameters that is missing when analyzing HTTP traffic alone. It argues this reduces unnecessary tasks ("test friction") compared to traditional approaches. Specifically, working at the interface level 1) provides important contextual information and 2) reduces test friction by avoiding tasks like mapping parameters to interface labels. The presentation concludes by advocating a toolbox approach using multiple tools tailored to different layers (interface, JavaScript, HTTP) and bringing testing directly into the browser interface.

APPLICATION INTERFACES
felipe@wobot.org
OWASP
NY/NJ
Chapter
Mee3ng
–
Nov
2,
2010

MANIPULATING WEB
h=p://groundspeed.wobot.org

The Standard Approach:
Interact with
interface
Intercept and
modify HTTP
Analyze
response
1
2
3

Advantages:
single point of interception,
absolute control over data

Historic reason:
browser used to be a closed box,
no easy way to extend

The origin of input data:
HTML interface (forms)
client side logic (JavaScript)
the HTTP client (cookies)

Question:
can this information be useful for
improving the penetration test?

Core question:
would it be useful to look for a
diﬀerent approach?

http://groundspeed.wobot.org
open source Firefox add-on
released in Nov 09 at AppSecDC

Groundspeed goal:
manipulate the webapp interface to
remove client-side limitations in
order to work inside the browser

Things you can do:
change the type of form ﬁelds
remove size and length limitations
remove JS event handlers

But wait a minute:
why is this really diﬀerent than
manipulating HTTP requests?

#1 reason:
in order to understand
information we need context

Context problems:
without the context we need to ﬁll
in for what is missing

Ambiguous context:
if the context is not clear,
we can make mistakes

Labels are for humans:
the function of the interface is to
provide context to users

Parameters are for code:
HTTP parameters are meant for
the server side code, they can be
any arbitrary value

The mapping problem:
when we manipulate HTTP
requests we need to map
parameter to interface label

#2 reason:
working at the interface reduces
the unnecessary tasks

Test Friction:
all this creates“test friction”,
makes the test less eﬃcient
(and more boring)

Ok, but…
how is this diﬀerent than using
Firebug or the Web Dev
Extension?

Firebug and WedDev Extension:
very powerful but developer tools,
when used for security will
produce a lot of ‘test friction’

Hammers versus screwdrivers:
‘test friction’always appears when
you use a tool that was not
designed for the job

Performance load:
degree of mental and physical
activity to perform a task

Conclusion #1:
thinking about the nature of input
data can make our life easier
create an input testing toolbox

Input data toolbox:
interface layer (Groundspeed)
javascript layer (Firebug)
HTTP layer (Burp)

Conclusion #2:
tool design should focus on user
process (not the problem)
process = user + problem + context

Conclusion #3:
bring the tool into the browser
or the browser into the tool

Thank you!
more about groundspeed:
http://groundspeed.wobot.org
comments, questions:
felipe@wobot.org

1) The document discusses creating an abstraction for querying external systems and APIs to make the code more testable and resilient to changes. 2) It proposes defining an interface for the "question" being asked and a class for the "answer", with an implementation that handles the actual request. 3) This abstraction separates the application logic from infrastructure details, allowing the tests to focus on the domain and easing test setup by using test doubles instead of real external dependencies.

Behaviour driven development aka bdd

Prince Gupta

BDD is a software development process that improves communication between business and development teams. It uses examples written in a ubiquitous language to define desired product behaviors. The examples serve as requirements for automated tests and drive development. Key aspects of BDD include impact mapping to prioritize features, planning in examples with the three amigos (business, development, testing), and developing using examples as automated tests. This ensures the system meets business needs while delivering working software.

Having Fun Building Web Applications (Day 1 Slides)

Clarence Ngoh

This document outlines the agenda and content for Day 1 of a web applications course. The instructor will cover building the front end of web applications using HTML, CSS, JavaScript, jQuery and templating. Students will practice implementing common front end patterns and components. They will scaffold and style a matchmaking application, adding user profiles, events and APIs. The goal is to build out the front end interface without a backend, focusing on design, interactivity and data loading.

Web Application Software Testing

Andrew Kandels

Building websites like applications means bringing more attention to testing. From unit tests early on to load and regression testing later in the game, the primary purpose of testing is to detect software failures so that defects are discovered and corrected before they make it to the customer. Depending on your size, different testing strategies and things like automation may or may not be necessary. I'll cover some great free tools, some simple command line scripts as well as some commercial choices for the various types of testing.

Test Driven Development - a Practitioner’s Perspective

Malinda Kapuruge

This document discusses test driven development (TDD) and provides an overview and demonstration. It begins by covering software development, testing, and TDD. It then demonstrates TDD with a NodeJS example, showing how to start with a failing test and incrementally make it pass through small changes. The benefits of TDD are outlined as better designed code, understanding requirements, quality, and confidence to refactor. Challenges with TDD for microservices and frontends are discussed. It concludes with taking questions and providing further reading suggestions.

Visual Studio 2010 Testing for Developers

Steve Lange

The document discusses testing tools in Visual Studio 2010 that help developers get code right the first time. It describes features like code analysis, code metrics, test impact analysis, IntelliTrace for debugging, and performance profiling. The tools help improve code quality, find bugs more quickly, and reduce "no repro" issues. The presentation includes demos of these tools and how they can help foster better collaboration between developers and testers.

HTTP Server Push Techniques

Folio3 Software

The document introduces a new approach to input validation testing using an open-source Firefox add-on called Groundspeed. It argues that the traditional approach of testing at the HTTP request level has limitations, including not having the form labels as context and requiring switching between the user interface and HTTP worlds. Groundspeed allows modifying web application interfaces directly, eliminating these issues and reducing friction. It summarizes the key capabilities of Groundspeed such as editing form fields and attributes to perform input validation testing more efficiently within the user interface.

Updated SAKET MRINAL Resume

Saket Mrinal

Saket Mrinal provides his contact information and academic qualifications. He has experience with languages like C#, VB, HTML, and databases like SQL Server, Oracle, and Sybase. He has worked as a senior engineer and software engineer on projects involving APIs, file sharing systems, and financial applications. His responsibilities included requirements gathering, development, testing, and performance optimization.

System Development Life Cycle

sourav verma

The document discusses and compares two software development life cycle (SDLC) models: the waterfall model and evolutionary model. The waterfall model involves 5 sequential phases: requirements analysis, design, implementation, testing, and maintenance. However, it is inflexible and does not allow for updates based on user feedback. The evolutionary model involves iterative development of prototypes based on basic requirements, with customer feedback and modifications to subsequent versions. This model is better suited for developing online systems and user interfaces as it allows for evolution through use.

Monitoring as an entry point for collaboration

Julien Pivotto

This document summarizes a talk on using monitoring as an entry point for collaboration. It discusses using the Prometheus monitoring system to collect metrics and expose them using exporters. Grafana is then used to visualize the metrics and create dashboards focused on business metrics like requests, errors, and durations. These metrics provide observability across teams and enable alerting when business services are impacted.

JavaOne 2015: Top Performance Patterns Deep Dive

Andreas Grabner

Bringing Zest to SharePoint Sites Using Out-of-the-Box Technology

joelsef

The document discusses various ways to enhance SharePoint sites using out-of-the-box technologies, ranging from simple to more advanced options. It provides examples in four "Tiers" - Tier 1 options require no code and include changing themes, re-enabling quick launch navigation, and using choice columns. Tier 2 utilizes tools like the content editor web part and SharePoint Designer for widgets, scripts, and gadgets. Tier 3 involves advanced SharePoint Designer configurations and some code. Tier 4 includes enterprise applications and custom web parts requiring programming. Specific scenarios around page design, forms, and metrics are also presented.

Techdays 2011 - Things I will remember

Alexander Vanwynsberghe

Online Examination System in .NET & DB2

Abhay Ananda Shukla

This document provides a project report summary for an online examination system. It includes sections on the purpose of developing a web application to conduct online exams, the technologies used including ASP.NET and DB2, hardware and software requirements, constraints of the system, and a feasibility study. It also includes sections on the specification report, communication interface, bottlenecks identified in the existing system, need for a new system, software system attributes, ER diagram, and database and programming codes.

Developing a database server: software engineer's view

Laurynas Biveinis

An Introduction to Microservices

Ad van der Veer

Another day, another buzzword in the world of software development! ‘Microservices’ is a new approach to structuring server-side software. But is it really new? In this talk I’ll walk you through the birth and ‘raison d’etre’ of microservices and tell about pro’s and con’s of the approach. Having laid the foundation, we will take a look at best-practices and patterns for building micro service architectures and combine this with a tour of current technologies and development tools. Finally, I will take a quick look at the future and discuss some of the remaining challenges. All parts of the presentation will be accompanied by structural examples based on a real ecommerse system.

Beyond The MVC

george.james

Beyond the MVC framework, EWD provides a design-oriented approach to web development that abstracts away technical implementation details. EWD pages focus on design through declarative scripts that handle data fetching and navigation. This allows designers and developers to work together through the entire application lifecycle without programmers needing to understand design or designers needing to learn programming.

Performance Testing REST APIs

Jason Weden

This document discusses performance testing of REST APIs. It provides lessons on using a non-blocking HTTP client like Akka for tests to avoid blocking connections, reusing logic from functional tests, devising a performance test plan with metrics and sign-offs, capturing results in a database for trending, running tests continuously in CI environments, and creating visualizations of performance test results with charts and dashboards. The goal is to share an approach for efficient, scalable API performance testing.

Advanced web application architecture - Talk

Matthias Noback

This document discusses web application architecture and frameworks. It argues that frameworks should not dictate project structure, and that the code should separate domain logic from infrastructure logic. This allows focusing on the core problem domain without concerning itself with technical details like databases or web requests. It also advocates splitting code into ports that define intentions like persistence, and adapters that provide framework-specific implementations, allowing for independence of the domain logic from any particular framework or technology. This architecture, known as hexagonal or ports and adapters, facilitates testing, replacement of parts, and future-proofing of the application.

DevOpsDays Warsaw 2015: Zero-Friction Performance Instrumentation And Monitor...

PROIDEA

Published on Dec 07, 2015 Speaker: João Miranda Language: English OutSystems Platform is a product for rapid application delivery of desktop and mobile web applications. As part of the product, we offer performance instrumentation, monitoring and troubleshoot capabilities for the generated applications. The goal is to offer a zero-friction experience when troubleshooting desktop and mobile web performance problems, without requiring any special instrumentation effort when building the application. This talk will cover how we achieve that goal and how the approach can be applied to other projects. We have to decide which metrics to gather, how to gather them and mash it all up in out-of-the-box dashboards. All the while, we want our clients to be able to use the raw instrumentation data so they can integrate it with their own application performance monitoring solutions. Visit our website: http://2015.devopsdays.pl

quiz half ppt

mohit91

This document describes an online examination web application that allows multiple students to take tests simultaneously and view results automatically. It uses ASP.NET with a DB2 backend. Administrators can create, modify and delete test papers and questions. Users register, login to take tests with their ID and see results. The application provides worldwide online testing that saves time over traditional paper exams.

Viewers also liked

Colors

guest580a7e5

Colors

guest580a7e5

Concert 2 september 2009 songcompany

Colors

Colors

Numbers

Viewers also liked (7)

Colors

Concert 2 september 2009 songcompany

Colors

Numbers

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on integration of Salesforce with Bonterra Impact Management. Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/ Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit. In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing. van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Recently uploaded (20)

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Webinar: Designing a schema for a Data Warehouse

20240607 QFM018 Elixir Reading List May 2024

Building Production Ready Search Pipelines with Spark and Milvus

Nordic Marketo Engage User Group_June 13_ 2024.pptx

TrustArc Webinar - 2024 Global Privacy Survey

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

Presentation of the OECD Artificial Intelligence Review of Germany

Columbus Data & Analytics Wednesdays - June 2024

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Fueling AI with Great Data with Airbyte Webinar

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

June Patch Tuesday

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Best 20 SEO Techniques To Improve Website Visibility In SERP

Groundspeed Presentation at the OWASP NY/NJ

1. APPLICATION INTERFACES felipe@wobot.org OWASP NY/NJ Chapter Mee3ng – Nov 2, 2010 MANIPULATING WEB h=p://groundspeed.wobot.org

3. User problem?

4. User problem?

5. The Standard Approach: Interact with interface Intercept and modify HTTP Analyze response 1 2 3

6. Advantages: single point of interception, absolute control over data

7. Historic reason: browser used to be a closed box, no easy way to extend

8. The origin of input data: HTML interface (forms) client side logic (JavaScript) the HTTP client (cookies)

9. Question: can this information be useful for improving the penetration test?

10. Core question: would it be useful to look for a diﬀerent approach?

11. http://groundspeed.wobot.org open source Firefox add-on released in Nov 09 at AppSecDC

12. Groundspeed goal: manipulate the webapp interface to remove client-side limitations in order to work inside the browser

13. Things you can do: change the type of form ﬁelds remove size and length limitations remove JS event handlers

14. Demo: see Groundspeed in action

15. But wait a minute: why is this really diﬀerent than manipulating HTTP requests?

16. #1 reason: in order to understand information we need context

17. Context problems: without the context we need to ﬁll in for what is missing

18. Ambiguous context: if the context is not clear, we can make mistakes

19. Context is important!

20. Labels are for humans: the function of the interface is to provide context to users

21. Parameters are for code: HTTP parameters are meant for the server side code, they can be any arbitrary value

22. The mapping problem: when we manipulate HTTP requests we need to map parameter to interface label

23. #2 reason: working at the interface reduces the unnecessary tasks

24. Test Friction: all this creates“test friction”, makes the test less eﬃcient (and more boring)

25. Ok, but… how is this diﬀerent than using Firebug or the Web Dev Extension?

26. Firebug and WedDev Extension: very powerful but developer tools, when used for security will produce a lot of ‘test friction’

27. Hammers versus screwdrivers: ‘test friction’always appears when you use a tool that was not designed for the job

28. Performance load: degree of mental and physical activity to perform a task

29. Improved interface

30. Conclusion #1: thinking about the nature of input data can make our life easier create an input testing toolbox

31. Input data toolbox: interface layer (Groundspeed) javascript layer (Firebug) HTTP layer (Burp)

32. Conclusion #2: tool design should focus on user process (not the problem) process = user + problem + context

33. Conclusion #3: bring the tool into the browser or the browser into the tool

34. Thank you! more about groundspeed: http://groundspeed.wobot.org comments, questions: felipe@wobot.org

Groundspeed Presentation at the OWASP NY/NJ

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (7)

Similar to Groundspeed Presentation at the OWASP NY/NJ

Similar to Groundspeed Presentation at the OWASP NY/NJ (20)

Recently uploaded

Recently uploaded (20)

Groundspeed Presentation at the OWASP NY/NJ