HACKER-PROOF WEB APP USING FUNCTIONAL TESTS
Ankita Gupta 
Anamika Singh
Presenters 
Ankita Gupta 
Software Engineer, QA @ LinkedIn
@_ankitag_
Presenters 
Anamika Singh 
Product Analyst @ IronWASP Information Security Services 
Author of WiHawk – Router Vulnerability Scanner 
@_Anamikas_
Importance of Web app Security
• A web application breach can lead to:
• Theft of data
• Malware infection
• Loss of consumer confidence
• Failure to meet regulatory requirements
• Eventually, losses of hundreds of thousands or even millions of dollars.
• According to studies, 8 out of 10 sites are vulnerable.
Types of Attack 
• SQL Injection 
• Cross Site Scripting 
• Denial of Service 
• Code Execution 
• Cross Site Request Forgery 
And many more …
Find Security Bugs 
Security Experts 
• Expensive 
• Time consuming
Find Security Bugs 
Automated Scanning using Web Security Scanners 
Scanner : 
• A program that interacts with the web application the way a user does.
• It performs black-box testing: it sees only requests and responses, not the source code.
• It finds misconfigurations and code-level vulnerabilities.
• Cheap.
• Runs 24x7.
How Scanner Works 
• Crawls the site and finds injection points (URL parameters, form fields, headers, cookies).
• Tests each point for security problems by injecting different
payloads.
• Payloads are not random text; they are predefined values known to
trigger specific security problems.
• For each security problem there is a corresponding set of inputs.
How Scanner Works 
• Each scanner has its own algorithm:
• Which payloads it sends, and how it analyses the responses.
• Passive approach:
• No payloads are sent; the scanner looks at the requests and responses the
traffic already produced and tries to identify security problems (for example
SSL and cookie settings).
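As an added illustration of the loop the two slides above describe, the following is a toy checker written for this page; it is not IronWASP's code and does not talk to a network. The injection point, the payload tables, the error signatures and the stand-in application (`fakeApp`) are all constructed for the example. It shows the two approaches side by side: the active check injects a predefined payload per vulnerability class and analyses the reply, the passive check only inspects headers that ordinary test traffic already produced. Requires Java 9+ for `List.of`.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

/** Toy active + passive checker illustrating a scanner's core loop (constructed example). */
public class ToyScanner {

    /** Minimal view of a response from the application under test. */
    public static final class Response {
        final int status;
        final Map<String, String> headers;
        final String body;
        Response(int status, Map<String, String> headers, String body) {
            this.status = status;
            this.headers = headers;
            this.body = body;
        }
    }

    /** Predefined payloads per vulnerability class: not random text, each one targets a specific flaw. */
    static final Map<String, List<String>> PAYLOADS = new LinkedHashMap<>();
    static {
        PAYLOADS.put("XSS", List.of("<scanprobe>", "\"><scanprobe>"));
        PAYLOADS.put("SQLi", List.of("'", "' OR '1'='1"));
    }

    /** Error signatures the analysis step looks for after an SQLi payload (small constructed list). */
    static final List<String> SQL_ERRORS = List.of(
        "You have an error in your SQL syntax",
        "unterminated quoted string",
        "ORA-01756");

    /** Active check: inject every payload into one injection point and analyse each reply. */
    public static List<String> activeCheck(String param, Function<String, Response> send) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, List<String>> cls : PAYLOADS.entrySet()) {
            for (String payload : cls.getValue()) {
                Response r = send.apply(payload);
                // XSS analysis: the marker came back unencoded in the HTML body.
                if (cls.getKey().equals("XSS") && r.body.contains(payload)) {
                    findings.add("XSS: parameter '" + param + "' reflects input unencoded");
                    break;
                }
                // SQLi analysis: a quote produced a database error message.
                if (cls.getKey().equals("SQLi") && SQL_ERRORS.stream().anyMatch(r.body::contains)) {
                    findings.add("SQLi: parameter '" + param + "' leaks a database error");
                    break;
                }
            }
        }
        return findings;
    }

    /** Passive check: no payloads, just inspect headers from traffic that was generated anyway. */
    public static List<String> passiveCheck(Response r) {
        List<String> findings = new ArrayList<>();
        String cookie = r.headers.get("Set-Cookie");
        if (cookie != null) {
            String lower = cookie.toLowerCase();
            if (!lower.contains("secure")) findings.add("Cookie set without the Secure flag");
            if (!lower.contains("httponly")) findings.add("Cookie set without the HttpOnly flag");
        }
        if (!r.headers.containsKey("Strict-Transport-Security")) {
            findings.add("Missing Strict-Transport-Security header");
        }
        return findings;
    }

    /** Constructed stand-in for the target: "q" reflects its value, "id" is concatenated into SQL. */
    static Response fakeApp(String param, String value) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Set-Cookie", "session=abc123; Path=/");
        if (param.equals("q")) {
            return new Response(200, h, "<p>Results for " + value + "</p>");
        }
        if (param.equals("id") && value.contains("'")) {
            return new Response(500, h, "You have an error in your SQL syntax near '" + value + "'");
        }
        return new Response(200, h, "<p>ok</p>");
    }

    public static void main(String[] args) {
        for (String param : List.of("q", "id")) {
            activeCheck(param, v -> fakeApp(param, v)).forEach(System.out::println);
        }
        passiveCheck(fakeApp("q", "hello")).forEach(System.out::println);
    }
}
```

Against the stand-in application the active check reports an XSS finding for `q` and an SQLi finding for `id`, and the passive check reports the missing cookie flags and the missing HSTS header without having sent a single payload. A real scanner differs in scale, not in shape: many more payload classes, encoders for each context, and response analysis that compares against a baseline instead of a plain substring match.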
Challenges of Automated Scanning 
• Automated login: the crawler cannot get past the login form, so it never sees the authenticated part of the site.
• Infinite web sites: crawler traps such as calendars and endless pagination keep generating new URLs.
• Multi-page sequences: wizards and checkout flows only work when the requests are made in the right order.
Solutions:
• Manually provide all possible inputs (credentials, sequences, form values) to the scanner.
• Time consuming
• Inefficient
Better Approach 
• Reuse the automated functional test cases.
• Enterprises already use frameworks like Selenium to automate
functional testing.
How about we integrate the Selenium test cases with the
automated scanner?
Combine Selenium with IronWASP
IronWASP 
• IronWASP is an open source
web security scanner.
• It is one of the best scanners available.
• Checks for more than 25
vulnerability classes.
• It does better than
commercial scanners on some
parameters.
IronWASP is better than other scanners (comparison chart not reproduced here)
Benefits 
• The automated scanner now has valid inputs for every case the
functional tests cover.
• It follows the correct flow through the web pages.
• Time/cost effective.
Demo IronWasp
A Simple Functional Test 
// imports needed by this method:
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;

public void test() throws InterruptedException
{
    WebDriver driver = new FirefoxDriver();
    driver.get("http://abc.com");           // Selenium needs a full URL, including the scheme
    System.out.println(driver.getTitle());
    driver.quit();
}
Setup IronWasp Library 
• Add the library to the build path.
• Add IronWaspConfig.xml to <MainFolder>/resources/
• And we are good to go!
Routing Traffic to IronWasp 
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;

public static WebDriver createDriver() {
    FirefoxProfile profile = new FirefoxProfile();
    profile.setPreference("network.proxy.type", 1);                    // 1 = manual proxy configuration
    profile.setPreference("network.proxy.http", IronWasp.ipAddress);   // IronWASP's listening address
    profile.setPreference("network.proxy.http_port", IronWasp.portNumber);
    profile.setPreference("network.proxy.ssl", IronWasp.ipAddress);    // route HTTPS through it as well
    profile.setPreference("network.proxy.ssl_port", IronWasp.portNumber);
    profile.setPreference("network.proxy.no_proxies_on", "");          // empty list: even localhost is proxied
    // Selenium 2 constructor; Selenium 3+ takes new FirefoxOptions().setProfile(profile) instead
    return new FirefoxDriver(profile);
}
An IronWasp Integrated Test Case 
public void test() throws InterruptedException {
    IronWasp.workflowStart();                          // tell IronWASP a new recorded sequence begins
    WebDriver driver = FirefoxBrowser.createDriver();  // browser whose traffic is proxied through IronWASP
    try {
        driver.get("http://abc.com");
        System.out.println(driver.getTitle());
        IronWasp.workflowEnd();                        // sequence complete; IronWASP can now scan it
    } finally {
        driver.quit();                                 // release the browser even if the test fails
    }
}
Demo TestNG/Junit 
• Create a wrapper for creating browsers.
• Create a base class that calls the IronWasp library at the start
and end of every test case.
• All test cases should inherit from the base class.
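Putting the four setup steps above together, here is an added example of the wrapper plus base class pattern in JUnit 4; it is written for this page and is not code from the slides or from the IronWASP project. It assumes the `IronWasp` class from the library described above (`ipAddress`, `portNumber`, `workflowStart()`, `workflowEnd()`, package not shown on the slides) is visible in the same package, and it configures the proxy through Selenium's `Proxy`/`FirefoxOptions` API (Selenium 3+) instead of the raw `FirefoxProfile` preferences on the earlier slide. The target URL and the page title it checks are constructed placeholders.

```java
import static org.junit.Assert.assertTrue;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;

/** Browser wrapper: every driver it returns sends HTTP and HTTPS through the IronWASP proxy. */
class FirefoxBrowser {
    static WebDriver createDriver() {
        // IronWasp.ipAddress and IronWasp.portNumber are the library fields used on the slides.
        String proxyAddr = IronWasp.ipAddress + ":" + IronWasp.portNumber;
        Proxy proxy = new Proxy();
        proxy.setHttpProxy(proxyAddr);
        proxy.setSslProxy(proxyAddr);
        proxy.setNoProxy("");               // empty bypass list: localhost traffic is proxied too

        FirefoxOptions options = new FirefoxOptions();
        options.setProxy(proxy);
        // An intercepting proxy re-signs TLS, so the browser has to accept its certificate.
        // Do this only in the disposable test profile, never in a profile used for real browsing.
        options.setAcceptInsecureCerts(true);
        return new FirefoxDriver(options);
    }
}

/** Base class: every test inherits this, so IronWASP sees each test as one recorded workflow. */
abstract class IronWaspBaseTest {
    protected WebDriver driver;

    @Before
    public void startWorkflow() {
        IronWasp.workflowStart();           // marks the start of a new sequence to scan
        driver = FirefoxBrowser.createDriver();
    }

    @After
    public void endWorkflow() {
        try {
            IronWasp.workflowEnd();         // sequence complete; IronWASP replays and scans it
        } finally {
            if (driver != null) {
                driver.quit();              // always release the browser, even if workflowEnd throws
            }
        }
    }
}

/** An ordinary functional test; the security scan is wrapped around it by the base class. */
public class LoginFlowTest extends IronWaspBaseTest {
    // Assumed local test target; replace with the application under test.
    private static final String BASE_URL = "http://localhost:8080/";

    @Test
    public void loginPageLoads() {
        driver.get(BASE_URL + "login");
        // Constructed expectation for the example application's login page title.
        assertTrue("unexpected title: " + driver.getTitle(), driver.getTitle().contains("Login"));
    }
}
```

Because the start and end calls live in `@Before`/`@After`, a test author never touches IronWASP directly; adding a new functional test automatically adds a new scanned workflow. Two checks worth making before trusting the results: confirm in IronWASP's log that the proxy actually received the requests (a misconfigured bypass list silently sends traffic straight to the target), and confirm the test profile is the only one that accepts the proxy's certificate.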
Advantages 
• No separate security-auditing step is needed for the vulnerability classes the scanner covers.
• Easily understandable reports.
• Security issues can be fixed early in the SDLC.
• Can prevent major design/architectural changes later on.
• Fewer payouts to bug bounty hunters for issues the test suite could have caught.
Area of improvements 
• Speed and effectiveness:
• The current system replays each test case repeatedly, which is very time
consuming.
• The current system does not work properly for JavaScript-heavy
websites.
• Coverage:
• The current system does not test for client-side vulnerabilities.
• The current system does not discover features that are not covered by
the test cases.
• Reporting:
• The current system only generates a report; there is no integration with bug
tracking software.
Area of improvements 
• Management:
• The current system needs to be started every time a test suite needs to
be run.
• If it crashes during a scan, this has to be detected and the system restarted
manually.
• Bug-fix verification can only be done by manually comparing the
reports.
• It cannot handle parallel functional-testing traffic from multiple users.
• Configuration:
• Proxy settings have to be configured in the web driver.
• API calls have to be sent at the start and end of each test case.
Issue Types
• Scanners are unable to find flaws in business logic.
• More complicated attacks are found by people, so automated scanning on every release does not replace manual testing.
References 
• IronWASP: http://ironwasp.net / http://ironwasp.org
• Mutillidae: http://sourceforge.net/projects/mutillidae
• GitHub: https://github.com/Ankitagupta2309/IronWasp/
• Special thanks to Lavakumar Kuppan, author of IronWASP

Editor's Notes

  • #12 Payloads are not random text; they are predefined possible values (for each security problem we have a corresponding input). This was one way; the other way is more passive, e.g. SSL and cookie checks.
  • #13 Automated testing for all releases, but manual testing once to find the more complicated bugs.