SlideShare a Scribd company logo

Manipulating Web App Interfaces: a new approach to input validation testing

Felipe M
Felipe M

The document introduces a new approach to input validation testing using an open-source Firefox add-on called Groundspeed. It argues that the traditional approach of testing at the HTTP request level has limitations, including not having the form labels as context and requiring switching between the user interface and HTTP worlds. Groundspeed allows modifying web application interfaces directly, eliminating these issues and reducing friction. It summarizes the key capabilities of Groundspeed such as editing form fields and attributes to perform input validation testing more efficiently within the user interface.

Technology
1 of 40
Download to read offline
Manipulating Web Application Interfaces – a New Approach to Input Validation Testing Felipe Moreno-Strauch felipe@wobot.org http://groundspeed.wobot.org AppSec DC Nov 13, 2009 The OWASP Foundation http://www.owasp.org
Abstract  This talk will present two arguments against performing input validation testing at the HTTP request level (using proxies) and suggest a new approach: performing input validation testing directly in the user interface  It will also introduce Groundspeed, an open- source add-on for Mozilla Firefox that allows you to modify, on the fly, the forms and form fields in the page loaded in the browser  Groundspeed is available at: http://groundspeed.wobot.org OWASP 2
1. Introduction OWASP 3
An Answer with no Question  In the “Hitchhikers Guide to the Galaxy”, some super intelligent beings build a super computer to answer “the ultimate question of life the universe and everything”  After seven and a half million years, the computer gives its answer: “42”  Puzzled and disappointed, they ask the computer what the question was  But the computer is not powerful enough to respond that OWASP 4
Information Needs Context to be Useful  In the book, the joke is in the fact that the answer “42” makes no sense without the question  In order to understand the information in the answer, we need to know the question because the question provides context to the answer  This is an usual problem when people try to understand a piece data, and it affects us more than we first imagine  Let’s consider a normal example of interaction with a web application OWASP 5
Example: User Submits a Form  User loads a web page with a form  User types a value in a form field and submits  Client side logic validation is executed  Browser creates an HTTP with the input data in a parameter in the GET or POST request  Browser sends the request to the server  Server reads the HTTP request and handles data to application  Application processes the data and responds OWASP 6
The Life Cycle of Input Data User “I am John Smith” Types input data in form field User Interface Name: “John Smith” Client Side Logic custname.value = “John Smith”; HTTP Request … &custname=“John Smith”& … To the server OWASP 7
Interface Labels Provide Context to Humans  The form label next to the textbox field (for example “Name: ”) is the question being asked to the user  The value typed inside the textbox is the response to that question  As data travels down through the layers, the answer is separated from the question  When considered from the perspective of the HTTP request, the data is no longer in its original context (the labels provided context) OWASP 8
Argument 1: The Mapping Problem  Usually this is not a big problem because we can use the HTTP parameter names as “pseudo” labels  But parameter names do not need to match the labels, they are meant for server-side code not for humans so it could be any arbitrary value  In order to compensate for the lack of context, we need to solve this “mapping problem” (mapping label to parameter name), and this makes the test a little more difficult OWASP 9
Filling the Gaps  When performing input validation with a proxy, the tester has to solve the mapping problem  We probably figured out some tricks to help with this process:  Typing input data that explain what each field is  Using the source code of the page to map parameters and label names  But these tricks only work well for simple web applications OWASP 10
A Problem That Will Get Harder to Solve  The problem is that in order for the tricks to work, we have to assume two conditions:  That one form will translate to one HTTP request, form fields matching HTTP parameters one to one  That submitting one form will cause one HTTP request to be sent, at the time of the click  But those conditions are not true all the time:  As client-side logic gets more complex, data can be consolidated, pre-processed, encoded on the client  AJAX (no synchronicity of the user actions and HTTP)  And things will only get more complicated OWASP 11
Argument 2: Working at Two Places  Another problem of working at the HTTP level is that it forces the tester to switch between two worlds (user interface and HTTP)  Ideally, manipulation of the input data should happen in the user interface, but testers have to work at the HTTP level to bypass browser limitations  This switching has a cost associated to it  Let’s consider the task of performing one input validation test on one form field OWASP 12
Task Breakdown  In the browser, fill in the field to be tested  Submit the form  Select the proxy window  Scan through the HTTP request to find where the request parameters are located  Scan through the parameters to find the one that needs to be modified  Insert the attack string  Send the request to the server and select the browser window to see the result OWASP 13
Hard Problems  Even considering a simple task (1 test on 1 field) there are a lot of steps to complete  Some steps are distracting  But some steps create problems  Scanning through text requires “parsing”  Find the right parameter requires “mapping”  There are even more tasks if some fields are encoded or if there is form validation  There are a lot of secondary steps that do not contribute to the main goal: test input validation OWASP 14
Test Friction  Consider now all the tests we have to perform on all the parameters of the web application  There will be a lot of secondary tasks, this is not an optimal process  The secondary steps are like energy that is lost in things that do not contribute to the goal  We could think about them as “test friction”  This is a user experience problem not a usability problem OWASP 15
2. A New Approach OWASP 16
Why do We Work at the HTTP Level?  The browser is a tool designed for normal users, so it does not provide all the functionality that web app testers need  A few years ago, to modify the browser was too hard (closed source) and to create a browser from scratch was too much work  Working outside the browser, at the HTTP level was the best alternative  The mapping problem was easy to solve in the old web  The user experience problem was a reasonable price to pay OWASP 17
Now Things are Different  Because of the richer web apps, mapping parameters to interface labels is getting harder  The mapping problem might still be tolerable but will only get worse as apps get more complex  Working at the HTTP level forces the tester has to switch between two worlds: user interface (browser) and HTTP (proxy) adding “friction” to the process  Another important change: browsers are now easier to modify (open source and add-on systems) OWASP 18
Suggesting a New Approach  We should reconsider the strategy for input validation tests  It makes sense to keep some tests at the HTTP level  But most could benefit from work at the interface level  It is easier and more efficient to manipulate data from the user interface instead of the HTTP level  That would eliminate the mapping problem  Data makes more sense at the user interface level (bigger chance of business logic exploitation)  Improves user experience for tester (reduces friction) OWASP 19
3. Introducing Groundspeed OWASP 20
Introducing Groundspeed  Groundspeed is an open-source add-on for Mozilla Firefox (http://groundspeed.wobot.org)  Groundspeed allows a tester to perform input validation testing from the web app user interface  Groundspeed modify the browser in order to adapt it to the needs of web app testers:  Manipulate the application’s user interface  Remove client side validation and other limitations OWASP 21
Download and Install Groundspeed  Visit http://groundspeed.wobot.org  The following screenshots were taken on demo forms available at groundspeed.wobot.org/demo OWASP 22
How to Start Groundspeed  In order to start working with groundspeed, open the sidebar using: Tools – Groundspeed  Once groundspeed is open, load the form information from the current page using the “Reload” button OWASP 23
How to Start Groundspeed click click OWASP 24
Select a Form or a Form Field  The groundspeed sidebar has two sections  The top section lists the forms and fields in the page  The bottom section lists the HTML attributes of the selected form or form element  Select one form or field in the list in the top section, and groundspeed will highlight that element in the page and display its attributes in the lower part of the sidebar OWASP 25
View the Selected Form and its Attributes select result result OWASP 26
View the Selected Field and its Attributes select result result OWASP 27
View Hidden Fields  If you select a hidden field from the list of forms and form fields, the hidden field becomes visible in the page OWASP 28
View Hidden Fields select result OWASP 29
Edit Attributes of Forms and Fields  Groundspeed lets you modify, add and remove HTML attributes on the form and the form fields  In the upper list, select the form or the form field that you want to change the attributes  Right-click on the attribute in the lower list and select from the context menu  A double-click on a selected attribute will edit the current value OWASP 30
Edit Attributes of Forms and Fields select right click choose OWASP 31
Change the Type of any Form Field  Groundspeed allows you to change any form field into a textbox with 2 clicks:  Right-click on the element you want to convert  Choose the “Transform into Text Input”  After the change, you can edit the contents of the field directly in the page  Groundspeed will create a label that matches the field “name” or “id” attribute  For “Select” elements, groundspeed adds a “cheat-sheet” with the options that existed in the drop down list OWASP 32
Change the Type of any Form Field right click select result OWASP 33
Changing a Select into textbox right click select result OWASP 34
Other Manipulations in Forms  Other useful things you can do in a form:  Add a new form fields  Make the form submit in a new window (so you don’t have to manipulate the interface all over again)  Change all hidden fields into textboxes  Save all form field values (and clear the saved values)  Remove all JavaScript event handlers (in the form and its fields)  These are all options available when right clicking the form in the list OWASP 35
Other Manipulations in Forms OWASP 36
Other Manipulations in Fields  Other useful things you can do in a text or hidden field:  Remove length limits (so you can add more data)  Modify size (so the field looks bigger in the page)  Encode and decode the contents (Base64, Hex, HTML Entities, Unicode, URL Encode)  Hash the contents of the field (MD5, SHA1)  Remove all JavaScript Event Handlers  These options are available when you right-click on a field in the list OWASP 37
Other field manipulation options OWASP 38
Groundspeed  Adapts the web application interface to fit the needs of the security tester  What you need, where you need: no friction  Eliminates the complex secondary tasks  Allows input validation to be performed from the interface  Eliminates the mapping problem OWASP 39
Groundspeed Limitations and Bugs  Groundspeed does not work with poorly designed pages (where layout is made with HTML tables) because of DOM hierarchy  Groundspeed does not see JavaScript event handlers that are set programmatically using JavaScript OWASP 40

Recommended

A Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesA Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesRafael Brinhosa
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
Blueinfy Solutions
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
05 20254 financial stock application
05 20254 financial stock application05 20254 financial stock application
05 20254 financial stock application
IAESIJEECS
 
ReST (Representational State Transfer) Explained
ReST (Representational State Transfer) ExplainedReST (Representational State Transfer) Explained
ReST (Representational State Transfer) Explained
Dhananjay Nene
 
Mule webservices in detail
Mule webservices in detailMule webservices in detail
Mule webservices in detail
Shahid Shaik
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
Vladimir Bacvanski, PhD
 

Recommended

A Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesA Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesRafael Brinhosa
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
Blueinfy Solutions
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
05 20254 financial stock application
05 20254 financial stock application05 20254 financial stock application
05 20254 financial stock application
IAESIJEECS
 
ReST (Representational State Transfer) Explained
ReST (Representational State Transfer) ExplainedReST (Representational State Transfer) Explained
ReST (Representational State Transfer) Explained
Dhananjay Nene
 
Mule webservices in detail
Mule webservices in detailMule webservices in detail
Mule webservices in detail
Shahid Shaik
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
Vladimir Bacvanski, PhD
 
Restful webservices
Restful webservicesRestful webservices
Restful webservices
Luqman Shareef
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)
David Krmpotic
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
Halil Burak Cetinkaya
 
Web Programming
Web ProgrammingWeb Programming
Web Programming
VijayapriyaP1
 
ASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP Fundamentals
Ido Flatow
 
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
BizTalk360
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
Prateek Tandon
 
Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1
Vinod Wilson
 
MS
MSMS
MSAustin Byers
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web API
Eyal Vardi
 
Web development with ASP.NET Web API
Web development with ASP.NET Web APIWeb development with ASP.NET Web API
Web development with ASP.NET Web API
Damir Dobric
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB API
Pankaj Bajaj
 
Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
REST - Representational State Transfer
REST - Representational State TransferREST - Representational State Transfer
REST - Representational State Transfer
Peter R. Egli
 
JSON and REST
JSON and RESTJSON and REST
JSON and REST
Robert MacLean
 
Web services - REST and SOAP
Web services - REST and SOAPWeb services - REST and SOAP
Web services - REST and SOAPCompare Infobase Limited
 
The Rest Architectural Style
The Rest Architectural StyleThe Rest Architectural Style
The Rest Architectural Style
Robert Wilson
 
Intoduction to php web services and json
Intoduction to php web services and jsonIntoduction to php web services and json
Intoduction to php web services and jsonbaabtra.com - No. 1 supplier of quality freshers
 
Scalability Manuscript for Star98
Scalability Manuscript for Star98Scalability Manuscript for Star98
Scalability Manuscript for Star98Steve Oubre
 
Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web api
Maurice De Beijer [MVP]
 
Groundspeed Presentation at the OWASP NY/NJ
Groundspeed Presentation at the OWASP NY/NJGroundspeed Presentation at the OWASP NY/NJ
Groundspeed Presentation at the OWASP NY/NJ
Felipe M
 
Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application Interfaces
Felipe M
 

More Related Content

What's hot

Restful webservices
Restful webservicesRestful webservices
Restful webservices
Luqman Shareef
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)
David Krmpotic
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
Halil Burak Cetinkaya
 
Web Programming
Web ProgrammingWeb Programming
Web Programming
VijayapriyaP1
 
ASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP Fundamentals
Ido Flatow
 
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
BizTalk360
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
Prateek Tandon
 
Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1
Vinod Wilson
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web API
Eyal Vardi
 
Web development with ASP.NET Web API
Web development with ASP.NET Web APIWeb development with ASP.NET Web API
Web development with ASP.NET Web API
Damir Dobric
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB API
Pankaj Bajaj
 
REST - Representational State Transfer
REST - Representational State TransferREST - Representational State Transfer
REST - Representational State Transfer
Peter R. Egli
 
JSON and REST
JSON and RESTJSON and REST
JSON and REST
Robert MacLean
 
The Rest Architectural Style
The Rest Architectural StyleThe Rest Architectural Style
The Rest Architectural Style
Robert Wilson
 
Scalability Manuscript for Star98
Scalability Manuscript for Star98Scalability Manuscript for Star98
Scalability Manuscript for Star98Steve Oubre
 
Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web api
Maurice De Beijer [MVP]
 

What's hot (20)

Restful webservices
Restful webservicesRestful webservices
Restful webservices
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
Web Programming
Web ProgrammingWeb Programming
Web Programming
 
ASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP Fundamentals
 
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
 
Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1
 
MS
MSMS
MS
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web API
 
Web development with ASP.NET Web API
Web development with ASP.NET Web APIWeb development with ASP.NET Web API
Web development with ASP.NET Web API
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB API
 
Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)
 
REST - Representational State Transfer
REST - Representational State TransferREST - Representational State Transfer
REST - Representational State Transfer
 
JSON and REST
JSON and RESTJSON and REST
JSON and REST
 
Web services - REST and SOAP
Web services - REST and SOAPWeb services - REST and SOAP
Web services - REST and SOAP
 
The Rest Architectural Style
The Rest Architectural StyleThe Rest Architectural Style
The Rest Architectural Style
 
Intoduction to php web services and json
Intoduction to php web services and jsonIntoduction to php web services and json
Intoduction to php web services and json
 
Scalability Manuscript for Star98
Scalability Manuscript for Star98Scalability Manuscript for Star98
Scalability Manuscript for Star98
 
Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web api
 

Similar to Manipulating Web App Interfaces: a new approach to input validation testing

Groundspeed Presentation at the OWASP NY/NJ
Groundspeed Presentation at the OWASP NY/NJGroundspeed Presentation at the OWASP NY/NJ
Groundspeed Presentation at the OWASP NY/NJ
Felipe M
 
Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application Interfaces
Felipe M
 
Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...
Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...
Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...
Vishal Parekh
 
LoadUI web performance testing tool
LoadUI web performance testing toolLoadUI web performance testing tool
LoadUI web performance testing tool
Milind Rupchandani
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing Approach
HarshJ
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing ApproachHarshaVJoshi
 
Hp Loadrunner
Hp LoadrunnerHp Loadrunner
Hp Loadrunner
guestb3416f
 
web 2. 0 performance testing - Dave chadwick
web 2. 0 performance testing - Dave chadwickweb 2. 0 performance testing - Dave chadwick
web 2. 0 performance testing - Dave chadwickRoopa Nadkarni
 
Quiz application system project report..pdf
Quiz application system project report..pdfQuiz application system project report..pdf
Quiz application system project report..pdf
Kamal Acharya
 
Operational API design anti-patterns (Jason Harmon)
Operational API design anti-patterns (Jason Harmon)Operational API design anti-patterns (Jason Harmon)
Operational API design anti-patterns (Jason Harmon)
Nordic APIs
 
Lec6 ecom fall16
Lec6 ecom fall16Lec6 ecom fall16
Lec6 ecom fall16
Zainab Khallouf
 
Load Speed PSI development of webcore vitals
Load Speed PSI development of webcore vitalsLoad Speed PSI development of webcore vitals
Load Speed PSI development of webcore vitals
rahmathidayat471220
 
Ajax and PHP
Ajax and PHPAjax and PHP
Ajax and PHP
John Coggeshall
 
Using Ajax In Domino Web Applications
Using Ajax In Domino Web ApplicationsUsing Ajax In Domino Web Applications
Using Ajax In Domino Web Applicationsdominion
 
Soap UI and postman
Soap UI and postmanSoap UI and postman
Soap UI and postman
Tushar Agarwal
 
Dh2 Apps Training Part2
Dh2 Apps Training Part2Dh2 Apps Training Part2
Dh2 Apps Training Part2jamram82
 
Eric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing ConsiderationsEric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing ConsiderationsAjax Experience 2009
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Science
inventy
 

Similar to Manipulating Web App Interfaces: a new approach to input validation testing (20)

Groundspeed Presentation at the OWASP NY/NJ
Groundspeed Presentation at the OWASP NY/NJGroundspeed Presentation at the OWASP NY/NJ
Groundspeed Presentation at the OWASP NY/NJ
 
Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application Interfaces
 
Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...
Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...
Load ui web Load Testing Open source Performance Testing tool Learn Load UI W...
 
LoadUI web performance testing tool
LoadUI web performance testing toolLoadUI web performance testing tool
LoadUI web performance testing tool
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing Approach
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing Approach
 
Final paper
Final paperFinal paper
Final paper
 
Hp Loadrunner
Hp LoadrunnerHp Loadrunner
Hp Loadrunner
 
web 2. 0 performance testing - Dave chadwick
web 2. 0 performance testing - Dave chadwickweb 2. 0 performance testing - Dave chadwick
web 2. 0 performance testing - Dave chadwick
 
Quiz application system project report..pdf
Quiz application system project report..pdfQuiz application system project report..pdf
Quiz application system project report..pdf
 
Operational API design anti-patterns (Jason Harmon)
Operational API design anti-patterns (Jason Harmon)Operational API design anti-patterns (Jason Harmon)
Operational API design anti-patterns (Jason Harmon)
 
Lec6 ecom fall16
Lec6 ecom fall16Lec6 ecom fall16
Lec6 ecom fall16
 
Load Speed PSI development of webcore vitals
Load Speed PSI development of webcore vitalsLoad Speed PSI development of webcore vitals
Load Speed PSI development of webcore vitals
 
Ajax and PHP
Ajax and PHPAjax and PHP
Ajax and PHP
 
Using Ajax In Domino Web Applications
Using Ajax In Domino Web ApplicationsUsing Ajax In Domino Web Applications
Using Ajax In Domino Web Applications
 
Soap UI and postman
Soap UI and postmanSoap UI and postman
Soap UI and postman
 
Dh2 Apps Training Part2
Dh2 Apps Training Part2Dh2 Apps Training Part2
Dh2 Apps Training Part2
 
Eric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing ConsiderationsEric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing Considerations
 
Beyond The MVC
Beyond The MVCBeyond The MVC
Beyond The MVC
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Science
 

Recently uploaded

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
Globus
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 

Recently uploaded (20)

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 

Manipulating Web App Interfaces: a new approach to input validation testing

  • 1. Manipulating Web Application Interfaces – a New Approach to Input Validation Testing Felipe Moreno-Strauch felipe@wobot.org http://groundspeed.wobot.org AppSec DC Nov 13, 2009 The OWASP Foundation http://www.owasp.org
  • 2. Abstract  This talk will present two arguments against performing input validation testing at the HTTP request level (using proxies) and suggest a new approach: performing input validation testing directly in the user interface  It will also introduce Groundspeed, an open- source add-on for Mozilla Firefox that allows you to modify, on the fly, the forms and form fields in the page loaded in the browser  Groundspeed is available at: http://groundspeed.wobot.org OWASP 2
  • 3. 1. Introduction OWASP 3
  • 4. An Answer with no Question  In the “Hitchhikers Guide to the Galaxy”, some super intelligent beings build a super computer to answer “the ultimate question of life the universe and everything”  After seven and a half million years, the computer gives its answer: “42”  Puzzled and disappointed, they ask the computer what the question was  But the computer is not powerful enough to respond that OWASP 4
  • 5. Information Needs Context to be Useful  In the book, the joke is in the fact that the answer “42” makes no sense without the question  In order to understand the information in the answer, we need to know the question because the question provides context to the answer  This is an usual problem when people try to understand a piece data, and it affects us more than we first imagine  Let’s consider a normal example of interaction with a web application OWASP 5
  • 6. Example: User Submits a Form  User loads a web page with a form  User types a value in a form field and submits  Client side logic validation is executed  Browser creates an HTTP with the input data in a parameter in the GET or POST request  Browser sends the request to the server  Server reads the HTTP request and handles data to application  Application processes the data and responds OWASP 6
  • 7. The Life Cycle of Input Data User “I am John Smith” Types input data in form field User Interface Name: “John Smith” Client Side Logic custname.value = “John Smith”; HTTP Request … &custname=“John Smith”& … To the server OWASP 7
  • 8. Interface Labels Provide Context to Humans  The form label next to the textbox field (for example “Name: ”) is the question being asked to the user  The value typed inside the textbox is the response to that question  As data travels down through the layers, the answer is separated from the question  When considered from the perspective of the HTTP request, the data is no longer in its original context (the labels provided context) OWASP 8
  • 9. Argument 1: The Mapping Problem  Usually this is not a big problem because we can use the HTTP parameter names as “pseudo” labels  But parameter names do not need to match the labels, they are meant for server-side code not for humans so it could be any arbitrary value  In order to compensate for the lack of context, we need to solve this “mapping problem” (mapping label to parameter name), and this makes the test a little more difficult OWASP 9
  • 10. Filling the Gaps  When performing input validation with a proxy, the tester has to solve the mapping problem  We probably figured out some tricks to help with this process:  Typing input data that explain what each field is  Using the source code of the page to map parameters and label names  But these tricks only work well for simple web applications OWASP 10
  • 11. A Problem That Will Get Harder to Solve  The problem is that in order for the tricks to work, we have to assume two conditions:  That one form will translate to one HTTP request, form fields matching HTTP parameters one to one  That submitting one form will cause one HTTP request to be sent, at the time of the click  But those conditions are not true all the time:  As client-side logic gets more complex, data can be consolidated, pre-processed, encoded on the client  AJAX (no synchronicity of the user actions and HTTP)  And things will only get more complicated OWASP 11
  • 12. Argument 2: Working at Two Places  Another problem of working at the HTTP level is that it forces the tester to switch between two worlds (user interface and HTTP)  Ideally, manipulation of the input data should happen in the user interface, but testers have to work at the HTTP level to bypass browser limitations  This switching has a cost associated to it  Let’s consider the task of performing one input validation test on one form field OWASP 12
  • 13. Task Breakdown  In the browser, fill in the field to be tested  Submit the form  Select the proxy window  Scan through the HTTP request to find where the request parameters are located  Scan through the parameters to find the one that needs to be modified  Insert the attack string  Send the request to the server and select the browser window to see the result OWASP 13
  • 14. Hard Problems  Even considering a simple task (1 test on 1 field) there are a lot of steps to complete  Some steps are distracting  But some steps create problems  Scanning through text requires “parsing”  Find the right parameter requires “mapping”  There are even more tasks if some fields are encoded or if there is form validation  There are a lot of secondary steps that do not contribute to the main goal: test input validation OWASP 14
  • 15. Test Friction  Consider now all the tests we have to perform on all the parameters of the web application  There will be a lot of secondary tasks, this is not an optimal process  The secondary steps are like energy that is lost in things that do not contribute to the goal  We could think about them as “test friction”  This is a user experience problem not a usability problem OWASP 15
  • 16. 2. A New Approach OWASP 16
  • 17. Why do We Work at the HTTP Level?  The browser is a tool designed for normal users, so it does not provide all the functionality that web app testers need  A few years ago, to modify the browser was too hard (closed source) and to create a browser from scratch was too much work  Working outside the browser, at the HTTP level was the best alternative  The mapping problem was easy to solve in the old web  The user experience problem was a reasonable price to pay OWASP 17
  • 18. Now Things are Different  Because of the richer web apps, mapping parameters to interface labels is getting harder  The mapping problem might still be tolerable but will only get worse as apps get more complex  Working at the HTTP level forces the tester has to switch between two worlds: user interface (browser) and HTTP (proxy) adding “friction” to the process  Another important change: browsers are now easier to modify (open source and add-on systems) OWASP 18
  • 19. Suggesting a New Approach  We should reconsider the strategy for input validation tests  It makes sense to keep some tests at the HTTP level  But most could benefit from work at the interface level  It is easier and more efficient to manipulate data from the user interface instead of the HTTP level  That would eliminate the mapping problem  Data makes more sense at the user interface level (bigger chance of business logic exploitation)  Improves user experience for tester (reduces friction) OWASP 19
  • 21. Introducing Groundspeed  Groundspeed is an open-source add-on for Mozilla Firefox (http://groundspeed.wobot.org)  Groundspeed allows a tester to perform input validation testing from the web app user interface  Groundspeed modify the browser in order to adapt it to the needs of web app testers:  Manipulate the application’s user interface  Remove client side validation and other limitations OWASP 21
  • 22. Download and Install Groundspeed  Visit http://groundspeed.wobot.org  The following screenshots were taken on demo forms available at groundspeed.wobot.org/demo OWASP 22
  • 23. How to Start Groundspeed  In order to start working with groundspeed, open the sidebar using: Tools – Groundspeed  Once groundspeed is open, load the form information from the current page using the “Reload” button OWASP 23
  • 24. How to Start Groundspeed click click OWASP 24
  • 25. Select a Form or a Form Field  The groundspeed sidebar has two sections  The top section lists the forms and fields in the page  The bottom section lists the HTML attributes of the selected form or form element  Select one form or field in the list in the top section, and groundspeed will highlight that element in the page and display its attributes in the lower part of the sidebar OWASP 25
  • 26. View the Selected Form and its Attributes select result result OWASP 26
  • 27. View the Selected Field and its Attributes select result result OWASP 27
  • 28. View Hidden Fields  If you select a hidden field from the list of forms and form fields, the hidden field becomes visible in the page OWASP 28
  • 29. View Hidden Fields select result OWASP 29
  • 30. Edit Attributes of Forms and Fields  Groundspeed lets you modify, add and remove HTML attributes on the form and the form fields  In the upper list, select the form or the form field that you want to change the attributes  Right-click on the attribute in the lower list and select from the context menu  A double-click on a selected attribute will edit the current value OWASP 30
  • 31. Edit Attributes of Forms and Fields select right click choose OWASP 31
  • 32. Change the Type of any Form Field  Groundspeed allows you to change any form field into a textbox with 2 clicks:  Right-click on the element you want to convert  Choose the “Transform into Text Input”  After the change, you can edit the contents of the field directly in the page  Groundspeed will create a label that matches the field “name” or “id” attribute  For “Select” elements, groundspeed adds a “cheat-sheet” with the options that existed in the drop down list OWASP 32
  • 33. Change the Type of any Form Field right click select result OWASP 33
  • 34. Changing a Select into textbox right click select result OWASP 34
  • 35. Other Manipulations in Forms  Other useful things you can do in a form:  Add a new form fields  Make the form submit in a new window (so you don’t have to manipulate the interface all over again)  Change all hidden fields into textboxes  Save all form field values (and clear the saved values)  Remove all JavaScript event handlers (in the form and its fields)  These are all options available when right clicking the form in the list OWASP 35
  • 36. Other Manipulations in Forms OWASP 36
  • 37. Other Manipulations in Fields  Other useful things you can do in a text or hidden field:  Remove length limits (so you can add more data)  Modify size (so the field looks bigger in the page)  Encode and decode the contents (Base64, Hex, HTML Entities, Unicode, URL Encode)  Hash the contents of the field (MD5, SHA1)  Remove all JavaScript Event Handlers  These options are available when you right-click on a field in the list OWASP 37
  • 38. Other field manipulation options OWASP 38
  • 39. Groundspeed  Adapts the web application interface to fit the needs of the security tester  What you need, where you need: no friction  Eliminates the complex secondary tasks  Allows input validation to be performed from the interface  Eliminates the mapping problem OWASP 39
  • 40. Groundspeed Limitations and Bugs  Groundspeed does not work with poorly designed pages (where layout is made with HTML tables) because of DOM hierarchy  Groundspeed does not see JavaScript event handlers that are set programmatically using JavaScript OWASP 40