1. Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help

   September 22, 2010

   Stephen Donner, WebQA Lead
   Michael Coates, Web-Applications Security Guru
   Mozilla Corporation
2. Overview

  • Types of Attacks / Vulnerabilities (just a few)
  • Why Use Tools / Benefits?
  • Web-App Performance
  • Load-Testing Sites
  • Security / Fuzzing
  • Link Checkers
  • Gotchas / Pitfalls
  • Recommendations / Best Practices

  9/22/2010 2 Mozilla WebQA
3. Types of Attacks / Vulnerabilities (just a few)

  • CSRF - Cross-Site Request Forgery
      • “An attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing.” [1]
  • XSS - Cross-Site Scripting
      • “...malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user [...] the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.” [2]

  Sources:
      • [1] http://www.owasp.org/index.php/CSRF
      • [2] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
4. Types of Attacks / Vulnerabilities (just a few)

  • SQL Injection - http://www.owasp.org/index.php/SQL_Injection
      • “injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.” [3]
  • ...and many more:
      • OWASP list of attacks
      • OWASP list of vulnerabilities

  Sources:
      • [3] http://www.owasp.org/index.php/
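The three attack classes on slides 3 and 4, as an added worked example in Python. This is not code from the slides or from Mozilla: each handler is shown in a vulnerable form beside its fix (parameterised SQL, HTML output encoding, a session-bound CSRF token compared in constant time). The handler names, the in-memory SQLite schema, the session id and the secret key are all invented for the demo.

```python
"""Added example, not from the Mozilla WebQA slides: the CSRF, XSS and SQL
injection patterns from slides 3-4, each as a vulnerable handler beside its
fix. The handler names, the in-memory SQLite schema and the session/secret
values are all invented for this demo."""
import hashlib
import hmac
import html
import secrets
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return db


def search_vulnerable(db, name):
    # Client input is spliced into the query text (SQL injection) and then
    # echoed into the page unencoded (reflected XSS).
    rows = db.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()
    items = "".join(f"<li>{n} ({e})</li>" for n, e in rows)
    return f"<p>Results for {name}:</p><ul>{items}</ul>"


def search_hardened(db, name):
    # Parameterised query: the driver passes `name` as data, never as SQL text.
    rows = db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()
    # Output encoding for the HTML body context, applied to every untrusted value.
    items = "".join(f"<li>{html.escape(n)} ({html.escape(e)})</li>" for n, e in rows)
    return f"<p>Results for {html.escape(name)}:</p><ul>{items}</ul>"


# Per-deployment secret used to derive CSRF tokens (constructed at import here).
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session id)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id, form):
    # Trusts the session cookie alone, so a form auto-submitted from an
    # attacker's page in the victim's browser is indistinguishable from a real one.
    return f"transferred {form['amount']} to {form['to']}"


def transfer_hardened(session_id, form):
    # The attacker's page cannot read the victim's token, so it cannot supply it.
    expected = csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    db = make_db()
    for payload in ["' OR '1'='1", "<script>alert(1)</script>"]:
        print(search_vulnerable(db, payload))   # leaks every row / reflects the script
        print(search_hardened(db, payload))     # no rows / script rendered inert
    forged = {"amount": "1000", "to": "mallory"}  # what a CSRF page would POST
    print(transfer_vulnerable("sess-42", forged))
    print(transfer_hardened("sess-42", forged))
    print(transfer_hardened("sess-42", {**forged, "csrf_token": csrf_token("sess-42")}))
```

The `' OR '1'='1` payload turns the vulnerable query's `WHERE` clause into a tautology and dumps both rows; against the parameterised query it is just a name nobody has. The same string, and the `<script>` payload, come back from `search_hardened` as entity-encoded text. For CSRF, a cross-origin form post carries the victim's cookie but not the token, so only the request that includes the token issued for that session is accepted.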
5. Why Use Tools / Benefits?

  • Saves time
  • Increases/augments manual coverage
  • Ensures a certain set of tests run every time
      • (Eliminates the human-failure component)
  • Can help educate the tester
6. Web-App Performance Sites / Add-ons

  • Performance-Testing Sites:
      • BrowserMob - http://browsermob.com
      • Webpagetest - http://www.webpagetest.org/
  • Firefox Add-ons:
      • Firebug - http://getfirebug.com/
      • YSlow! - http://developer.yahoo.com/yslow/
7. Load-Testing Sites

  • Load Impact - http://loadimpact.com/
  • Load Labs - http://loadlabs.com/
  • Gomez - http://www.gomez.com
8. Load / Performance-Testing Tools

  • Siege - http://www.joedog.org/index/siege-home
      • siege -c50 -r150 -i http://input.stage.mozilla.com
        (-c: concurrent simulated users, -r: repetitions per user)
  • ab (ApacheBench) - http://httpd.apache.org/docs/2.0/programs/ab.html
      • ab -c 150 -n 600 http://preview.addons.mozilla.org:81/en-US/firefox/collection/enkei (run on Khan)
        (-c: concurrent requests, -n: total requests)
  • JMeter - http://jakarta.apache.org/jmeter/
      • Benchmarking/performance/stress-testing
  • logreplay - http://github.com/oremj/logreplay
      • Takes Apache access logs and, well, replays them :-)
  • All but JMeter used for AMO: https://wiki.mozilla.org/User:Clouserw/AMO/loadtest
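What the siege and logreplay invocations above do, as an added in-process example in Python. This is not code from the slides or from siege, ab or logreplay: it extracts request paths from constructed Apache combined-format log lines the way logreplay would, then has a fixed number of worker threads (siege's `-c`) each replay them a fixed number of times (siege's `-r`) against a throwaway HTTP server on the loopback interface, and reports throughput and latency percentiles. The log lines, the handler and the concurrency numbers are all invented for the demo.

```python
"""Added example, not code from the slides or from siege, ab or logreplay: an
in-process sketch of what `siege -c50 -r150` and logreplay do together.
It pulls request paths from constructed Apache combined-format log lines,
then has `concurrency` worker threads each replay them `repetitions` times
against a throwaway HTTP server on the loopback interface, and reports
throughput and latency percentiles. Log lines, handler and numbers are invented."""
import re
import statistics
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample of Apache "combined" log lines.
ACCESS_LOG = """\
10.0.0.5 - - [22/Sep/2010:10:00:01 -0700] "GET /en-US/firefox/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [22/Sep/2010:10:00:02 -0700] "GET /en-US/firefox/collection/enkei HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [22/Sep/2010:10:00:03 -0700] "POST /api/search HTTP/1.1" 200 64 "-" "curl/7.21"
10.0.0.8 - - [22/Sep/2010:10:00:04 -0700] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def paths_from_log(text):
    """logreplay-style extraction: keep successful GETs only, since replaying
    POSTs would repeat writes and 404s would only measure the error page."""
    paths = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and m["method"] == "GET" and m["status"] == "200":
            paths.append(m["path"])
    return paths


class EchoHandler(BaseHTTPRequestHandler):
    """Throwaway target that answers 200 to any GET."""
    def do_GET(self):
        body = f"ok {self.path}\n".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet under load
        pass


def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)  # port 0: pick a free one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def load_test(base_url, paths, concurrency=10, repetitions=5):
    """siege-style run: `concurrency` simulated users each walk `paths` `repetitions` times."""
    latencies, statuses, lock = [], [], threading.Lock()

    def user():
        for _ in range(repetitions):
            for path in paths:
                t0 = time.perf_counter()
                try:
                    with urllib.request.urlopen(base_url + path, timeout=5) as resp:
                        resp.read()
                        status = resp.status
                except urllib.error.HTTPError as err:
                    status = err.code
                with lock:
                    latencies.append(time.perf_counter() - t0)
                    statuses.append(status)

    started = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        for future in [pool.submit(user) for _ in range(concurrency)]:
            future.result()  # re-raise any connection error instead of hiding it
    elapsed = time.perf_counter() - started
    latencies.sort()
    return {
        "requests": len(latencies),
        "failures": sum(1 for s in statuses if s != 200),
        "elapsed_s": round(elapsed, 3),
        "req_per_s": round(len(latencies) / elapsed, 1),
        "p50_ms": round(1000 * statistics.median(latencies), 2),
        "p95_ms": round(1000 * latencies[int(0.95 * (len(latencies) - 1))], 2),
    }


if __name__ == "__main__":
    server = start_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    print(load_test(base, paths_from_log(ACCESS_LOG), concurrency=10, repetitions=5))
    server.shutdown()
```

Two choices carry over to real runs: filter the replayed log down to idempotent requests so a load test never repeats a write, and report a high percentile rather than only the mean, since the tail is what users of a saturated server notice. Point this at anything other than a host you own only with permission; `-c 150` against a shared staging box is a denial of service from the network's point of view.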
9. Security / Fuzzing

  • PowerFuzzer:
      • http://www.powerfuzzer.com/
  • XSS Me:
      • http://labs.securitycompass.com/index.php/exploit-me/xss-me/
  • SQL Inject Me:
      • http://labs.securitycompass.com/index.php/exploit-me/sql-inject-me/
  • TamperData:
      • https://addons.mozilla.org/en-US/firefox/addon/966/
  • Acunetix (XSS only):
      • http://www.acunetix.com/cross-site-scripting/scanner.htm
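The kind of check XSS Me and SQL Inject Me perform, as an added example in Python. This is not code from the slides or from the Exploit-Me add-ons: a small harness substitutes payloads into each request parameter and flags the two signals those tools look for, the payload markup reflected unencoded and database error text in the response. `demo_app` is a constructed stand-in for a real endpoint with one unsafe and one safe parameter; the payload list and the error-signature regex are abbreviated and assumed.

```python
"""Added example, not from the slides or the Exploit-Me add-ons: the core of
a parameter fuzzer in the spirit of XSS Me / SQL Inject Me. It substitutes
payloads into each request parameter and flags the two signals those tools
look for: the payload markup reflected unencoded, and database error text in
the response. `demo_app` is a constructed stand-in for a real endpoint; the
payload and error-signature lists are abbreviated and assumed."""
import html
import re
import secrets
import sqlite3

# Each XSS payload carries a random canary so a hit can be tied to one probe.
XSS_PAYLOADS = [
    '<script>alert("{c}")</script>',
    '"><img src=x onerror=alert({c})>',
]
SQLI_PAYLOADS = ["'", "' OR '1'='1", "' UNION SELECT null--", "1; DROP TABLE x--"]
# Error fragments that surface when concatenated SQL breaks (assumed list).
SQL_ERROR_RE = re.compile(
    r"(syntax error|unrecognized token|sqlite3\.|SQLSTATE\[|ORA-\d{5}|You have an error in your SQL)",
    re.IGNORECASE)


def fuzz(handler, params):
    """Return findings as (param, kind, payload) for handler(params) -> HTML body."""
    findings = []
    for name in params:
        for template in XSS_PAYLOADS:
            payload = template.format(c=secrets.token_hex(4))
            body = handler({**params, name: payload})
            # If the raw markup survives, the app did not encode it for HTML.
            if payload in body:
                findings.append((name, "xss", payload))
        for payload in SQLI_PAYLOADS:
            body = handler({**params, name: payload})
            if SQL_ERROR_RE.search(body):
                findings.append((name, "sqli", payload))
    return findings


def demo_app(params):
    """Constructed endpoint: `q` is spliced into SQL and HTML unsafely, while
    `page` is encoded and never reaches the database, so only `q` should fire."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    db.execute("INSERT INTO items VALUES ('widget')")
    try:
        rows = db.execute(
            f"SELECT name FROM items WHERE name LIKE '%{params['q']}%'").fetchall()
    except sqlite3.Error as exc:
        # Verbose error page: exactly the leak SQL Inject Me keys on.
        return f"<h1>500</h1><pre>sqlite3.{type(exc).__name__}: {exc}</pre>"
    page = html.escape(params.get("page", "1"))
    return f"<p>page {page}: {len(rows)} hits for {params['q']}</p>"


if __name__ == "__main__":
    for param, kind, payload in fuzz(demo_app, {"q": "widget", "page": "1"}):
        print(f"{kind.upper():4} in parameter {param!r}: {payload}")
```

Both signals are heuristics, which is the point of the "know the tool and its limits" slides later on: a payload that is stored and rendered on a different page (stored XSS) or an injection that changes results without raising an error (the `' OR '1'='1` probe here) passes silently, so a clean run is evidence, not proof. The `page` parameter is the negative control: encoded output and a parameter that never reaches SQL produce no findings.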
10. Link Checkers

  • Xenu
      • http://home.snafu.de/tilman/xenulink.html
  • W3C
      • http://validator.w3.org/checklink/
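The core loop of a link checker such as Xenu or the W3C checker, as an added example in Python. This is not code from the slides or from either tool: it crawls a constructed in-memory site from a start URL, resolves relative hrefs with `urljoin`, follows same-origin links only, and reports each broken target together with the page that linked to it plus the off-site links it recorded but did not follow. `SITE` and `fetch` are stand-ins for a real server and an HTTP GET.

```python
"""Added example, not code from the slides, Xenu or the W3C checker: the core
loop of a link checker. It crawls a constructed in-memory site from a start
URL, resolves relative hrefs with urljoin, follows same-origin links only,
and reports each broken target with the page that linked to it plus the
off-site links it did not follow. `fetch` is a stand-in for an HTTP GET."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Constructed site: path -> HTML body. Any other path is a 404.
SITE = {
    "/": '<a href="/about">About</a> <a href="docs/index.html">Docs</a> '
         '<a href="http://example.org/">Partner</a> <a href="#top">Top</a>',
    "/about": '<a href="/">Home</a> <a href="/team">Team</a> <img src="/img/logo.png">',
    "/docs/index.html": '<a href="../about">About</a> <a href="guide.html">Guide</a>',
    "/docs/guide.html": '<a href="mailto:webqa@example.org">Mail us</a> <a href="index.html">Up</a>',
    "/img/logo.png": "",
}


def fetch(url):
    """Stand-in for an HTTP GET against SITE: returns (status, body)."""
    path = urlsplit(url).path or "/"
    return (200, SITE[path]) if path in SITE else (404, "")


class LinkExtractor(HTMLParser):
    """Collects the URL-bearing attributes a checker cares about."""
    URL_ATTRS = {"a": "href", "link": "href", "img": "src", "script": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)


def check_links(start_url, fetch=fetch):
    origin = urlsplit(start_url).netloc
    queue = deque([(start_url, None)])       # (url, referring page)
    seen, broken, external = {start_url}, [], set()
    while queue:
        url, referrer = queue.popleft()
        status, body = fetch(url)
        if status != 200:
            broken.append((url, status, referrer))
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for raw in parser.links:
            target, _fragment = urldefrag(urljoin(url, raw))  # #anchor variants are one resource
            parts = urlsplit(target)
            if parts.scheme not in ("http", "https"):
                continue                      # mailto:, javascript:, data: are not fetched
            if parts.netloc != origin:
                external.add(target)          # recorded, not crawled
            elif target not in seen:
                seen.add(target)
                queue.append((target, url))
    return {"checked": len(seen), "broken": broken, "external": sorted(external)}


if __name__ == "__main__":
    report = check_links("http://localhost/")
    print(f"checked {report['checked']} pages")
    for url, status, referrer in report["broken"]:
        print(f"BROKEN {status} {url} (linked from {referrer})")
    for url in report["external"]:
        print(f"external (not followed): {url}")
```

Recording the referrer is what makes a report actionable: "404 /team" alone says nothing about which page to fix. Staying on the origin and skipping non-HTTP schemes keeps the crawler from wandering off-site, which is also why a checker run against staging should be given a start URL and a host allow-list rather than a free rein.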
11. Gotchas / Pitfalls

  • Over-reliance on automated tools/websites
  • “One test tool fits all” fallacy
  • Not knowing the tool and its limits / strengths
  • Once is (usually) never enough
  • Not knowing enough about your system / infrastructure
12. Recommendations / Guidelines

  • Balance your testing: augment manual with automation
  • Pick the best tool for the task
  • Read up on tools (from multiple sources) before and during use
  • Run them often: in the background of a VM while manually testing
  • Read up on/ask about your framework; look for published vulnerabilities (Drupal, anyone?)
13. References

  • OWASP Top 10
      • http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • Security-coding guidelines for Developers:
      • https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
  • Security-coding checklist for QA:
      • https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
  • Web Test Tools:
      • http://www.softwareqatest.com/qatweb1.html
  • Security Test Tools:
      • http://www.softwareqatest.com/qatweb1.html#SECURITY
14. Thank You!

  • WebQA homepage:
      • https://wiki.mozilla.org/QA/Execution/Web_Testing
  • Get Involved:
      • http://quality.mozilla.org/docs/webqa/get-involved/
  • Contact Us:
      • IRC: #mozwebqa on irc.mozilla.org
      • Mailing List: mozwebqa@mozilla.org
15. Questions?