Security Testing Tips: Part II

In the second part of his blog post “Security Testing Tips From a Bug Battle Winner”, uTester Bernard Lelchuk takes a closer look at some of the more effective tools to use when performing security testing.

There are quite a few attack-oriented testing tools that can make security testing easier and more productive for novice and veteran testing engineers alike. I will not list all of them here, but rather cover the most essential, common and interesting FREE tools. So here they are, in no particular order:

Wireshark
A comprehensive yet easy-to-use protocol analyzer (sniffer) which will allow you to view, filter and analyze all network transmissions. (http://www.wireshark.org/)

Paros Proxy
Acts as a proxy which allows the tester to intercept and modify all HTTP/S data between server and client, including cookies and form fields. (http://www.parosproxy.org/index.shtml)

Burp Suite (Man-In-The-Middle)
Integrated platform for attacking web applications which contains several interfaces for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting and extensibility. Acts as a man-in-the-middle between client and server, thus allowing the tester to intercept and modify all HTTP requests between both parties. (http://portswigger.net/suite/)

WebScarab
A plugin-based framework for analyzing and modifying all HTTP/S requests and responses between the browser and the server. (http://www.owasp.org/index.php/OWASP_WebScarab_Project)

Here are a few Firefox add-ons that you may also find useful:

SQL Injection 1.2:
A component that transforms check boxes, radio buttons and select elements into text inputs and re-enables disabled elements in all forms on a page. Because every form value can then be edited freely, it makes it easier to test for and identify SQL injection vulnerabilities in web pages. (https://addons.mozilla.org/en-US/firefox/addon/6727)

Security Compass tools:
A set of 3 security testing attack tools which are easy to run at any time, even with no prior background in security testing. Just install and run each application against a website and review the generated report. It gives you a detailed report of all executed commands – just read and learn :)

Access Me
Access vulnerabilities in an application can allow an attacker to reach protected resources without being authenticated. Access-Me is a Firefox extension used to test for these types of vulnerabilities. (https://addons.mozilla.org/en-US/firefox/addon/7595)

SQL Inject me
SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can potentially view records, delete records, drop tables or gain access to your server. SQL Inject-Me is a Firefox extension used to test for SQL Injection vulnerabilities.
https://addons.mozilla.org/en-US/firefox/addon/7597
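The two add-ons above make the same point from the tester's side: a value that the page only offers through a select box or radio button is still attacker-controlled once the form is tampered with. The server-side consequence, as an added example that is not part of the original post (a constructed in-memory SQLite table stands in for the application's database; the handler names are hypothetical):

```python
import sqlite3

# Constructed sample data standing in for the application's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")],
    )
    conn.commit()
    return conn

# The values the <select name="role"> element is supposed to offer.
ALLOWED_ROLES = {"user", "admin"}


def list_by_role_vulnerable(conn, role):
    """Trusts the select-box value and concatenates it into the query.

    Works for 'user' and 'admin'; once the field is turned into a free
    text input, whatever the tester types becomes part of the SQL.
    """
    sql = f"SELECT name FROM users WHERE role = '{role}'"
    return sorted(row[0] for row in conn.execute(sql))


def list_by_role_hardened(conn, role):
    """Returns (http_status, names).

    Validates against the allow-list the form implies, then binds the
    value as a parameter so it can never be interpreted as SQL.
    """
    if role not in ALLOWED_ROLES:
        return 400, []
    rows = conn.execute("SELECT name FROM users WHERE role = ?", (role,))
    return 200, sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    tampered = "user' OR '1'='1"       # what a freed-up text field might carry
    print("vulnerable:", list_by_role_vulnerable(db, tampered))  # every user leaks
    print("hardened:  ", list_by_role_hardened(db, tampered))    # (400, [])
```

Even without the allow-list, the parameterized query would compare the tampered string literally and return no rows; the allow-list additionally rejects values the form never offered, which is what a report from these add-ons is really checking for.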

XSS Me
Cross-Site Scripting (XSS) is a common flaw found in today’s web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

https://addons.mozilla.org/en-US/firefox/addon/7598

Security Compass’s home page:
http://www.securitycompass.com/s

Tamper Data
View and modify HTTP/HTTPS headers and POST parameters. It is similar in purpose to Burp Suite; however, it offers only basic and limited data tampering capabilities, directly from within Firefox.
https://addons.mozilla.org/en-US/firefox/addon/966

Tool Selection:
Selecting a security testing tool from the list above (or an additional tool) should not be a hassle, whatever your expertise level.

  • If you need to start out with monitoring traffic, then use the Wireshark tool, which I find to be the easiest and most productive tool in my daily work as a QA professional.
  • For tampering with data, start with either Burp Suite or, if you feel more comfortable testing directly in your browser, the FF add-on Tamper Data.
  • For injection attacks, just install the 3-pack of Security Compass and experiment with it.

As an extra, here are some nice security testing sources for you.

Sources:
http://www.isecom.org/
http://www.owasp.org/index.php/Main_Page
http://www.opensourcetesting.org/security.php
http://www.sqaforums.com/postlist.php?Cat=0&Board=UBB19
http://www.cigital.com/papers/download/bsi4-testing.pdf

I’d love to receive your comments, questions or experiences you may have had with security testing.

Happy testing!
Bernard Lelchuk

6 Responses to “Security Testing Tips: Part II”

  1. Daily News About Software : A few links about Software - Tuesday, 26 May 2009 12:12 said:

    [...] Security Testing Tips: Part II [...]

  2. Doron said:

    Like the 1st one – wonderful !
    Great post.
    Keep writing!

  3. Ganesh said:

    Very Useful…Thanks

  4. Security Developer said:

    That’s what I searched for

  5. Our Guest Blogger Series: 2009 Year in Review | Software Testing Blog said:

    [...] Security Testing Tips (from a Bug Battle Winner) – by Bernard Shai Lelchuck: When it comes to security testing, few can match the expertise of Bernard Shai Lelchuck – one of uTest’s first (and finest) QA professionals. In this post, Bernard covers the basic methods of security testing, including tips for information gathering, logical attacks and injection attacks. Oh, and here’s Part II. [...]

  6. Web application security testing tools said:

    Hi, Thanks a lot for such a great post. We would like to know more regarding this topic. I want to know more on this topic. Looking forward to hearing from you soon. Thanks for sharing.
