Chapter 3: The Tools of the Trade – Security Testing Handbook for Banking Applications

CHAPTER 3: THE TOOLS OF THE TRADE
Thus far, we have seen how to create threat profiles, create
test plans and construct test cases. The actual testing is a
combination of manual testing techniques and automated
scanners. In this chapter, we’ll look at the tools used for
testing applications. As different types of applications
require different types of tools to test, we look at tools for
several popular categories of applications:
web applications
thick clients
terminal services
Java applets
web services
embedded systems
mobile/cell phones.
The emphasis is on tools for web applications and thick
client applications as they form the largest part of the
applications today.
Web applications
RoboForm
RoboForm is a useful support tool for the security tester. It
does not directly help find vulnerabilities, but it assists in
speeding up the testing. RoboForm remembers passwords
and is used to fill in passwords on login pages
automatically. You can have one master password to access
RoboForm. Passcards are created in the tool and you have to
select the appropriate passcard for login. The tool is very
helpful in applications with a large number of privilege
levels where we have to remember and type in many
username–password combinations.
Figure 1: RoboForm
Burp Intruder
SQL injection and cross-site scripting (XSS) attacks are
two important types of attack in application security testing.
Both of them have to be performed on many variables
throughout the application. XSS has to be tested on each
and every input variable, while SQL injection has to be
tested on all variables that form part of an SQL query.
Consider a 200-page application with an average of 5 user
inputs per page – that makes it 1,000 user inputs to test for
XSS, and probably a similar number to test for SQL
injection. It is tedious to manually test 1,000 variables.
Hence we automate the basic tests for both these attacks
and if the basic tests are successful, we’ll do specific
complex tests manually.
Burp Intruder, available as part of the Burp Suite, is a
useful tool for automating XSS and SQL injection testing.
Just send an HTTP request (by selecting it from history) to
Intruder, and Intruder automatically identifies the variables
to test. You can also select/de-select more variables, if you
want.
Figure 2: Burp Intruder
Select the payloads that you would like to use as your test
cases – these are usually test cases for basic SQL injection
or a basic XSS. In the options field, enter the string you
want to look for in the response. The presence of that string
confirms the presence of SQL injection or XSS. Burp
Intruder will now launch a range of attacks, using all your
payloads on all selected variables. The output will display
whether each response contains the signature string you are
looking for to confirm the attack.
Figure 3: Burp Intruder – response
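The Intruder workflow described above (mark the variables of one captured request, substitute each payload into each position in turn, flag responses containing a signature string) as an added example; this is not code from the handbook or from Burp Suite. The two request handlers are constructed stand-ins for an application under test, one with unescaped reflection and a concatenated query, one hardened, so the harness has something to find and something to confirm as fixed.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for the application under test: takes the parsed
# query string of a GET request and returns the HTML body. Not real code
# from any product; it only models two classic defects.
def vulnerable_app(params: dict) -> str:
    user = params.get("user", "")
    q = params.get("q", "")
    # Models a string-concatenated SQL query: a stray quote breaks the
    # statement and the database error text leaks into the page.
    if "'" in user:
        return "<p>You have an error in your SQL syntax</p>"
    # Models unescaped reflection of the search term.
    return f"<p>Results for {q} (user {html.escape(user)})</p>"

def hardened_app(params: dict) -> str:
    # Models a parameterised query (input cannot change statement structure,
    # so no error surfaces) plus HTML-escaping before reflection.
    user = html.escape(params.get("user", ""))
    q = html.escape(params.get("q", ""))
    return f"<p>Results for {q} (user {user})</p>"

# Intruder-style "sniper" run over one captured GET request: each selected
# position receives each payload in turn while the other parameters keep
# their recorded values; a hit is a response containing the signature.
def sniper_run(handler, query_string: str, positions, checks):
    base = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    hits = []
    for name in positions:
        for payload, signature in checks:
            params = dict(base, **{name: payload})
            if signature in handler(params):
                hits.append((name, payload))
    return hits

# Constructed captured request and two basic probes: a single quote whose
# signature is a database error string, and a harmless tag-like marker whose
# signature is its own unescaped reflection.
CAPTURED_QUERY = "user=alice&q=balance&page=1"
CHECKS = [("'", "error in your SQL syntax"), ("<probe>", "<probe>")]

def scan(handler):
    return sniper_run(handler, CAPTURED_QUERY, ["user", "q", "page"], CHECKS)

if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_app))  # [('user', "'"), ('q', '<probe>')]
    print("hardened:", scan(hardened_app))      # []
```

The `page` parameter produces no hit in either variant, which is the expected result for a position that is neither reflected nor used in a query.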
CSRFTester
Figure 4: CSRFTester
CSRFTester from the Open Web Application Security
Project (OWASP) is used to test applications for cross-site
request forgery. It simplifies the process of creating the
HTML pages to forge the request. For testing, we first
configure our browser to use CSRFTester as a proxy. Log in
to the application and navigate to the section to be
tested. Click ‘Start Recording’ in CSRFTester and
perform the activity that you want to test so that the tool
can capture the information. Finally, click ‘Generate
HTML’ to generate an HTML page that performs the CSRF request.
Paros Proxy
Launching parameter manipulation attacks requires traffic
to be intercepted, manipulated and then forwarded to the
web server. Proxy editors are useful to intercept and edit
requests from our browser. We first run the proxy editor on
our computer and point our browser to it. The proxy in turn
forwards the traffic to the web server. All requests and
responses now get captured in the proxy editor and we can
manipulate them before forwarding. This way we can
launch a parameter manipulation attack.
There are various web proxies available freely; some of
them are described next.
Paros Proxy is a web proxy editor which provides us with
data capturing and other functionality. Using it as a local
proxy needs the browser to be pointed locally, i.e. to
127.0.0.1. Doing so, the data from the browser gets captured in
the Paros local proxy, where we can edit, forward or drop
the requests. Alternatively, we can let the data pass through and
simply record everything in Paros for later analysis.