Talking about security testing in software testing

This is the 16th day of my participation in the Gwen Challenge

We have covered black-box and white-box testing and performance testing, but security testing is just as important for software. As the cover image shows, the content looks tempting, and once a user clicks in it is easy to force them into actions they never intended. The consequences are hard to imagine. Doing security testing well, and building a secure software environment together, is therefore essential.

In the following article, you will learn about security testing in software testing. Let's get started.

I. 💿 Security testing concepts

1. Overview of security testing

Security testing is the process of checking an IT software product, throughout its life cycle and especially from the point where development is basically complete up to release, to verify that it meets its defined security requirements and product quality standards.

2. The relationship between security testing and software life cycle

Security testing runs through the entire software life cycle. As shown below:

3. Differences between routine testing and security testing

(1) Different test objectives

Normal testing is aimed at finding bugs;

The goal of security testing is to discover potential security risks.

(2) Different assumptions

Normal testing assumes that problematic data is produced by the user by accident, and generally considers only the user interface;

Security testing assumes that the data causing the problem is deliberately constructed by the attacker, and all possible avenues of attack need to be considered.

(3) Different thinking domains

Normal testing takes the system's functionality as its thinking domain;

The thinking domain of security testing includes not only system functionality but also system mechanisms, the external environment, application and data security risks, and security attributes.

(4) Different problem discovery modes

Normal testing judges a problem by whether the function definition is violated.

Security testing judges a problem by whether permission and capability constraints are violated.

II. 🔍 Basic principles of security testing

1. Develop the right way of thinking

Security testers need to be able to think creatively. Creative thinking helps us consider unexpected situations from the attacker's point of view, guess how the developer built the program, get around the application's defensive logic, and make the program fail in an unsafe way.

2. Test early and test often

Security defects are no different from common bugs, and the earlier you find them, the lower the cost of fixing them. To achieve this, the first step is to train the development and test teams on common security problems in the early stage of software development, and teach them how to detect and fix security defects.

Although new third-party libraries, tools, and programming languages can help developers design more secure programs, new threats keep emerging. It is best for developers to stay aware of new security vulnerabilities while developing software, and for testers to change their way of thinking and test every detail of the application from the attacker's angle, so that the software becomes more secure.

3. Choose the right test tool

In many cases, security testing needs to simulate hacker behaviour against the software system to confirm that the system can defend itself reliably. Simulating an attack requires security testers to be skilled with a variety of tools, such as vulnerability scanners, front-end and back-end tools for simulating data behaviour, packet capture tools, and so on.

There are many security scanners or application firewall tools available on the market that can automate many daily security tasks, but these tools are not a panacea. As testers, it is important that we understand exactly what these tools can and cannot do, and not overstate or misuse them.

4. Test the source code whenever possible

Scanning the software's code with a source code scanning tool can, on the one hand, find potential risks from inside the software and improve the security of the code; on the other hand, it can further improve code quality. Combining black-box penetration testing with white-box source code scanning can greatly improve software security.

5. Document test results

When summarising a test, it is wise and effective to document the test actions and results clearly and accurately, and to produce a test report that ideally includes the type of bug, the security threat and severity of the problem, the test techniques used to find it, the fix, the remaining risk, and so on.

A good test report should help developers accurately locate software security vulnerabilities so that they can patch them effectively and make the software more secure and reliable.

III. 🔦 Common security vulnerabilities

1. SQL injection

(1) Definition

SQL injection means deliberately entering SQL commands into URLs, form fields, or other input parameters of dynamically generated SQL queries to trick the server into executing malicious SQL commands.

(2) Cases

Case 1:

    str SQL = "select * from users where (name='" + username + "') and (pw='" + password + "');"

If the user enters 1' or '1'='1 as both the name and the password, the spliced statement becomes:

    select * from users where (name='1' or '1'='1') and (pw='1' or '1'='1');

Both conditions are always true, so the query returns every user.

Case 2:

    str SQL = "select * from users where (name='Zhang San'); DROP TABLE users; --')"

Here the name entered by the user is Zhang San'); DROP TABLE users; -- and the comment marker discards the rest of the original statement, so the database actually executes:

    select * from users where (name='Zhang San'); DROP TABLE users;

(3) How to prevent SQL injection

SQL injection is a high-risk security vulnerability. In the application we can check the validity of the data entered by the user, including its type and length, and filter the special characters used in SQL statements (such as single quotation marks, double quotation marks, and semicolons).

Because SQL injection attacks a Web application at the application layer, most firewalls do not intercept it. Besides improving the application code, it can also be defended against on the database server: set the database server's permissions, reduce the privileges the Web program uses to connect to the database, revoke unnecessary public grants, protect sensitive data with strong encryption, and audit and track reads of sensitive data, etc.
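To make the cases above concrete, here is an added example (not code from the original article) that runs the article's case 1 query against an in-memory SQLite table, once built by string splicing and once as a parameterized query, together with the kind of type-and-length input check recommended above. The table contents and the user names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; nothing here comes from a real system.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]
# The input from case 1 of the article: it closes the quote and adds an always-true condition.
CASE1_PAYLOAD = "1' or '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Built exactly like the article's case 1: user input is spliced into the
    # SQL text, so quotes in the input change the structure of the statement.
    sql = ("select * from users where (name='" + username + "') "
           "and (pw='" + password + "');")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: the driver passes the values as data, so the
    # payload is compared literally against the columns and matches nothing.
    sql = "select * from users where (name=?) and (pw=?);"
    return conn.execute(sql, (username, password)).fetchall()


def is_valid_username(username, max_len=32):
    # Allow-list check of type and length, as the article recommends: letters,
    # digits and underscore only, so quotes, semicolons and comment markers
    # never reach the query layer in the first place.
    return 0 < len(username) <= max_len and all(
        ch.isalnum() or ch == "_" for ch in username)


if __name__ == "__main__":
    db = make_db()
    print("spliced query:", len(login_vulnerable(db, CASE1_PAYLOAD, CASE1_PAYLOAD)), "rows")
    print("parameterized:", len(login_safe(db, CASE1_PAYLOAD, CASE1_PAYLOAD)), "rows")
    print("input check passes:", is_valid_username(CASE1_PAYLOAD))
```

SQLite's execute() refuses stacked statements, so case 2 cannot be reproduced with this driver; other database drivers do allow them, which is why parameterization, not driver behaviour, is the control to rely on.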

2. XSS cross-site scripting attacks

(1) XSS naming

XSS is the abbreviation of Cross Site Scripting. The natural abbreviation would be CSS, but it was changed to XSS to distinguish it from CSS, the abbreviation of Cascading Style Sheets in HTML.

(2) Definition

XSS (Cross Site Scripting) is one of the most common security vulnerabilities in Web applications. It is mainly caused by insufficient checking and filtering of user input by the Web application. An attacker can use an XSS vulnerability to inject malicious code into a website; the code is executed when a user visits the site, achieving the attacker's purpose.

(3) XSS attack process

Here is a diagram to illustrate the XSS attack process:

The XSS attack consists of the following four steps:

  • The attacker induces the user to click a link containing malicious code, by e-mail or other means; for example, the attacker sends the user an e-mail with a link to home.com that contains malicious code.
  • After the user clicks the link, the browser executes the malicious code contained in the link without the user's knowledge.
  • As the user interacts with home.com, the cookie, session and other information is sent to the attacker.
  • Once the attacker has this data, he can impersonate the user and carry out illegal activities on the real site.

(4) How to defend

For XSS vulnerabilities, the core defensive measure is to check and filter user input, including the URL, query keywords, HTTP headers, POST data and so on: only accept content within the specified length range, in the appropriate format and matching expectations, and filter out everything else.

In addition, untrusted data inserted into HTML tags or attributes should be encoded accordingly. Important cookies should be marked HttpOnly so that JavaScript cannot access them, preventing attackers from using JavaScript to obtain cookies.
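The three measures above in code, as an added example that is not from the original article: output encoding of untrusted data in element content and in an attribute, an allow-list check for a query keyword, and a session cookie carrying the HttpOnly flag. The sample comment and the session id are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a comment containing script markup, as an attacker might submit.
SAMPLE_COMMENT = "Nice post <script>alert(1)</script>"


def render_comment_unsafe(comment):
    # Untrusted text dropped straight into the page: the browser parses the tags.
    return '<p class="comment">' + comment + "</p>"


def render_comment(comment):
    # Output encoding: <, >, &, " and ' become entities, so the browser shows
    # the text instead of executing it.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_attribute(value):
    # Untrusted data inside an attribute must be encoded too, and the attribute
    # must be quoted; otherwise a quote in the data breaks out of it.
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


def is_acceptable_keyword(keyword, max_len=50):
    # Allow-list check for a search keyword: length range and character set.
    return 0 < len(keyword) <= max_len and all(
        ch.isalnum() or ch.isspace() for ch in keyword)


def session_cookie_header(session_id):
    # HttpOnly keeps document.cookie from reading the session cookie; Secure
    # keeps it off plain HTTP. Returns the Set-Cookie header value.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment(SAMPLE_COMMENT))
    print(render_attribute('say "hi"'))
    print(is_acceptable_keyword("security testing"), is_acceptable_keyword(SAMPLE_COMMENT))
    print("Set-Cookie:", session_cookie_header("abc123"))
```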

3. CSRF cross-site request forgery attack

(1) Definition

Cross-site Request Forgery (CSRF) is an attack method targeting Web applications. An attacker uses a CSRF vulnerability to forge a request from a trusted user to the attacked website.

(2) The attack process

Here is a diagram to illustrate the CSRF attack process:

(3) How to attack

In a CSRF attack, while the user is visiting a trusted site and has not logged out of the session, the attacker induces the user to open a malicious site. The malicious site returns attack code that sends a request to the trusted site, so that the user unknowingly submits the malicious site's request to the trusted site.

(4) Differences between CSRF and XSS

XSS steals the user's information and then carries out malicious activities while disguised as the user, whereas CSRF attacks the website through the user.

If the XSS attack process is compared to a thief stealing the user’s ID card to handle illegal business, then the CSRF attack is a fraudster “hijacking” the user and making the user handle illegal business by himself to achieve his own purpose.

(5) How to prevent CSRF

The main cause of CSRF vulnerabilities is the lack of a sufficiently secure authentication mechanism for user requests. The main idea in preventing CSRF is to strengthen the server-side verification of the user and of the user's request, rather than relying on cookie recognition alone.

For example, the Referer in the HTTP request header can be used to verify the originating website, a token bound to the current user's identity can be added, and a verification code can be required before the request data is submitted, to prevent unauthorized malicious operations.

(6) Referer

The HTTP Referer is a part of the request header that indicates the source of the request (the address of the previous page). When the browser sends a request to the Web server, it usually carries the Referer to tell the server which page the visit was linked from, so that the server can use this information in its processing.
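Putting the Referer check and the token check together, here is an added example (not code from the original article) of a server-side CSRF check: a token bound to the user's session and verified with a constant-time comparison, plus an exact host match on the Referer. SECRET_KEY, TRUSTED_HOST and the request dictionaries are assumptions constructed for the example; the verification code step is not shown.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed server-side secret, constructed for this example; a real deployment
# would load it from configuration, never from source code.
SECRET_KEY = b"constructed-demo-key-change-me"
TRUSTED_HOST = "trusted.example"   # assumed host name of the protected site


def issue_csrf_token(session_id):
    # Token = random nonce + HMAC over (session id, nonce). Binding it to the
    # session means a token issued to one user is useless for another.
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    # Recompute the MAC for this session and compare in constant time.
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def referer_allowed(headers):
    # Exact host match on the Referer; a missing header is treated as
    # untrusted, since a forged cross-site request may carry none.
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlparse(referer).hostname == TRUSTED_HOST


def accept_state_change(session_id, form, headers):
    # A state-changing request must pass both checks: the token is the
    # primary control, the Referer check is defence in depth.
    return (referer_allowed(headers)
            and verify_csrf_token(session_id, form.get("csrf_token", "")))


if __name__ == "__main__":
    token = issue_csrf_token("sess-1")
    request_headers = {"Referer": "https://trusted.example/transfer"}
    print("legitimate request accepted:",
          accept_state_change("sess-1", {"csrf_token": token}, request_headers))
    print("request without token accepted:",
          accept_state_change("sess-1", {}, request_headers))
```

Browsers can omit the Referer depending on privacy settings, which is why the token rather than the Referer decides whether a request is accepted.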

IV. 🩸 Penetration testing

1. Definition of penetration test

Penetration testing is a method of evaluating the security of a computer network system by simulating a hacker attack. The process actively analyses any weaknesses, technical defects or vulnerabilities of the system from the attacker's point of view, and actively exploits the security vulnerabilities under agreed conditions.

2. Characteristics of penetration test

Penetration testing is a gradual and progressive process.

Penetration testing uses attack methods that do not affect the normal operation of the business system.

3. Main steps of penetration test process

The main steps of penetration test are shown in the figure below:

4. Penetration test process

(1) Clear goals

  • Identify testing requirements.
  • Determine the scope of penetration testing required by the customer.
  • Determine penetration test rules.

(2) Collect information

In the information collection stage, try to collect all kinds of information about the project software; for a Web application, for example, collect the scripting language, server type, database type, the framework used by the project, the open source components, and so on. Information collection is very important for penetration testing: only by mastering enough information about the target program can we detect vulnerabilities effectively.

Information can be collected in two ways:

Active collection: collect the information you want by directly visiting or scanning the website. This method collects more information, but the visitor's actions are recorded by the target host.

Passive collection: Using third-party services to learn about the target, such as searching the Internet for relevant information. This approach captures relatively little information and is not straightforward, but the target host is not aware of the tester’s behavior.

(3) Scanning vulnerabilities

In this stage, the collected information is comprehensively analyzed, and the target program is scanned with the help of scanning tools to find the existing security vulnerabilities.

(4) Verification vulnerability

In the vulnerability scanning stage, the tester obtains a large number of security vulnerabilities for the target program, but some of them may be false positives. The tester needs to build a simulated test environment and verify these vulnerabilities against the actual situation. Only confirmed security vulnerabilities can be exploited to execute an attack.

(5) Analyze information

Confirmed security vulnerabilities can be used for targeted attacks, but different vulnerabilities have different attack mechanisms. Each one needs further analysis, including the principle of the vulnerability, the tools available, whether the target has a detection mechanism, whether the attack needs to bypass a firewall, and so on, so that a detailed and precise attack plan can be developed. This ensures that the test runs smoothly.

(6) Penetration attack

A penetration attack launches a real attack on the target program to achieve the testing purpose, such as obtaining user account passwords, intercepting data transmitted by the target program, or controlling the target host. A penetration test is generally a one-time test. After the attack is completed, clean-up work should be performed, such as deleting system logs and program logs, to erase the traces of entering the system.

(7) Sort out information

After the penetration attack is completed, the information obtained from the attack is sorted out to provide the basis for writing the test report later.

(8) Prepare test reports

After testing is completed, write the test report: the project's security test objectives, the information collection approach, the vulnerability scanning tools and the vulnerabilities found, the attack plan, the actual attack results, the problems encountered during testing, and so on. In addition, the existing vulnerabilities of the target program should be analysed and a safe and effective solution provided.

V. 🛠️ Common security testing tools

1. Web vulnerability scanning tool: AppScan

(1) Definition

AppScan is a Web application security test tool developed by IBM. It uses the black-box test method to scan for common Web application security vulnerabilities.

(2) The scanning process of AppScan

The scanning process of AppScan includes detection, test, and scan.

In the detection stage, AppScan accesses links and forms within the site by sending requests, and detects potential security risks of the target program according to the response information, so as to determine the scope of security vulnerabilities.

In the test phase, AppScan attacks potential security vulnerabilities. AppScan has a built-in test policy library. The test policy library can generate test inputs based on corresponding security risk detection rules. AppScan uses the generated test inputs to attack security vulnerabilities.

In the scanning phase, AppScan examines the target program's response to the attack and uses the result to decide whether the detected security vulnerability is real. If it is, its severity level is determined, providing a basis for the developer to repair the defect.

2. Port scanning tool: Nmap

(1) Definition

Nmap is a network port scanning tool used to scan the open network ports of computers on a network, determine which services are running on those ports, and infer the operating system the computer is running. It is one of the essential tools for network administrators when evaluating network security.

(2) Specific functions of Nmap

Nmap provides the following functions:

  • Host discovery
  • Port status scanning
  • Application version detection
  • Operating system detection
  • Firewall/IDS evasion and spoofing
  • Support for scripts that interact with the scan target

3. Packet capture tool: Fiddler

(1) Definition

Fiddler is an HTTP protocol debugging proxy that works as a proxy Web server to help users log all HTTP(HTTPS) traffic passing between their computers and the Internet.

As shown in the figure:

(2) Functions of Fiddler

Fiddler captures all traffic from locally running programs to record server-to-server and device-to-server traffic. Fiddler also supports a variety of filters to filter out the desired traffic data, saving a lot of time and effort. Compared to other packet capture tools, Fiddler is small and easy to use, and has a full set of features, including archiving captured traffic data for subsequent analysis.

4. Web penetration testing tool: Metasploit

(1) Definition

Metasploit is a penetration testing platform that finds, verifies and exploits vulnerabilities for penetration attacks. It is an open source project that provides the infrastructure, content, and tools to perform penetration testing and extensive security audits.

(2) Specific functions of Metasploit

For penetration attacks, Metasploit mainly provides the following functional modules:

Exploit module: code that, when run, exploits a security vulnerability in the target.

Payload: after the target has been successfully penetrated, the test program that starts running on the target computer. It helps the user obtain the required access and action rights on the target system.

Auxiliary modules: a series of supporting modules, including scanning modules, vulnerability detection modules, and network protocol spoofing modules.

Encoder modules: used to obfuscate the attack modules and evade the target's security mechanisms, such as antivirus software and firewalls.

Meterpreter: a payload using in-memory techniques that can be injected into a process. It provides a variety of functions that can be performed on the target.

(3) The role of Metasploit

Metasploit is a multi-user collaboration tool that allows team members to share host data, view collected evidence, and create host notes to share knowledge about specific goals. Ultimately, Metasploit can help users identify the target’s weakest points and demonstrate vulnerabilities or security issues.

VI. 🔚 Conclusion

For software testing, besides black-box and white-box testing and performance testing, security testing is also particularly important. Once a Web page has a bug, it is easy for an attacker to force the victim to perform unintended actions, which nobody wants to see. Therefore, software needs a good job of security testing 🙋

So much for security testing! If you don’t understand or the article is wrong, please leave a message in the comment area or send me a private message!

At the same time, if you need to understand other content related to software testing, you can go to the “Software Testing” section to view and learn ~

  • Follow the public account Monday Laboratory to get useful learning material as soon as it is published, and unlock more interesting columns ~
  • If this article was useful to you, be sure to like it and follow
  • See you next time! 🥂 🥂 🥂