Although your web application's security is a critical issue nowadays, some companies tend to underestimate its importance. This is very unfortunate, as security holes can affect not only your brand or profitability but, more importantly, your users' data, which can potentially lead to further problems. It's obviously good practice for a company to seek the services of a firm specializing in web security (especially if it doesn't have an information security wing). The intent of this post, however, is to delve into what a QA's role is when it comes to security.
In an ideal world, the QA team should have a security specialist. But what if this isn't possible? Well, even if we can't do something perfectly (due to the lack of specialized knowledge), let's at least do what we can. Anyone can perform a basic security audit that will detect and eliminate the so-called "low-hanging fruit" (I'm referring to obvious security holes that could be exploited by an inexperienced attacker).
Even if you have absolutely no knowledge of security, you can use a wide range of tools available on the market that will help you scan for potential problems. Of course, to use a tool well it is good to have some basic knowledge, so that we know what we're actually testing. ;-)
For starters, it may be a good idea to visit the OWASP Top 10 Project, which lists the top security vulnerabilities for the previous year. Chances are that not all of them will be applicable to your project (e.g. if your website does not use any database then you are definitely not vulnerable to SQL injection).
Let's go a step further and try to run a test using one of the tools mentioned in the OWASP Top 10 Project. At Cognifide, our team uses both Netsparker and Acunetix to test for XSS holes and Wapiti to check for SQL injection issues. The first two have nice, user-friendly interfaces, but can only be run on Windows. Wapiti, on the other hand, is cross-platform and can be run from the console, which is quite important if you want to run your tests from a continuous integration tool (like Jenkins or CruiseControl).
Starting a scan in Netsparker is pretty straightforward and doesn't require much explanation. After opening the program, the "Start a New Scan" window appears automatically. If it doesn't, press Alt+N or click the "Start New Scan" button at the top left of the window. Generally, you can leave all the settings as they are. The only thing you should do is make sure that the proper database is set in the "Advanced Settings" tab. If the website requires authentication, or if clicking some kind of disclaimer is necessary, you need to set the cookie manually. You can do it in the "Authentication" tab, in the "Custom Cookies" field: simply type cookieName1=value1; cookieName2=value2; ... etc. The report is very clear and you should not encounter any problems interpreting the results.
Now, let's move on to Acunetix. After you run the program, the "Scan Wizard" window should appear. If it doesn't, simply click the "New Scan" button, which can be found in the toolbar at the top. The wizard has a few steps, but again, they don't require much description.
- Scan type -> Scan single website -> provide the base URL of the website to be scanned
- Select targets -> Optimize for following technologies -> check the options that apply to your project
- Crawling Options -> leave all settings as they are (default)
- Scan options -> Scanning mode -> I recommend setting it to "Extensive", but this will result in a much longer scan. Therefore "Heuristic" mode can be better in some situations.
- Login -> if the site requires a login or clicking on some kind of disclaimer, click the "Record Login Sequence" button. A new wizard will appear; follow its steps to record the login sequence. A new browser window will open within the program and you will be able to record all the necessary actions.
After completing all the steps in the wizard, the scan will start automatically. Acunetix reports are rather vague, but they're still more readable than those from some open source tools. The report contains both the exploited URL and the attack string. However, note that they are in different sections, so in order to get the whole picture it's advisable to look at the HTTP Request Headers. Look at the picture below to get a better idea.
Example of Acunetix report
And last but not least: Wapiti. Unfortunately, it does not have a user-friendly GUI, but running a scan from the console is very simple. You just need to type "wapiti.py http://your.site". After the scan is done, the report can be found in the generated_report/index.html file.
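To show how the console scan mentioned above fits into a continuous integration job, here is an added example (not part of the original post and not Wapiti's own code) that reads a Wapiti report and fails the build when findings of chosen categories are present. It assumes the scan was run with JSON output (in current Wapiti releases, `-f json -o report.json`), and the report layout in the embedded sample (a `vulnerabilities` map from category name to a list of findings) is an assumption modelled on that format.

```python
import json
import sys

# Constructed sample of a Wapiti JSON report. The layout (a "vulnerabilities"
# map from category name to a list of findings) is an assumption modelled on
# the format current Wapiti releases write with "-f json -o report.json".
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://your.site/"},
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/item.php", "parameter": "id",
             "info": "SQL Injection via injection in the parameter id"}
        ],
        "Cross Site Scripting": [],
    },
})

# Categories that block a release when the scan reports any finding in them.
GATE_CATEGORIES = ("SQL Injection", "Cross Site Scripting")

def load_findings(report_text):
    """Return {category: [finding, ...]} from a Wapiti JSON report string."""
    return json.loads(report_text).get("vulnerabilities", {})

def gate(findings, categories=GATE_CATEGORIES):
    """Return one line per blocking finding; an empty list means the build passes."""
    blocking = []
    for cat in categories:
        for f in findings.get(cat, []):
            blocking.append("%s: %s %s (parameter %s)" % (
                cat, f.get("method", "?"), f.get("path", "?"),
                f.get("parameter", "-")))
    return blocking

def main(argv):
    """CI entry point: argv[1] is the report path; without it the sample is used."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    blocking = gate(load_findings(text))
    for line in blocking:
        print("BLOCKING", line)
    print("%d blocking finding(s)" % len(blocking))
    return 1 if blocking else 0  # non-zero exit status fails the CI job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a Jenkins job this would run right after the `wapiti` step, so a reported SQL injection or XSS finding marks the build as failed instead of sitting unread in an HTML report.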
As you can see, using a vulnerability scanner is pretty easy and it can save you a lot of trouble in the future! Just remember: it's only an automated scan and, although it's better than nothing, it cannot replace a professional audit!
If you have any questions on how to use the tools, please share them so that everyone with the same thoughts can benefit.