OOPSLA’07 Page 1
Security Testing with Selenium
Vidar Kongsli
Montréal, October 25th, 2007
Version 1.0
whois 127.0.0.1?
• Vidar Kongsli
  – System architect & developer
  – Head of security group
• Bekk Consulting
  – Technology and Management Consulting
  – Based in Oslo, Norway
  – Focus on agile methodologies
Agenda
• Security in an agile project
• Misuse stories – the evil counterparts of user stories
• Enter Selenium
• The demo application
• Examples
  – Testing for cross site scripting (XSS)
  – Testing for cross site request forgery (CSRF)
  – Testing for insecure input handling
  – Testing for session fixation
  – Testing for information leakage
Agility meets security
• Processes
  – A (agile): System design and implementation grow incrementally
  – S (security): Security review typically after design and after implementation
• People
  – A: Focused team, co-located in the same office space
  – S: Security reviews should be done by externals, not part of the development team
• Documentation
  – A: Lean. More effective communication within the team preferred
  – S: Security reviews based on system documentation
• Model
  – A: No modeling. Design emerges from test-driven development
  – S: System, risks, and threats should be modeled
How can we address security in agile projects?
• Leverage
  – Techniques and tools of agile projects
  – Common ownership
  – Automated testing
Introducing misuse stories
• What
  – Describes illegal or non-normative use of the system
• How
  – Derived from a user story or stories
  – Question: “how can this functionality be misused?”
A misuse story...
• Misuse story:
  – “As a non-privileged anonymous user, I can create a new account with administrator privileges and use it”
• User story:
  – “As an anonymous user, I can create a user account”
• Flaw:
  – Mass assignment allows a user to inject the admin flag when submitting user account information.
Another misuse story...
• Misuse story:
  – “As a logged in user, I can insert JavaScript in my post which will be executed when another person reads my post”
• User story:
  – “As a logged in user, I can post to my blog”
• Flaw:
  – No metacharacter escaping or whitelisting of allowed HTML tags is in place for posts.
Enter Selenium
• Web testing
  – JavaScript based
  – Runs the application under test in an HTML frame
• Test cases
  – Can be recorded
  – Can be written in several languages
Selenium Core
The demo application
• Simple weblog application
  – Register users
  – Create blogs
  – Write blog entries
• Written in Ruby on Rails
  – Quick development
  – Very good testability
  – Not always secure – lets you run with scissors
Cross site scripting (XSS)
• Type 2 (Source: Wikipedia)
  – Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members.
  – Mallory notices that Bob's website is vulnerable to a type 2 XSS attack.
  – Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
  – Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's webserver without their knowledge.
  – Later, Mallory logs in as other site users and posts messages on their behalf....
Testing for cross site scripting (XSS)
• Test:
  – Can I insert JavaScript code that is run when a victim views the page?
Cross Site Request Forgery (CSRF)
• The following characteristics are common to CSRF:
  – Involve sites that rely on a user's identity
  – Exploit the site's trust in that identity
  – Trick the user's browser into sending HTTP requests to a target site
  – Involve HTTP requests that have side effects
  – (Source: Wikipedia)
• Scenario in our demo app:
  – Post a blog entry on behalf of another, logged-in user
• Countermeasures:
  – Preventing XSS is a good start
  – Including a secret, user-specific “ticket” in the form that is validated when the user submits it
Testing for Cross Site Request Forgery
• Test:
  – Can we post a form (postback) without reading it first?
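An added example, not code from the talk or the demo application: a Ruby sketch of the “ticket” countermeasure from the previous slide, with the test above run against it three ways (form posted without being read first, posted with the ticket the rendered form carried, posted with a ticket minted for another session). The HMAC-bound ticket, the `create_post` action and the session ids are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

# Per-deployment secret; constructed at start-up for this example.
TICKET_SECRET = SecureRandom.hex(32)

# Ticket embedded as a hidden field when the "new post" form is rendered.
# Binding it to the session id means a ticket read from one user's form
# is worthless inside another user's session.
def csrf_ticket(session_id)
  OpenSSL::HMAC.hexdigest('SHA256', TICKET_SECRET, "post-form:#{session_id}")
end

# Constant-time equality so a wrong ticket takes the same time to reject
# regardless of how many leading characters happened to match.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_ticket?(session_id, submitted)
  secure_equal?(csrf_ticket(session_id), submitted)
end

# Simulated side-effecting action (create a blog entry). It refuses to
# change anything unless the ticket matches the caller's own session.
def create_post(session_id, form, store)
  return 403 unless valid_ticket?(session_id, form['ticket'])
  store << { session: session_id, body: form['body'] }
  201
end

# The test from the slide, run three ways against the same store:
#   blind - submit the form without having read it first (no ticket)
#   legit - submit with the ticket the rendered form carried
#   cross - submit with a ticket minted for a different session
def run_csrf_checks
  store  = []
  victim = 'sess-victim'
  blind  = create_post(victim, { 'body' => 'forged' }, store)
  rendered_form = { 'ticket' => csrf_ticket(victim) } # what GET /posts/new embeds
  legit  = create_post(victim, rendered_form.merge('body' => 'hello'), store)
  cross  = create_post(victim, { 'ticket' => csrf_ticket('sess-other'), 'body' => 'x' }, store)
  { blind: blind, legit: legit, cross: cross, posts: store.size }
end
```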
Testing for insecure input handling
• Test:
  – Can I register a user that has administrator privileges?
Why did this work?
• The database table contains a flag which tells if the user is an administrator
• Rails uses “mass assignment”, where it automatically maps form parameters onto database columns by name
• For the test, I added an action in Selenium that inserts a hidden field into the form
• The test inserted a hidden “admin” field into the form before submitting it.
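An added example in Ruby, not the demo application's code, showing why the hidden “admin” field works and what the whitelisted fix looks like: a simplified `User` stand-in (not ActiveRecord) assigns the submitted parameters first column-by-name, then through a whitelist of form-owned fields. The parameter values, column names and method names are constructed for this example.

```ruby
# Constructed parameters as the registration action would receive them in
# params[:user]; "admin" is the hidden field the Selenium test injected.
REGISTRATION_PARAMS = {
  'login'    => 'mallory',
  'password' => 's3cret',
  'email'    => 'mallory@example.test',
  'admin'    => '1'
}.freeze

# Simplified stand-in for a users table row; written for this example,
# not ActiveRecord. COLUMNS mirrors the table, including the admin flag.
class User
  COLUMNS     = %w[login password email admin].freeze
  # Fields the registration form is allowed to set (the whitelist).
  SAFE_FIELDS = %w[login password email].freeze

  attr_reader :attributes

  def initialize
    @attributes = { 'admin' => false }
  end

  def admin?
    @attributes['admin'] == true
  end

  # Vulnerable: every submitted parameter whose name matches a column is
  # written to it, so the injected "admin" field flips the flag.
  def assign_all(params)
    params.each do |name, value|
      @attributes[name] = cast(name, value) if COLUMNS.include?(name)
    end
    self
  end

  # Hardened: only whitelisted fields are assigned; the rest are dropped
  # and returned so the test (or a log line) can see what was attempted.
  def assign_permitted(params)
    rejected = params.keys - SAFE_FIELDS
    params.each do |name, value|
      @attributes[name] = cast(name, value) if SAFE_FIELDS.include?(name)
    end
    [self, rejected]
  end

  private

  # A checkbox-style "1"/"true" becomes the boolean admin flag.
  def cast(name, value)
    name == 'admin' ? %w[1 true].include?(value.to_s) : value
  end
end

def register_vulnerable(params)
  User.new.assign_all(params)
end

def register_hardened(params)
  User.new.assign_permitted(params)
end
```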
Testing for session fixation
• Session fixation
  – One person (attacker) sets (and exploits) another user’s session id
• Test:
  – If I set the id of the session cookie, will the application accept it?
Testing for session fixation (2)
• Test:
  – When I log in (my privileges are elevated), will my session id change?
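An added example, not from the talk: a simplified Ruby session store showing the two behaviours the tests on this slide and the previous one probe, accepting a client-chosen id (the vulnerable case) versus honouring only server-issued ids and rotating the id on login. `SessionStore`, its method names and the chosen id are assumptions for this example, not the Rails session implementation.

```ruby
require 'securerandom'

# Simplified server-side session store written for this example; it is not
# the Rails session implementation.
class SessionStore
  def initialize
    @sessions = {} # session id => { user: login or nil }
  end

  # Vulnerable: whatever id the client presents is accepted and a session
  # is created under it. That is the behaviour the first test probes.
  def resolve_permissive(cookie_id)
    id = cookie_id || fresh_id
    @sessions[id] ||= { user: nil }
    id
  end

  # Hardened: only ids this store itself issued are honoured; an unknown
  # id is discarded and a fresh one set.
  def resolve_strict(cookie_id)
    return cookie_id if cookie_id && @sessions.key?(cookie_id)
    id = fresh_id
    @sessions[id] = { user: nil }
    id
  end

  # Hardened login: privileges rise, so the id is rotated and the old one
  # invalidated. This is what the second test expects to observe.
  def login_rotate(id, login)
    data = @sessions.delete(id) || { user: nil }
    new_id = fresh_id
    @sessions[new_id] = data.merge(user: login)
    new_id
  end

  def user_for(id)
    @sessions.dig(id, :user)
  end

  private
  def fresh_id
    SecureRandom.hex(16)
  end
end

# CHOSEN_ID stands for an id the test sets in the session cookie before
# its first request (constructed value).
CHOSEN_ID = 'id-set-by-test'.freeze

# Runs both slide tests, each against a fresh store.
def fixation_checks
  permissive = SessionStore.new.resolve_permissive(CHOSEN_ID)
  store  = SessionStore.new
  strict = store.resolve_strict(CHOSEN_ID)
  before = store.resolve_strict(nil)
  after  = store.login_rotate(before, 'alice')
  {
    permissive_accepts_chosen_id: permissive == CHOSEN_ID, # vulnerable
    strict_accepts_chosen_id:     strict == CHOSEN_ID,     # fixed
    id_changes_on_login:          after != before,
    old_id_invalidated:           store.user_for(before).nil?,
    new_id_logged_in:             store.user_for(after) == 'alice'
  }
end
```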
Testing for information leakage
• Scan page source for words and phrases
  – “debug”, “filename”, “password”, “SQL”
• Wrote a new Selenium assertion “assertNotExists”
  – Word or phrase does not exist in the page source code (including comments)
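An added example in Ruby, not the author's Selenium assertion: the same check as a plain method over a constructed page source, scanning case-insensitively for the slide's phrases and flagging hits that sit inside HTML comments, where leaked text never shows on screen. `SAMPLE_PAGE`, `find_leaks` and `assert_not_exists` are constructed for this example.

```ruby
# Constructed page source standing in for what Selenium's getHtmlSource
# returns for a page of the demo app.
SAMPLE_PAGE = <<~HTML
  <html><head><title>Blog</title></head>
  <body>
    <!-- TODO remove before release. debug: SQL = SELECT * FROM users -->
    <form action="/login" method="post">
      <input name="login"> <input name="secret" type="password">
    </form>
    <p>Filename: entries.yml</p>
  </body></html>
HTML

# The words and phrases from the slide.
LEAK_PHRASES = %w[debug filename password SQL].freeze

# Case-insensitive scan of the whole source, HTML comments included.
# Each hit records the line it sits on and whether it is inside a comment.
def find_leaks(html, phrases = LEAK_PHRASES)
  comment_ranges = []
  html.scan(/<!--.*?-->/m) { comment_ranges << ($~.begin(0)...$~.end(0)) }
  hits = []
  phrases.each do |phrase|
    html.scan(/#{Regexp.escape(phrase)}/i) do
      offset = $~.begin(0)
      hits << {
        phrase:     phrase,
        offset:     offset,
        line:       html[0...offset].count("\n") + 1,
        in_comment: comment_ranges.any? { |r| r.cover?(offset) }
      }
    end
  end
  hits.sort_by { |h| h[:offset] }
end

# The assertNotExists check as a plain method: true when the page is clean,
# otherwise raises with every hit listed so the test output names them all.
def assert_not_exists(html, phrases = LEAK_PHRASES)
  leaks = find_leaks(html, phrases)
  return true if leaks.empty?
  detail = leaks.map do |h|
    where = h[:in_comment] ? ' in comment' : ''
    "#{h[:phrase]} (line #{h[:line]}#{where})"
  end
  raise "information leakage: #{detail.join(', ')}"
end
```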
Testing for information leakage (2)
• Partial tests – reuse test code
Summary
• We have created rather simple tests that manifest vulnerabilities
• We have leveraged a general testing tool
• We have discovered, tested, and fixed security issues incrementally
Questions?
Contact me:
vidar.kongsli [at] bekk.no
Testing for insecure communications
• Test:
  – Will SSL be enforced on pages where sensitive information is transferred?
Be aware
• Selenium (core) is JavaScript-based
  – Sandbox model
  – An insecure page (non-SSL) cannot access a secure page (SSL)
  – A page can only interact with pages from the same origin as itself
• Alternative
  – Use Selenium Remote Control (RC)