Automation in SecurityPrasanna K, Ketan Soni

AgendaTypical use of Selenium

Information Security

How To achieve complete coverage

Workflow

Injection Attacks

Conclusion

IntroductionsPrasanna Kanagasabai

Pentester @ ThoughtWorks

Author of IronSAP

Speaker @ various security conferences

Proud OSCP

Ketan Soni

QA @ ThoughtWorks

Typical use of SeleniumUI Automation

Cross Browser Testing

Could We do more …….

Information SecurityExploratory testing

Find Defects

Proactive Harming the system

One of the most Exciting Jobs

How To achieve complete coverage

Applications are ever increasing

Applications Tech stack has become vast

Security attacks have become complex

Security cannot be compromised

Trained resources are finite

Solution : Automation

Workflow

Define a Scenario

Generate Payload

Deliver Payload

Match Results for Success /

Failure

Test Scenario

Identify Test Data

Execution of Test

Scenario’s

Validation

QA Flow

Security Flow

Workflow -- ExampleLogin

without User

Credentials

Password List

Brute force

Script

Login Success /

Failure

How did we arrive @ Selenium

Ajax in Normal “Urllib” Libraries were difficult

Selenium could handle Ajax Requests easily.

Security !!!

SQL Injection

11

admin

adminPass

Username

Password

Submit

SELECT * FROM users WHERE username = ‘admin’ AND password = ‘adminPass’

SQL Injection

12

 ’OR 1=1--' 

BlahBlah

Username

Password

Submit

SELECT * FROM users WHERE username = ‘’

OR 1=1--’’AND password = ‘BlahBlah’

SQL Injection

13

 ’OR 1=1--' 

BlahBlah

Username

Password

Submit

SELECT * FROM users WHERE username = ‘’

OR 1=1

DEMO

14

XSS

15

Search

XSS

16

Hello there friendsSearch

Search results for “Hello there friends”

XSS

17

Hello <script>alert(“Hello World)</script> there friendsSearch

Search results for “Hello

DEMO

18

Command Injection

Ping Host 12.0.0.1

64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.044 ms64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.049 ms64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.040 ms

--- 127.0.0.1 ping statistics ---3 packets transmitted, 3 packets received, 0.0% packet lossround-trip min/avg/max/stddev = 0.040/0.044/0.049/0.004 ms

Command Injection

How do we attack ??

Binary ProtocolsBinary Json, Protobuff

Data is travelling in Mostly HEX

Add code to teach tools

Presented this plugin @ C0C0N

DEMO

22

What More …Cookiejar – for Cookie Management

Suds – Web services Automation

Lxml – Similar to BS4

Json – To work with Json

pyAmf – AMF Protocol

SimpleHTTPServer – Simplest Webserver (python –m SimpleHTTPServer 9080)

Twisted

ConclusionHelps in larger code coverage

Saving time

Careful calibration is needed

Cant fully replace manual testing

Questions ??shifu@thoughtworks.com

Ketan.soni@thoughtworks.com

@prasannain

@ketan_soni

Thank You !!

References https://github.com/prasanna-in/Random-Scripts