SOFTWARE SECURITY, FUZZ TESTING AND WEBSLAYER
In recent years, secured software product development has increased. Consequently, software security testing has become more important. According to me, basic way to provide security is to discover vulnerabilities of your own applications. So, you should be black hat hacker of your systems.
The vulnerabilities of systems can be identified with some attacks. Penetration testing is the common name of attack methods. Web based applications can be collapsed by a penetration testing method. There are several testing techniques in the software security testing literature like “Information Disclosure Attacks”, “Authentication/Authorization Attacks”, “Design Attacks”, “Input Attacks”, “Cryptographic Attacks”, “Logic/Implementation (business model) Attacks”.
Fuzz testing was developed at the University of Wisconsin Madison in 1989 by Professor Barton Miller and his students.
Status Of Security Testing In STLC:
Unit Test, Integration Test, System Test, Acceptance Test are constitute the core of the STLC, but security testings are protective shell of the system. Fuzzing is a security testing method that is a part of STLC (Software Testing Life Cycle). This technic sends random or nonrandom datas and gives informations about behaviours of the system. Fuzzing test can be use in Integration Test and Unit Test process. Fuzzing includes negative testcases which aim to crack down the system.
Lets’s consider input attacks methods. For example, fuzzing ( fuzz testing ) steps include input attacks. Fuzzing is a black box testing tecnique. Black box testing is a functional testing method which doesnt’t allow to see codes. Therefore it is based on shallow bugs. The aim is to understand the strengths and weaknesses of the system against external attacks. It’s a kind of brute force attack to systems.
Fuzzing Steps:
Fuzzing has six steps that are “Identity Interfaces”, “Generate Input”, “Send Input”, “Monitor Target”, “Analyse Exceptions” and last step is “Reporting”.
· Identifying Interfaces: First step, the test items to be fuzzed are determined. The test items are a test management activity plan, a specified system’s web link which has login page, network system, database, test cases that is negative terms. In this step, to be specified input resources.
· Generating Input: This activity requires a fuzzing tool that generates limited or unlimited and random or nonrandom datas for attack application’s input fields like textboxes ( user name, password…). The datas includes strings, numbers and other characters. It is desired to use different values with arrays.
· Sending Input: In this step, starts sending datas to selected inputs by the tool. Sending data will be in different combinations with characters in the arrays. Valid or invalid datas can be used.
· Monitoring Target:In monitor target step, system behaviours, vulnerabilities and the response of the system to attack recorded.
· Analysing Exceptions: The results of the test case execution to be analysed that understand to potential impacts on reliability and security.
· Reporting: After analysing exceptions the results reported. Multiple filters for improving the performance and for producing better results for the analysing. Such as used standards, sections, implementation specification, executed test cases, current status…
A Smart Fuzzing Tool : Webslayer
Webslayer tool is designed by OWASP for brute forcing web applications. It has multiplatform and it allows to brute force attacks of any kind in any part of the http request (Post, get, headers, Authentication,etc), parameter fuzzing and injection (XSS, SQL, etc), Basic and Ntml brute forcing, Predictable resource locator (File and directories discovery).
It is a smart fuzzing tool that is mean selected nonrandom datas and data types to attack to systems.In Webslayer tool terms, an array size, location of empty strings or boundaries, integer values or signed integers combinations can be changed.
At the same time the tool can to be adding invalid headers, generating double headers and permutation header’s values.
The possibilities will be increased if the array include large combination. For example;
The array values ; {0,1,2,3,4,5,6,7,8,9,a,b,c} and system is sending 3-digit numbers to the web application.
Can you imagine possibilities? : 12!13!13!=….
This situation negatively affects the system performance. So that by optimizing the number of possibilities that is provided for maximum performance with Webslayer tool.