Web Security Testing Cookbook by Paco Hope, Ben Walther

Boundary values take a given input and test very carefully around its acceptable boundaries. For example, if an input is supposed to allow integers that represent percentages, from zero to 100 inclusive, then we can produce the following boundary values: –1, 0, 1, 37, 99, 100, 101. To produce boundary cases, we focus on the two values at the top and bottom of the range (zero and 100). We use the boundary value itself, one less, and one more for each of the boundaries. For good measure, we pick something in the middle that should behave perfectly well. It’s a base case.

When we’re trying to develop negative values for testing, we know that the set of inputs that are unacceptable is an infinite set. Rather than try to test some huge set of inputs, we strategically sample them. We break the set of infinity into groups that have some commonality—equivalence classes—and then we pick a few representative sample values from each group.

Following the example from Boundary values, we need to choose a few classes of illegal input and try them out. We might choose classes like negative numbers, very large positive numbers, alphabetic strings, decimal numbers, and some significant special values like MAXINT. Typically we would pick a small number of values, say two, for each class and add it to our test input set.

The seven boundary values in Boundary values and the two values each from approximately nine equivalence classes in Equivalence classes reduce the set of negative data test cases from infinity to 25. That’s a good start. Now we start adding in security test cases, based on common attacks and vulnerabilities. This is how security testing can become a straightforward, common part of everyday functional testing. We choose special boundary values that have security significance and special equivalence class values that have security significance, and we fold those into our test planning and test strategy process.

There are a few commonly recognized security input classes: SQL injection strings, cross-site scripting strings, and encoded versions of other classes (as discussed in Recipes 5.8 and 12.1 and Chapter 4, respectively). For example, you can Base 64- or URL-encode some attack strings in order to slip past input validation routines of some applications. Now, unlike the boundary values and other equivalence classes, these security classes are effectively infinite. So, again, we strategically sample to make it a manageable set. In the case of encoding we can choose three or four encodings. This triples or quadruples our test set, taking 25 values to 75 or 100. There are ways around that because typically the system either fails on an encoding, or succeeds. If the system fails when you URL-encode –1, it will probably fail when you URL-encode 101, too. Thus, you could probably choose to Base 64 encode some values, URL-encode others, HTML-encode others, and multiply-encode some others. This gives you coverage over the encodings without quadrupling your test case size. Perhaps it only doubles to 50 test cases.

Now the attack strings for SQL injection and cross-site scripting are up to you. You have to exercise some discretion and choose a reasonable subset that you can get done in the time you have available. If you are working in a part of your system that is easy to automate, you might do dozens of test cases in each class. If you are performing manual testing, you should probably acquire a long list of different attack strings, and try different ones each time you do your testing. That way, although you don’t get every string tested on every test run, you will eventually get through a lot of different cases.

As we clearly indicated in the terminology section, clients make requests, and servers respond. It cannot be any other way. It is not possible for a server to decide “that computer over there needs some data. I’ll connect to it and send the data.” Any time you see behavior that looks like the server is suddenly showing you some information (when you didn’t click on it or ask for it expicitly), that’s usually a little bit of smoke and mirrors on the part of the application’s developer. Clients like web browsers and Flash applets can be programmed to poll a server, making regular requests at intervals or at specific times. For you, the tester, it means that you can focus your testing on the client side of the system—emulating what the client does and evaluating the server’s response.

The HTTP protocol itself does not have any notion of “state.” That is, one connection has no relationship to any other connection. If I click on a link now, and then I click on another link ten minutes later (or even one second later), the server has no concept that the same person made those two requests. Applications go through a lot of trouble to establish who is doing what. It is important for you to realize that the application itself is managing the session and determining that one connection is related to another. Nothing in HTTP makes that connection explicit.

What about my IP address? Doesn’t that make me unique and allow the server to figure out that all the connections from my IP address must be related? The answer is decidedly no. Think about the many households that have several computers, but one link to the Internet (e.g., a broadband cable link or DSL). That link gets only a single IP address, and a device in the network (a router of some kind) uses a trick called Network Address Translation (NAT) to hide how many computers are using that same IP address.

How about cookies? Do they track session and state? Yes, most of the time they do. In fact, because cookies are used so much to track session and state information, they become a focal point for a lot of testing. As you will see in Chapter 11, failures to track session and state correctly are the root cause of many security issues.

We can look at the actual messages that pass over the wire (or the air) and see exactly what’s going on. It’s very easy to capture HTTP, and it’s very easy for humans to interpret it and understand it. Most importantly, because it is so simple, it is very easy to simulate HTTP requests. Regardless of whether the usual application is a web browser, Flash player, PDF reader, or something else, we can simulate those requests using any client we want. In fact, this whole book ultimately boils down to using non-traditional clients (testing tools) or traditional clients (web browsers) in non-traditional ways (using test plug-ins).

In any web application we must consider a set of technologies that are typically described as a stack. At the lowest level, you have an operating system providing access to primitive operations like reading and writing files and network communications. Above that is some kind of server software that accepts HTTP connections, parses them, and determines how to respond. Above that is some amount of logic that really thinks about the input and ultimately determines the output. That top layer can be subdivided into many different, specialized layers.

Figure 1-1 shows an abstract notion of the technology stack, and then two specific instances: Windows and Unix.

Figure 1-1. Abstract web technology stack

There are several technologies at work in any web application, even though you may only be testing one or a handful of them. We describe each of them in an abstract way from the bottom up. By “bottom” we mean the lowest level of functionality—the most primitive and fundamental technology up to the top, most abstract technology.

The most common web applications are built on a Model-View-Controller (MVC) design. The purpose of this development paradigm is to separate the functions of input and output (the “View”) from the operations of the business requirements (the “Model”) integrated by the “Controller.” This permits separate development, testing, and maintenance of these aspects of the web application. When arranged in a web application, these components take on a few pretty common roles.

Given the many components that are possible, the number of separate layers that are present in the system influence its complexity a great deal. They also serve as focal points or interfaces for testing. You must make sure you test each component and know what sorts of tests make sense at each layer.

An application that has a single layer puts all its business logic, data, and other resources in the same place. There is no explicit separation of duties between, say, handling the HTTP connection itself, session management, data management, and enforcing the business rules. An example one-layer application would be a simple Java server page (JSP) or servlet that takes a few parameters as input and chooses to offer different files for download as a result.

Imagine an application that simply stores thousands of files, each containing the current weather report for a given zip code. When the user enters their zip code, the application displays the corresponding file. There is logic to test (what if the user enters xyz as her zip code?) and there are even security tests possible (what if the user enters /etc/passwd as her zip code?). There is only the one logic (e.g., the one servlet) to consider, though. Finding an error means you look in just the one place. Since we are supposing that session tracking is performed right within the same logic, and we are not using any special data storage (just files that are stored on the web server), there is no session or data layer in this example.

How do you test a one-layer web app? You have to identify its inputs and its outputs, as you would with any application, and perform your usual testing of positive, negative, and security values. This will contrast considerably with what you do in multilayer applications.

As an application’s needs expand, a second component offloads some of the work to a separate process or system. Most commonly, if there are only two layers, there is usually a single session/application component and a data component. Adding a database or sophisticated data storage mechanism is usually one of the first optimizations developers make to an application whose needs are expanding.

A common abbreviation in describing web applications is LAMP, standing for Linux, Apache, MySQL, and PHP. There are many applications built on this paradigm, and most are two-layer applications. Apache and PHP collaborate to provide a combined session/application component, and MySQL provides a separate data component. Linux is not important for our purposes. It is mentioned here because it is part of the abbreviation. Any operating system can host the Apache, MySQL, and PHP components. This allows expansion, replication, and redundancy because multiple independent systems can provide session and application logic while a different set of individual machines can provide MySQL data services.

Good examples of two-layer applications include any number of blogging, content-management, and website hosting packages. The Apache/PHP software controls the application, while the MySQL database stores things like blog entries, file metadata, or website content. Access control and application functions are implemented in PHP code. The use of a MySQL database allows it to easily deliver features like searching content, indexing content, and efficiently replicating it to multiple data stores.

Knowing that you have a two-layer application means that you have to consider tests across the boundary between the layers. If your presentation/app layer is making SQL queries to a data layer, then you need to consider tests that address the data layer directly. What can you find out about the data layer, the relationships in the data, and the way the application uses data? You will want to test for ways that the application can scramble the data, and ways that bad data can confuse the application.

When developers decide to divide their work into three or more layers, they have a lot of choices about which components they choose. Most applications that are complex enough to have three components tend to use heavyweight frameworks like J2EE and .NET. JSPs can serve as the session layer, while servlets implement the application layer. Finally, an additional data storage component, like an Oracle or SQL Server database implements the data layer.

When you have several layers, you have several autonomous application programming interfaces (APIs) that you can test. For example, if the presentation layer handles sessions, you will want to see whether the application layer can be tricked into executing instructions for one session when it masquerades as another.

Knowing the relationships between the components in your application makes an important difference to your testing. The application is only going to fulfill its mission when all the components are working correctly. You already have several ways that you can examine your tests to evaluate their effectiveness. Test coverage, for example, is measured in a variety of ways: how many lines of code are covered by tests? How many requirements are covered by tests? How many known error conditions can we produce? Now that you understand the presence and function of architectural components, you can consider how many components of the application are tested.

The more information you, as a tester, can provide to a developer about the root cause or location of an error, the faster and more correctly the error can be fixed. Knowing that an error, for example, is in the session layer or data layer goes a long way towards pointing the developer in the right direction to solve it. When the inevitable pressure comes to reduce the number of tests executed to verify a patch or change, you can factor in the architecture when making the decision on which tests are most important to execute. Did they make modifications to the data schema? Try to organize your tests around data-focused tests and focus on that component. Did they modify how sessions are handled? Identify your session management tests and do those first.