Testing "Injection" Attacks with Selenium

Schedule: Sep 5th 03:15 PM - Jan 1st 12:00 AM. Place: Grand Ball Room 2

Business applications are growing at breakneck speed to cater to ever-increasing business needs. The dream of ever-connected systems and information at our fingertips is quickly becoming a fact. This dream has brought about an evolution of online, real-time applications with many requirements and functionalities. The downside is that security is being forced to take a back seat. Add to this that the sheer quantity of code to cover is overwhelming for a manual security tester.

One of the most common attacks against web applications is the injection attack: an injection flaw allows a malicious user to send crafted input to an application. The consequences of an injection flaw in your application range from a user being able to steal all the data in your database to the extreme case of an attacker gaining command access to your infrastructure. In this session we want to show the power of automation using Selenium. We will demonstrate how we write scripts to automate the testing of injection attacks in web applications. The outcome of this automation is that we have been able to get fair code coverage, which frees the security tester to concentrate on the tests that need manual expertise, such as business-logic or design failures.

Though Selenium could be used to automate a far larger scope, we chose injections as the priority for this session because injections form a large part of the web application attack landscape. We intend to share some of the learnings we had in the past and some pitfalls we noticed. One could take the same idea and extrapolate it to other attacks too.

Attacks we plan to cover

1. SQL Injection

2. Command Injection

3. XSS

Outline/Structure of the Demonstration

1. This session will be a demo. We have built a vulnerable application and will use Selenium to automate the process of finding its vulnerabilities.

2. Discussion of each attack and of the script written to automate its testing.

Learning Outcome

1. The result of this session is that a functional tester gets insight into how test automation can be applied to testing for security vulnerabilities.

2. We will also briefly discuss the background of each attack; understanding it helps in writing better scripts.

Target Audience

Testers, Information Security Professionals, QA, Developers

Submitted 5 years ago

Public Feedback

Suggest improvements to the Speaker

  • Mark Collin  ~  5 years ago

    Sounds interesting, it would be nice to see some nosql attacks as well (https://www.owasp.org/index.php/Testing_for_NoSQL_injection). There is a common misconception that nosql is immune to injection attacks.

    Would you provide the application and code for people to download and play with after the presentation?

    • Prasanna Kanagasabai  ~  5 years ago

      Hello,

      Sure, I will add No-SQL injection to the demo suite. No-SQL is immune to SQL injection but not to injection attacks. We could do some interesting hacks in key-value pair injection.

      Sure, I can provide the vulnerable app and the testing scripts to the attendees.

      Thank you!