Getting started with QA-Security Testing (Part-1)
Vinayak Titti
Test Automation Engineer @Apple Inc | Corporate Trainer | ISTQB | SDET | Selenium Tester | Cypress & Playwright Automation | MABL | TestComplete | API Testing | JMeter | DevOps | AWS | AZURE |Test
First of all, these days many articles and discussions are popping up about manual vs. automation testing: “which one should I learn?”, “manual or automation testing?”, “manual testing is obsolete”. There is no such thing as 100% manual testing or 100% complete automation testing. Nowadays a forward-looking QA should have multiple skills irrespective of the domain, such as “Functional testing”, “Automation testing”, “API testing”, “Database testing”, “Load testing” and, last but not least, “Security testing” as well.
As quality is everyone’s responsibility in an Agile-driven methodology, security is everyone's responsibility too. This article is written for QAs who are looking for security testing knowledge with hands-on experience. Most of the time QAs are involved with functional, automation, API and load testing but ignore one of the key non-functional types, which is security testing.
Security plays a key role in all aspects of the software development lifecycle. Security testing is a vast subject and contains numerous topics. This blog is targeted at beginners and covers the main security testing areas to be carried out while testing websites for vulnerabilities.
In this article, a few of the security testing types will be covered to find vulnerabilities in websites using manual pen-testing techniques and OWASP ZAP automated scanning.
For instance:
- Security headers testing.
- DDOS attacks prevention.
- Authentication testing[Password Encryption & Hashing].
- SQL Injection
- Cross-Site-Scripting
- AWS Cloud Security testing — etc.,
1. Security Headers Testing:
Manual Approach: Initially, let's check the security headers of websites manually and debug them using Chrome extensions.
Ex: HTTP Headers, Link Redirect Trace.
The above extensions can be helpful if you want to:
- Debug a web application
- Follow the redirect path
- See cookies sent by the remote site
- See which web server the remote site is using
- See the headers sent to the server
- See which headers the server returns
- See the HTTP verbs used
- See response codes
Steps to execute:
a. Download the Chrome extensions given above
b. Go to https://gamehacking.org/
c. Click on the HTTP Headers or Link Redirect Trace extension
d. Manually debug the website's HTTP headers
Description & Types of Security Headers:
a. HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value “Strict-Transport-Security: max-age=31536000; includeSubDomains”.
b. Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
c. X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value “X-Frame-Options: SAMEORIGIN”.
d. X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is “X-Content-Type-Options: nosniff”.
e. Referrer-Policy is a newer header that allows a site to control how much information the browser includes with navigations away from a document, and it should be set by all sites.
f. Feature-Policy is a newer header that allows a site to control which features and APIs can be used in the browser (browsers have since renamed it Permissions-Policy, so expect to see either name).
g. X-Powered-By can usually be seen with values like “PHP/5.5.9–1ubuntu4.5” or “ASP.NET”. Trying to minimise the amount of information you give out about your server is a good idea. On the site above this header seems to have been altered to remove the version information, but it could still be removed altogether.
Let’s check the score of a well-secured and a less-secured website using https://securityheaders.com/
Good Rating: https://www.icicibank.com/
Bad Rating: https://www.gameofhacks.com/
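The manual check above can be turned into a repeatable script. The following is an added example, not code from the original article: it evaluates a set of response headers against the recommendations listed in a. to g. (the one-year HSTS max-age, DENY/SAMEORIGIN for X-Frame-Options, nosniff, and so on), accepting either Feature-Policy or its successor Permissions-Policy. The sample headers at the bottom are constructed to resemble a “bad rating” site; fetch_headers() can be pointed at a site you are allowed to test.

```python
# Added example (not part of the original article): audit an HTTP response's
# security headers against the recommendations listed above.
# audit_headers() works on any mapping of header names to values, so it runs
# offline on a constructed sample or on a live response from fetch_headers().
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the max-age recommended above for HSTS


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _hsts_max_age(value: str) -> int:
    """Parse the max-age directive out of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("Strict-Transport-Security lacks includeSubDomains")

    if not _get(headers, "Content-Security-Policy"):
        findings.append("Content-Security-Policy missing")

    xfo = _get(headers, "X-Frame-Options").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if _get(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if not _get(headers, "Referrer-Policy"):
        findings.append("Referrer-Policy missing")

    # Feature-Policy was renamed Permissions-Policy; accept either spelling.
    if not (_get(headers, "Feature-Policy") or _get(headers, "Permissions-Policy")):
        findings.append("Feature-Policy/Permissions-Policy missing")

    # Information-disclosure header: its presence is the finding.
    powered_by = _get(headers, "X-Powered-By")
    if powered_by:
        findings.append(f"X-Powered-By header discloses '{powered_by}'")

    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """GET a URL (HEAD is not always honoured) and return its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample response headers standing in for a "bad rating" site.
SAMPLE_WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.5",
    "Strict-Transport-Security": "max-age=86400",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_WEAK_HEADERS):
        print("FAIL:", finding)
```

Run it as-is to see the seven findings for the constructed sample; replace the sample with `fetch_headers("https://example.test/")` (a placeholder URL) to audit a live response. Header values are compared case-insensitively because browsers treat them that way.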
Automated Approach: Let's use OWASP ZAP, an open-source security testing tool, to check security headers and detect vulnerabilities across a whole website using ZAP's automated scanner. ZAP is known as a “man-in-the-middle proxy”: it stands between the tester’s browser and the web application so that it can intercept and inspect the messages sent between browser and application, and modify their contents if needed.
Set-up OWASP ZAP:
Download the tool from https://www.zaproxy.org/.
Once the download and installation are done, open ZAP and follow the steps below.
Pre-condition: Set the proxy
1. Go to Tools > Options > Local Proxies
2. Enter Address & Port as given below
3. Click Ok
4. Open Chrome or Firefox to set the browser proxy
5. Enter Web proxy server & Port as given below
6. Click Ok
Note: The browser's proxy port number must match the ZAP proxy port.
Steps to execute: Automated Scanner
a. Go to File > New session
b. Select the option “No, I do not want to persist this session at this moment in time”
c. Select the mode of attack. ex: Safe mode
Safe Mode: This mode does not allow anything that is potentially dangerous.
Protected Mode: This mode allows potentially dangerous actions, but only against sites in scope.
Standard Mode: This mode allows anything that is relevant.
Attack Mode: New nodes in scope are actively scanned as soon as they are discovered.
d. Select Automated Scan
e. Enter URL to test & click Attack. ex: https://www.gameofhacks.com/
Note: Only use ZAP if you have permission to test websites with active attack.
f. Scanning will start and the scan progress is shown
Request Tab: Shows the data your browser sends to the application
Response Tab: Shows the data the application sends back to your browser
g. To check the missing headers, go to the Alerts tab and expand it
h. After the scan completes, ZAP will provide alerts with High, Medium, Low and Informational risk levels
Reports:
To generate HTML reports after scan completion —
Steps:
a. Go to Report from ZAP menu
b. Select generate HTML report
c. Enter location to save reports
d. Open the HTML report file
Info: Risk level, number of alerts, description and solution for each alert will be provided in detail.
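The same “Automated Scan” (spider followed by active scan) and report export can be driven without the GUI, which is what the CI/CD integration promised for the next part needs. The following is an added example and not the article's or the ZAP project's own code: it talks to ZAP's local REST API with only the standard library, polls scan progress, counts alerts per risk level, and saves the HTML report. It assumes ZAP is already running on localhost:8080 (the proxy set up above) with an API key configured under Tools > Options > API; ZAP_API_KEY and the SAMPLE_ALERTS list are placeholders and constructed data, and the endpoint paths should be checked against the API documentation for your ZAP version.

```python
# Added example (not from the article): drive ZAP's Automated Scan through its
# REST API, then summarise alerts by risk level and save the HTML report.
# Assumes ZAP is listening on localhost:8080 with an API key configured.
import json
import time
import urllib.parse
import urllib.request
from collections import Counter
from typing import Dict, List

ZAP_BASE = "http://localhost:8080"
ZAP_API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"  # placeholder, not a real key


def api_url(component: str, kind: str, name: str, **params: str) -> str:
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    params["apikey"] = ZAP_API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def zap_call(component: str, kind: str, name: str, **params: str) -> dict:
    """Perform one API call and decode the JSON body."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for(component: str, scan_id: str) -> None:
    """Poll <component>/view/status until the spider or active scan reports 100%."""
    while True:
        status = int(zap_call(component, "view", "status", scanId=scan_id)["status"])
        print(f"{component} progress: {status}%")
        if status >= 100:
            return
        time.sleep(5)


def summarize_alerts(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per ZAP risk level (High, Medium, Low, Informational)."""
    counts = Counter(alert.get("risk", "Unknown") for alert in alerts)
    return {level: counts.get(level, 0)
            for level in ("High", "Medium", "Low", "Informational")}


def automated_scan(target: str, report_path: str = "zap-report.html") -> Dict[str, int]:
    """Spider the target, actively scan it, write the HTML report, return the summary."""
    spider_id = zap_call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = zap_call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", ascan_id)
    alerts = zap_call("core", "view", "alerts", baseurl=target)["alerts"]
    # The HTML report is served from the OTHER endpoint family, not JSON.
    report_url = f"{ZAP_BASE}/OTHER/core/other/htmlreport/?apikey={ZAP_API_KEY}"
    with urllib.request.urlopen(report_url, timeout=60) as resp, open(report_path, "wb") as fh:
        fh.write(resp.read())
    return summarize_alerts(alerts)


# Constructed sample in the shape of the alert objects core/view/alerts returns.
SAMPLE_ALERTS = [
    {"alert": "Missing Anti-clickjacking Header", "risk": "Medium", "url": "https://example.test/"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "https://example.test/"},
    {"alert": "Strict-Transport-Security Header Not Set", "risk": "Low", "url": "https://example.test/login"},
    {"alert": "Server Leaks Version Information", "risk": "Low", "url": "https://example.test/"},
    {"alert": "Re-examine Cache-control Directives", "risk": "Informational", "url": "https://example.test/"},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(automated_scan(sys.argv[1]))  # target must be in scope for your test
    else:
        print(summarize_alerts(SAMPLE_ALERTS))
```

Without arguments the script only summarises the constructed sample; given a target URL it runs the full scan against a live ZAP instance. The summary dict is what a pipeline would gate on (for example, fail the build when the High count is non-zero), while the saved HTML report carries the same description and solution text as the GUI report.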
To be continued….
In a future blog, other kinds of security testing, vulnerabilities and prevention techniques will be covered. Ex:
- OWASP ZAP plugin integration with Jenkins- CI/CD [ Continuous Functional + Security testing].
- DDOS attacks prevention.
- Authentication testing[Password Encryption & Hashing].
- SQL Injection.
- Cross-Site-Scripting.
- AWS Cloud Security testing — etc.,
Happy Learning!!!
Reference links:
https://www.zaproxy.org/docs/desktop/start/
https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options?