Secure Coding mailing list archives
Re: Security Test Cases for Testing
From: Crispin Cowan <crispin () immunix com>
Date: Thu, 18 Dec 2003 00:47:27 +0000
Giri, Sandeep wrote:

> To avoid security flaws in various applications, I started teaching people about how to write secure code. But I soon lost hope when I saw the same flaws again and again during code audits. So, now with a hope to get some Security Flaws (like SQL injection, buffer overflows and XSS problems etc.) foiled while testing, I am planning to write Test Cases for the QA team. Has anyone already written test cases for the same?

For buffer overflows and format bugs, look at "fuzzing" tools. The basic concept is to cram large amounts of input into program orifices until they seg fault. Enhanced for format bugs by shoving %n into the strings. The art is to format the data so that it is syntactically appropriate to the applications and network services at hand.

Original concept by Bart Miller: http://www.cs.wisc.edu/~bart/fuzz/

Sharefuzz and other code auditing and testing tools are indexed here: http://sardonix.org/Auditing_Resources.html

Detecting SQL injection uses a similar concept. A trivial test is to enter a ' mark, or try to enter a name like O'tool. If it passes, it does not prove the system free from SQL injection, but if it fails then SQL injection is possible.

Detecting XSS is a different process, which I am less familiar with. Check out various web application, CGI application, etc. vulnerability scanners. Even nessus (a general vulnerability scanner) has some capability here. But I'm a curmudgeon, who thinks that XSS issues are really client-side issues in the form of browser vulnerabilities (IE's lame willingness to execute code) or a problem between the chair and the keyboard (IE users :-)

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
Immunix 7.3 http://www.immunix.com/shop/
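The apostrophe test Crispin describes, written up as a QA test case. This is an added example, not code from the original thread or from Immunix: it uses Python's standard sqlite3 module with a constructed in-memory users table, and the two lookup functions (a string-splicing one and a parameterised one) are hypothetical stand-ins for the application code under test. The test feeds a name such as O'tool to the lookup and reports a failure if the database raises an error or returns the wrong rows, which is exactly the "if it fails then SQL injection is possible" signal from the post; a pass, as the post says, proves nothing on its own.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
USERS = [("O'tool", "qa"), ("smith", "dev")]


def make_db():
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Hypothetical vulnerable lookup: the name is spliced into the SQL text,
    so an apostrophe in the input reaches the SQL parser as syntax."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hypothetical hardened lookup: the name is passed as a bound parameter
    and never becomes part of the SQL text."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def apostrophe_test(lookup, name="O'tool", expected=("qa",)):
    """QA test case from the thread: submit a value containing an apostrophe.

    Returns (passed, detail). A failure (database error or wrong result set)
    means the input is reaching the SQL parser unquoted, so injection is
    possible. A pass does not prove the lookup is free of SQL injection.
    """
    conn = make_db()
    try:
        got = lookup(conn, name)
    except sqlite3.Error as exc:
        return False, f"database error on {name!r}: {exc}"
    finally:
        conn.close()
    if tuple(got) != tuple(expected):
        return False, f"unexpected result {got!r} for {name!r}"
    return True, "ok"


if __name__ == "__main__":
    for label, fn in (("concat", lookup_concat), ("param", lookup_param)):
        for probe, want in (("O'tool", ("qa",)), ("'", ())):
            passed, detail = apostrophe_test(fn, probe, want)
            print(f"{label:6s} {probe!r:9s} {'PASS' if passed else 'FAIL'}  {detail}")
```

Run as a script it prints one line per lookup and probe; the spliced version fails both probes with a syntax error from SQLite, while the parameterised version returns the O'tool row and an empty set for the lone apostrophe. The same `apostrophe_test` shape works against any lookup callable, so a QA team can point it at each data-access function in turn.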
Current thread:
- Security Test Cases for Testing Giri, Sandeep (Dec 17)
- Re: Security Test Cases for Testing ljknews (Dec 17)
- Re: Security Test Cases for Testing Gene Spafford (Dec 17)
- Re: Security Test Cases for Testing ljknews (Dec 18)
- Re: Security Test Cases for Testing Gene Spafford (Dec 19)
- Re: Is Open Source Software "more" secure? Jared W. Robinson (Dec 20)
- Re: Security Test Cases for Testing Gene Spafford (Dec 17)
- Re: Security Test Cases for Testing Kenneth R. van Wyk (Dec 19)
- Re: Security Test Cases for Testing Dana Epp (Dec 19)
- Re: Security Test Cases for Testing Gene Spafford (Dec 20)
- Re: Security Test Cases for Testing ljknews (Dec 17)
- Re: Security Test Cases for Testing Jeff Williams @ Aspect (Dec 17)