Secure Coding mailing list archives

Re: Security Test Cases for Testing


From: Crispin Cowan <crispin () immunix com>
Date: Thu, 18 Dec 2003 00:47:27 +0000


Giri, Sandeep wrote:


> To avoid security flaws in various applications, I started teaching people
> about how to write secure code.
> But I soon lost hope when I saw the same flaws again and again during code
> audits.
> So, now with a hope to get some security flaws (like SQL injection,
> buffer overflows, XSS problems, etc.) foiled while testing,
> I am planning to write test cases for the QA team.
> Has anyone already written test cases for the same?

For buffer overflows and format bugs, look at "fuzzing" tools. The basic 
concept is to cram large amounts of input into program orifices until 
they segfault. Enhanced for format bugs by shoving %n into the strings. 
The art is to format the data so that it is syntactically appropriate to 
the applications and network services at hand.


Original concept by Bart Miller http://www.cs.wisc.edu/~bart/fuzz/ 

Sharefuzz and other code auditing and testing tools indexed here 
http://sardonix.org/Auditing_Resources.html


Detecting SQL injection uses a similar concept. A trivial test is to 
enter a ' mark, or try to enter a name like O'tool. If it passes, it 
does not prove the system free from SQL injection, but if it fails then 
SQL injection is possible.


Detecting XSS is a different process, which I am less familiar with. 
Check out various web application, CGI application, etc. vulnerability 
scanners. Even nessus (a general vulnerability scanner) has some 
capability here. But I'm a curmudgeon, who thinks that XSS issues are 
really client-side issues in the form of browser vulnerabilities (IE's 
lame willingness to execute code) or a problem between the chair and the 
keyboard (IE users :-)


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
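The test cases Crispin sketches above (oversized and %n-laden input for fuzzing, a lone ' and the name O'tool for SQL injection) can be written down as QA checks. The following is an added example, not code from the original post or from Immunix. It uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows so it runs offline; lookup_unsafe and lookup_safe are hypothetical stand-ins for an application's own query code, and the http_form_cases helper shows the "syntactically appropriate" wrapping so a payload actually reaches the parser instead of being rejected at the front door.

```python
"""Constructed QA test cases for the checks described in the thread.

Added example, not code from the original post or from Immunix. It uses
Python's built-in sqlite3 module with an in-memory database so it runs
offline; lookup_unsafe and lookup_safe are hypothetical stand-ins for an
application's own query code.
"""
import sqlite3
from urllib.parse import urlencode

# Payloads in the spirit of the post: oversized input for overflow hunting,
# %n-laden strings for format bugs, and apostrophes for SQL injection.
FUZZ_CASES = {
    "long_input": "A" * 65536,
    "format_string": "%n%n%n%n%s%s%s%s",
    "single_quote": "'",
    "apostrophe_name": "O'tool",
    "tautology": "x' OR '1'='1",
}


def http_form_cases(field="username"):
    """Wrap every payload in a syntactically valid URL-encoded form body,
    so a web application's parser accepts the request and the payload
    reaches the code under test (the 'syntactically appropriate' part)."""
    return {label: urlencode({field: payload}) for label, payload in FUZZ_CASES.items()}


def make_db():
    """Constructed sample data: two users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("O'tool",), ("Smith",)])
    return conn


def lookup_unsafe(conn, name):
    """Hypothetical 'before' code: the value is spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def apostrophe_test(lookup):
    """The trivial test from the post: submit a lone ' and the name O'tool.

    Returns True only if both are accepted without a database error and
    O'tool is actually found. A pass does not prove the code injection-free;
    a failure means injection is possible.
    """
    conn = make_db()
    try:
        lookup(conn, FUZZ_CASES["single_quote"])
        return lookup(conn, FUZZ_CASES["apostrophe_name"]) == ["O'tool"]
    except sqlite3.Error:
        return False
    finally:
        conn.close()


def injection_test(lookup):
    """Follow-up to a failed apostrophe test: a tautology payload that returns
    every row shows the submitted value controls the WHERE clause."""
    conn = make_db()
    try:
        return lookup(conn, FUZZ_CASES["tautology"])
    except sqlite3.Error:
        return []
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        print(name, "apostrophe test:", "pass" if apostrophe_test(fn) else "FAIL",
              "| tautology rows:", injection_test(fn))
```

Run as a script, the string-concatenating lookup fails the apostrophe test (the lone ' produces a malformed statement) and the tautology payload returns both rows; the parameterized lookup passes and returns nothing for the tautology. For a QA suite the same payloads would be submitted through http_form_cases so they are parsed as form fields rather than rejected as a bad request.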
