Practical Web Security Testing Evolution of Web Application Modules and Open Source Testing Tools
2022 International Conference on Intelligent Data Science Technologies and Applications (IDSTA)

III. GOALS AND APPROACHES

Security testing and development in this project were accomplished in parallel. Such test-driven or early testing approaches can eliminate vulnerabilities in the initial stages, which is best practice for avoiding major issues in the future. Our developed website (https://mysmartsa.com/) helps San Antonio public transportation commuters navigate local and public transportation information, i.e. arrival time, number of seats available, current location, etc. Open-source tools such as OWASP ZAP (Open Web Application Security Project Zed Attack Proxy) and SoapUI are used in the security testing of our web application. These tools do not require extensive knowledge of the target website, and usually just providing the URL is enough. We report our efforts using OWASP ZAP and SoapUI in the next sections.

A. Summary Of Security Testing Using OWASP ZAP And SoapUI

1) OWASP ZAP: The first report generated by ZAP detected the following 8 types of vulnerabilities. For details on those vulnerabilities, readers can consult the ZAP alerts documentation at https://www.zaproxy.org/docs/alerts/

• CSP: Wildcard Directive, Risk: Medium, Count: 2
• X-Frame-Options Header Not Set, Risk: Medium, Count: 9
• Absence of Anti-CSRF Tokens, Risk: Low, Count: 2
• Cross Domain JavaScript Source File Inclusion, Risk: Low, Count: 10
• Information Disclosure – Debug Error Messages, Risk: Low, Count: 1
• Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s), Risk: Low, Count: 27
• X-Content-Type-Options Header Missing, Risk: Low, Count: 24
• Cookie No HttpOnly Flag, Risk: Low, Count: 1
• Information Disclosure - Suspicious Comments, Risk: Informational, Count: 7

2) SoapUI: The first report generated by SoapUI detected 1 vulnerability. For details on this vulnerability, readers can find resources related to the tool:

• HTTP Method Fuzzing, Count: 12

B. Security Testing: Debugging and fixing security alerts

In this section, we report our effort to debug and fix the security issues mentioned previously. Typically, to be able to do that, we have to properly understand the alerts in the report. The references are a good starting point for understanding an alert and when it is typically triggered. This gives security testers the exact information they need to identify the issue and why it was triggered. We examine the vulnerabilities of web applications created using the Express and later Django frameworks.

C. Dealing with OWASP ZAP Security Alerts

This section provides possible solutions/fixes for the security bugs found in the web application by OWASP ZAP in section III-A1.

• Content Security Policy (CSP) Header Not Set: This alert was triggered because the Content-Security-Policy header was not set. CSP is an added security layer that detects and prevents attacks such as cross-site scripting and data injection. To set up the header, testers had to check the framework documentation for CSP headers, as there are many ways to configure it. To resolve the alert, the web server must return the Content-Security-Policy HTTP header with values that regulate which resources the browser is permitted to load for the page.
– The syntax is: Content-Security-Policy: policy-directive, where policy-directive consists of <directive> <value> with no internal punctuation.
Example: Content-Security-Policy: default-src 'self' http://example.com;
For a full list of possible directives and more examples, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.

1) X-Frame-Options Header Not Set: This alert was triggered because the X-Frame-Options header was not set, so the web pages could be embedded within any other website without restriction. This issue can be solved in different ways. In this case, we installed a package called Helmet.js, which helps secure Express apps by setting various HTTP headers. After complete installation and configuration of this package, the alert was resolved and X-Frame-Options was configured properly.

2) X-Content-Type-Options Header Missing: Similar to the previous alert, here the X-Content-Type-Options header was missing or not set properly. This issue was also fixed using the Helmet.js package, which provides a tool to set the nosniff option.
– Code for Express framework:
∗ app.use(helmet.noSniff())
– Code for Django framework in settings.py:
∗ SECURE_CONTENT_TYPE_NOSNIFF = True

3) Absence of Anti-CSRF Tokens: With any forms on the website, it is very important to have security in place to protect those forms from XSS attacks. The reason
this alert was triggered is that there was no CSRF token validation. Packages like csurf create a middleware for CSRF token creation and validation. Using this package to create the middleware, the anti-CSRF token worked and the anti-CSRF token alert was resolved.

4) Cross-Domain JavaScript Source File Inclusion: This alert was triggered because ZAP detected external JavaScript files used in the project, such as Bootstrap, Google API fonts, etc. The alert notifies the security tester to check whether the sources are trustworthy. After careful examination, all the JavaScript files and sources were verified to be genuine.

5) Information Disclosure – Debug Error Messages: Generally, for documentation, developer teams create comments in the code, which ZAP identified as debugging messages that can help an attacker. This alert was fixed by removing the comments so that ZAP no longer identifies them as debugging messages. Comments are important for developers in future releases to make code more readable and maintainable. However, from a security perspective, comments should not give hints to attackers who can reverse engineer applications and retrieve the original code.

6) Information Disclosure - Suspicious Comments: Similar to the previous one, this alert was triggered because some comments were too detailed and gave information about how data is stored in the database. Extracting a website's code is typically simple; comments can be viewed by anyone using inspect element or view source.

7) Cookie No HttpOnly Flag: A cookie was set without the HttpOnly flag, which allows JavaScript to access the cookie. To resolve this alert, the tester has to enable the HttpOnly setting; as this website is built using Django, it can be fixed with this line in settings.py: CSRF_COOKIE_HTTPONLY = True.

8) Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s): This alert notifies the tester that the server name is leaked in HTTP responses, which can be helpful to attackers. To fix this in Express, we used this piece of code, which disables the header that reveals the server:
– app.disable('x-powered-by')

D. Dealing with SoapUI Security alerts

Referring to section III-A2, the following solution is suggested in this section to address the vulnerability discovered, along with how it was initially triggered in SoapUI.

• HTTP Method Fuzzing: The approach is to block HTTP methods other than GET and POST, as these two methods are the ones defined in the API. The attacker should not be able to overwrite data on the server, or obtain data that should not be revealed to clients, by using unexpected HTTP methods.

E. Penetration testing tools and usage

Thanks to the open-source community's contributions, there are numerous penetration testing tools publicly available. In this research paper we evaluate three of those tools: Jok3r, SQLMap and Nikto, as these tools provide most of the testing functions needed for security testing, such as network infrastructure and web black-box testing, SQL injection, HTTP headers, cross-site scripting, etc.

F. Jok3r, [1]

Jok3r [1] is a Python-based CLI program designed to assist penetration testers with network infrastructure and web black-box security tests, [2]. The tests below summarize our testing activities and results:

• After installing the tool, first create a database that will contain all of the test results.
• Choose the options suitable for your web application security testing. Check all the available testing features using the -h option.
• Run the attack with custom scripts for a particular type of testing.
• To view the test results, open the database used to store the scan results.
• Test scan results:
– robots.txt is not found or empty. This text file tells search engine crawlers which URLs are accessible and which are blocked.
– SSLv2 & SSLv3 not offered: These secure sockets layer versions 2 and 3 were intended to maintain the safety and security of internet connections, but they are not offered by the server.
– Null ciphers, anonymous null ciphers (no authentication) and export ciphers are not offered.
– Strict transport security is not offered: This is the layer in charge of making sure websites connect over HTTPS (this layer does not exist in the tested application).

G. SQLMap, [3]

SQLMap ([3]) is an open-source penetration testing tool that automates the process of finding and exploiting SQL injection vulnerabilities and taking over database servers, [4]. The tests below summarize our testing activities and results:

• Start the offensive test on the target website with the payload you wish to use to test the database for SQL injection vulnerabilities.
• Scan: If there is no secure layer in between to protect the database from SQL injection, SQLMap locates and displays the information obtained from the database.
• Test results may include user names and passwords, table names from the database, column names from the database, and the ability to create tables, update and retrieve information, delete users, delete tables, etc.
H. Nikto, [7]

Nikto ([7]) is an open source web application scanner. It runs thorough tests on web servers for a variety of things, such as potentially harmful files and applications, and checks for out-of-date versions on more than 1250 servers and version-specific issues on more than 270 servers, [6]. The tests below summarize our testing activities and results:

• Run the vulnerability scanner with specific test options on the web application.
• Scan results:
– The anti-clickjacking X-Frame-Options header is not present. There is a potential danger of a clickjacking attack on the web application since this header is missing.
– The X-Content-Type-Options header is not set, so the browser will be able to perform MIME type sniffing: the browser will determine what type of content is present and how to handle it when it receives a response from the server.
– The X-XSS-Protection header is not defined. Any page on this website may be vulnerable to an XSS attack because the server is not set up to return an 'X-XSS-Protection' header.

Here is a summary of the ZAP and SoapUI security alerts and our debugging efforts:

• Content Security Policy (CSP) Header Not Set: Set the Content-Security-Policy header by consulting the framework documentation for the syntax. Using the browser's inspect tools is helpful, since they show which resources were omitted from the header and allow them to be added to the content security policy.
• X-Frame-Options Header Not Set: Depending on the framework used to build the web application, the tester should refer to the framework documentation for the syntax to set X-Frame-Options; in the Express framework, installing the helmet.js package and configuring the X-Frame header fixes this issue and secures the web application.
• Absence of Anti-CSRF Tokens: Whenever forms are used in a web application, it is important to secure them with tokens, which simply validate that the data was not changed. There are many ways to generate an anti-CSRF token; you can generate the token on the server side and validate it on the client side, but different frameworks have their own way of validating forms with tokens.
• Cross Domain JavaScript Source File Inclusion: Make sure all external JavaScript comes from credible sources, or load those JavaScript files locally, i.e. keep the JavaScript code in the project itself.
• Information Disclosure – Debug Error Messages: Remove any debugging messages from HTTPS responses that could help an attacker gain inside information.
• Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s): Hide the name of the server framework used for building the web application in HTTP responses; in Express we can hide it on the server side using app.disable('x-powered-by').
• X-Content-Type-Options Header Missing: The X-Content-Type-Options header can be set by enabling nosniff mode; the frameworks require a line of code that sets the nosniff value to true.
• Cookie No HttpOnly Flag: Enable the HttpOnly flag for all cookies. In Django, you can accomplish this via CSRF_COOKIE_HTTPONLY = True.
• Information Disclosure - Suspicious Comments: Make sure to remove comments in the code that provide important and critical information about data storage, functionality, etc.
• HTTP Method Fuzzing: Configure the HTTP methods so that an attacker is not able to overwrite data by sending unexpected HTTP methods.

IV. CONCLUSION

In this paper, we reported our experience of testing a recently developed website for security issues or vulnerabilities. As a showcase, we reported our use of two desktop and three command-line interface open source security testing tools. We also reported our efforts to debug and fix those security issues, as well as a comparison of the open-source tools, providing an overview of the kind of testing the tools can perform and the application type, whether desktop, web or command-line interface, and further demonstrated a five-step security testing work cycle. Lastly, we wanted to demonstrate in this paper what vulnerabilities can exist, why they were triggered, and how to fix the security issues to make web applications secure.

ACKNOWLEDGMENTS

This material is based upon work supported by the National Science Foundation (NSF) under Grant No. 2131193. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

REFERENCES

[1] Jérémy Brun-Nouvion. Jok3r - network web pentest automation framework, 2019.
[2] Jérémy Brun-Nouvion. Jok3r - network web pentest automation framework, 2019.
[3] Bernardo Damele and Miroslav Stampar. Sqlmap, 2022.
[4] Bernardo Damele and Miroslav Stampar. sqlmapproject/sqlmap, 2022.
[5] Martin Lněnička and Jan Capek. Classification and evaluation of cloud-based testing tools: The case study of web applications' security testing. Acta Informatica Pragensia, 7:40–57, 06 2018.
[6] Chris Sullo and David Lodge. Nikto, 2022.
[7] Chris Sullo and David Lodge. sqlmapproject/sqlmap, 2022.