Sunday, September 15, 2019

Continuous Security - take care of your regression


1) Introduction
2) OWASP Juice Shop
3) Rest Template
4) Vulnerability a - client-side error
5) Vulnerability b - open redirect
6) Vulnerability c - admin access
7) Summary

1. Introduction

In my last 'Continuous Security - how to get involved?' post I showed you quickstart guide on how to start helping your team in reaching the desired security level. The article contained simple OWASP ZAP scanning technique and very easy Rest Assured tests which were ensuring HTTP headers presence. Today I'll focus on yet another avenue where testers can excel: regression testing.

Software testing can never prove that application under test contains no bugs. Even if we spend a significant amount of time doing all things correctly, bugs may still get through. It's a good practice to add automated tests which check that bugs found on production can never happen again. Security bugs are no different. Once detected, they should never happen again. 

As usual, there will be a practical demo explaining a theory in action.

2. OWASP Juice Shop

OWASP Juice Shop will be an application under test. According to the official description, it's the most modern and sophisticated insecure web application. It can be used in security training, awareness demos, CTFs and as a guinea pig for security tools. Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications.

WARNING: This article contains spoilers for existing vulnerabilities in Juice Shop. If you prefer to find them by yourself come back here later.

3. Rest Template

Just to change things a bit we will use Spring Rest Template. If you are not familiar with this library I recommend Baeldung tutorial. A more complete description can be found in Spring in Action book.

To start we need to add a couple of dependencies:
a) Spring web for core Rest Template methods
b) Jackson for Java JSON serialization
c) JSON-Java 

Each test will require simple setup. Juice Shop runs on default port 3000.

4. Vulnerability a - client-side error

The secure application should never show internal errors to end-user. It does not only create a terrible user experience for the customer but also leaves a risk of exposing sensitive data. Attacker benefits a lot in such a situation because he can understand what's going on internally on server-side. 

When we try to login as an inexisting user we receive HTTP 401 which is correct.

However when we use ' as login server responds with HTTP 500 and exposes implementation details.

The following test reproduces this vulnerability:

5. Vulnerability b - open redirect

Juice shop allows for redirection on a whitelisted GitHub page. When we try to change this URL application correctly blocks us with HTTP 406.

Unfortunately whitelisting isn't implemented on to parameter but on any of them. Adding a dummy parameter meeting whitelisting criteria results in redirection to any website.

The following test reproduces this vulnerability:

6. Vulnerability 3 - admin access

The last vulnerability is probably the worst one. An attacker can prepare JSON request which will register him as shop admin. Only a couple of Java code lines are required!

7. Summary

I didn't delve too deep into why those bugs exist (although it's perfectly reasonable for you to do a root cause analysis in a similar situation) or how those tests implementation (details on my GitHub project). I just wanted to you show a certain mindset. If there is a bug on production you should thing how to avoid it next time, but also add a regression tests just to make sure it never happens again. For security bugs there is an additional benefit, you expand your knowledge in much-needed field!