Integrated Web Application Security Testing

The basic idea behind SDLC is that if you consider security early on in your development process, in theory, you should end up with more secure software. Of course, this is easier said than done and there are many challenges you need to face in order to embed the SDLC principles properly.

In this blog post, I would like to suggest a simple, ad-hock way to jump-start your SDLC program without the need to over-engineer things too much, too early. In this example we will use a nodejs app but the same principles can be applied to other frameworks and programming environments. We will also make use of SecApps embeddable sharing capabilities as the basic component for this design.

Let's Build An App

First, let's build a simple nodejs app. We will make it deliberately vulnerable to a simple XSS for the sake of this example. The app looks more or less like this:

express = require('express')
bodyParser = require('body-parser')

app = express()

app.use(bodyParser.urlencoded({ extended: false }))

app.get('/', function (req, res) {
  res.send(
    '<form method="POST"><input name="name" placeholder="Type your name and press return." style="width:100%"/></form>'
  )
})

app.post('/', function (req, res) {
  res.send('<h1>Hello ' + req.body.name + '</h1>')
})

server = app.listen(3000, function () {
  console.log('listening on ' + server.address().port)
})

This is simple enough. If we put this code in production then we have a problem. So we need to create a mechanism to catch any of these XSS vulnerabilities whenever we like.

Integrating Security Tests

At this stage you may be considering writing security unit tests which generally is a good idea. However, in practice this approach may not scale very well unless you already have a good infrastructure to support it. Security testing heavily relies on fuzzing which is a very time-consuming task and what we want, in our case, is a simple, ad-hock solution.

To do this we will create another special page, for internal use only, that will act as a point of reference for all kinds of security tests we want to do to our applications. The page will be shared so that we can scale security and make it part of our development culture. Let's build it.

app.get('/security', function (req, res) {
  // Add urls you want to test here

  var urls = {
    Main: 'http://localhost:3000/',
  }

  // Add requests you want to test here

  var requests = {
    'Post Name':
      'POST http://localhost:3000/ HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nname=Bob',
  }

  // The actual page to render

  var page = []

  // Build urls to test

  page.push('<h1>URLs</h1>')
  page.push('<ul>')
  for (var key in urls) {
    var url = urls[key]
    url = 'http://secapps.com/apps/scanner/#target=' + encodeURIComponent(url)
    page.push('<li><a target="_blank" href="' + url + '">' + key + '</a></li>')
  }
  page.push('</ul>')

  // Build requests to test

  page.push('<h1>Requests</h1>')
  page.push('<ul>')
  for (var key in requests) {
    var request = requests[key]
    request =
      'http://secapps.com/apps/retest/#request=' + encodeURIComponent(request)
    page.push(
      '<li><a target="_blank" href="' + request + '">' + key + '</a></li>'
    )
  }
  page.push('</ul>')

  // Render the page

  res.send(page.join(''))
})

Please don't mind the sloppiness of the example. It can be built better with a templating engine such as Jade.

Anyway, what we are doing here is constructing a special security page that will helps us run some tests. Now, because we don't want to write all of these tests ourselves, we simply use SecApps' toolkit to launch the right application to do the job for us. So for example, if I want to fire up a test on the Main page we can simply click on the link and get the test going in no time as it is illustrated in the following video.

<video autoplay loop src="/uploads/a8680171-4f0c-46e8-a1ca-d869e90f3820.mp4"></video>

Now we can add all interesting areas into this special page that my team can use for finding security vulnerabilities without wasting too much time. They don't need to configure security scanners. They don't even need to install additional software because all of it runs inside the browser.

Taking It Forward

We have built this solution in no time. It is simple and elegant. It doesn't require complex infrastructure to handle testing and scales out extremely well. Literally everyone in my development team can run security tests and when I decide to involve some pentesters, I can show them this page which they can use for their tests in order to save me some time and money. I believe that this works well and it is inline with the KISS principle.

We can do so much more though. Because SecApps have JSON, XML and FORM fuzzers we can create special links to fuzz our backend and customer-facing services. We can embed the entire security testing lifecycle in a Wiki page, email or even PowerPoint/Keynote presentation (why not). It could be an automated email that I receive every month with embed links of tests that I need to perform in production (it is ok).

The bottom line is that it is really up to you how you will design the solution. It does not have to be complex and you don't have to build security processes too soon. You can leave this for later stage when you have a better idea where you are going with it and most of the time you will end up sticking with a simpler solution anyway.