
A quick usability cooking through mindmap

Mindmap for Usability

Guest Blog Post: Web Services Attacks

What is a Web Service?
A web service is any software that is used for communication over a network. One could imagine a web service as a function that performs a specific operation. A web service may or may not take input parameters, and may or may not return output parameters. Those input and output parameters can be used as attack points to gain entry into the web service and reach confidential information. This guest blog post briefs you on some of the attacks one could perform to keep a tab on security vulnerabilities within a web service.

Enumeration & Profiling
Suppose there is a shopping website http://shoppy.com. A user places an order by clicking the “Place Order” button and is taken to http://shoppy.com/buy. An attacker can check whether a web service is involved by requesting http://shoppy.com/buy?wsdl: if the WSDL file for the web service comes back in the browser, “buy” is a web service whose WSDL can be fetched by appending “?wsdl” as the query string. The WSDL file shouldn’t be open to public view in the first place; an authentication check needs to be in place so that only authorized users can retrieve it. Once the WSDL is accessible, the attacker learns the web methods, the data types of their input and output parameters, endpoint addresses and more, which in turn can be used to attack the service further.

Parameter Tampering
Through enumeration and profiling of the web service, the attacker learns its input and output parameters. He can then attack the web service by supplying different kinds of values for those parameters.

Meta characters: He could tamper with the input using meta characters such as single quote, double quote, ampersand, percent and dollar symbols as values for any web method that accepts input.
Data type mismatch: The attacker may supply numeric values to a string parameter, or null values to arrays.
Large buffer / abnormal values: The attacker could also supply large values in the range 0 – 2^31. The highest or lowest permitted value for an input parameter may also break the system.

Once the inputs are submitted and the web method has been serviced, note the messages returned in the web service response. They should not contain any confidential information about the web service.
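The three parameter-tampering cases above (meta characters, data type mismatch, abnormal values) are all caught by the same defence: an allow-list per parameter, checked before the value reaches any database or file. The example below is added here and is not code from the post; it parses the post's getSecurityToken request (reproduced as constructed, well-formed XML), applies a hypothetical rule set, and returns one fixed fault text to the caller while keeping the detailed reason for the server log only, so the response never becomes the information source the post warns about. The rule format, `validate_value` and `handle_request` are assumptions made for this example; the integer rule goes beyond the post's username/password method to show the range check for numeric parameters.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"            # namespace of getSecurityToken in the post's request
GENERIC_FAULT = "Client error: the request could not be processed."

# Constructed copy of the post's request (prolog and quotes made well-formed).
SAMPLE_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getSecurityToken xmlns="http://tempuri.org/">
      <username>JohnA</username>
      <password>Eiffel6Tower</password>
    </getSecurityToken>
  </soap:Body>
</soap:Envelope>"""

# Hypothetical allow-list: declared type plus permitted character set (with length cap) or numeric range.
RULES = {
    "username": {"type": "str", "pattern": re.compile(r"^[A-Za-z0-9_.]{1,32}$")},
    "password": {"type": "str", "pattern": re.compile(r"^[^\x00-\x1f]{8,128}$")},
}

class InvalidParameter(ValueError):
    """Carries the detailed reason; it is logged server-side and never echoed to the client."""

def validate_value(name, raw, rule):
    """Check one raw string against its rule and return the typed value."""
    if raw is None:
        raise InvalidParameter(f"{name}: missing value")
    if rule["type"] == "int":
        if not re.fullmatch(r"-?\d{1,10}", raw):          # rejects '', 'abc', '1e9' and longer digit runs
            raise InvalidParameter(f"{name}: not an integer")
        value = int(raw)
        if not rule["min"] <= value <= rule["max"]:        # catches 2^31-style boundary values
            raise InvalidParameter(f"{name}: {value} outside {rule['min']}..{rule['max']}")
        return value
    if rule["type"] == "str":
        if not rule["pattern"].fullmatch(raw):            # quotes, ampersands, %, $ etc. fail here
            raise InvalidParameter(f"{name}: disallowed characters or length")
        return raw
    raise InvalidParameter(f"{name}: unknown rule type")

def extract_params(soap_xml):
    """Return {name: text} for the children of getSecurityToken in a SOAP 1.1 envelope."""
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    method = body.find(f"{{{SVC_NS}}}getSecurityToken") if body is not None else None
    if method is None:
        raise InvalidParameter("missing Body or unexpected web method")
    params = {}
    for child in method:
        name = child.tag.split("}", 1)[-1]                 # drop the namespace part of the tag
        if name in params:
            raise InvalidParameter(f"duplicate parameter {name}")
        if len(child):                                     # nested elements where a scalar is expected
            raise InvalidParameter(f"{name}: unexpected child elements")
        params[name] = child.text
    return params

def handle_request(soap_xml, rules=RULES):
    """Validate a request; every failure yields the same generic fault plus a separate log detail."""
    try:
        params = extract_params(soap_xml)
        if set(params) != set(rules):                      # reject missing and extra parameters alike
            raise InvalidParameter(f"parameter set {sorted(params)} != {sorted(rules)}")
        clean = {n: validate_value(n, params[n], rules[n]) for n in rules}
        return {"ok": True, "params": clean, "log": None}
    except (ET.ParseError, InvalidParameter) as exc:       # a raw '&' is not even well-formed XML
        return {"ok": False, "fault": GENERIC_FAULT, "log": str(exc)}

if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST))
    print(handle_request(SAMPLE_REQUEST.replace("JohnA", "1' or 1=1")))
    print(handle_request(SAMPLE_REQUEST.replace("JohnA", "John&A")))
```

The "log" entry is what a tester should expect to find only in server-side logs; if any of that text shows up in the SOAP response, the service is leaking the information the next sections use.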

 

Web Services Attacks

 

The following web service accepts a username and password as input and issues a security token as output.

Web Service Request
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <getSecurityToken xmlns="http://tempuri.org/">
      <username>JohnA</username>
      <password>Eiffel6Tower</password>
    </getSecurityToken>
  </soap:Body>
</soap:Envelope>

Web Service Response
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <getSecurityTokenResponse xmlns="http://tempuri.org/">
      <getSecurityTokenResult>304334</getSecurityTokenResult>
    </getSecurityTokenResponse>
  </soap:Body>
</soap:Envelope>

XML Poisoning
One could add exploitable elements to existing XML, build a SOAP envelope around it and submit it as a web service request. If appropriate validation is not in place, the injected elements might reach the database or query critical information from the server. The attacker can also use this attack to observe the messages returned in the response and gather information about the server.

Directory Traversal
The attacker could look for the Autoexec.bat script by keying in ../../../../Autoexec.bat, or variants of the same path, to get hold of automatically executed batch files. <faultstring> messages sometimes return directory paths.

Consider the following example:
<faultstring>
Server was unable to process request. --&gt; Could not find file &quot;c:\inetpub\wwwroot\news\junk&quot;.
</faultstring>

The attacker now knows the server path c:\inetpub\wwwroot\news\junk!
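Two things went wrong in that faultstring: the requested name was joined onto a server directory without checking that the result stays inside it, and the not-found error echoed the full local path. The example below is added here (it is not code from the post) and shows a hypothetical file-serving web method that confines the requested name under a base directory and returns the same generic faultstring for a traversal attempt and for a genuinely missing file, keeping the path for the log. It uses POSIX path rules on a constructed file list; the Windows paths in the post would need the same check done on the backslash form.

```python
import posixpath

GENERIC_FAULT = "Server was unable to process request."

# Constructed list of files the hypothetical news web method is allowed to serve.
NEWS_FILES = {"/var/www/news/today.xml", "/var/www/news/archive/2011-03.xml"}

def resolve_under(base_dir, requested):
    """Return the normalised path if it stays inside base_dir, otherwise None."""
    # Absolute paths, backslashes and NUL bytes are never valid relative names here.
    if not requested or requested.startswith("/") or "\\" in requested or "\x00" in requested:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))   # collapses '..' segments
    # Compare with a trailing separator so /var/www/newsletter is not mistaken for /var/www/news.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None

def get_news_file(requested, base_dir="/var/www/news", existing=NEWS_FILES):
    """Web-method handler: the client gets one generic fault for every failure; detail goes to the log."""
    path = resolve_under(base_dir, requested)
    if path is None:
        return {"faultstring": GENERIC_FAULT, "log": f"traversal rejected: {requested!r}"}
    if path not in existing:
        # The post's faultstring leaked the full path at this point; it belongs in the log only.
        return {"faultstring": GENERIC_FAULT, "log": f"not found: {path}"}
    return {"path": path, "log": None}

if __name__ == "__main__":
    for name in ("today.xml", "junk", "../../../../Autoexec.bat"):
        print(name, "->", get_news_file(name))
```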

SQL Injection
Keying in symbols such as single quote, double quote, hyphen, asterisk and parentheses may produce different <faultstring> messages, provided the input parameters are passed directly into the database query executed on the server.

Keying in 1’ or 1=1 may return the complete set of records from the username table.

In the web service request above, replace JohnA with 1’ or 1=1. If the web service runs a query like Select * from username where username=’JohnA’, that input produces the query Select * from username where username=’1’ or 1=1, which matches every row and so displays the complete details of the first record in the table. From there, the user may drill down to the other records with further SQL tricks.
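The example below is added here to show the two query forms side by side; it is not code from the post. It builds a constructed in-memory SQLite table named username, runs the string-concatenated query the post describes, and runs the same lookup with a bound parameter. The post's exact input 1' or 1=1 leaves a dangling quote in the concatenated statement, so the vulnerable form produces a database error (the kind of text that ends up in a <faultstring>); the same input with a trailing SQL comment marker (--), a constructed variant, returns every row. The parameterised form returns nothing for either, because the quote is just data there.

```python
import sqlite3

def make_db():
    """Constructed sample table: two users, nothing more."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE username (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO username VALUES (?, ?)",
                     [("JohnA", "john@example.test"), ("MaryB", "mary@example.test")])
    return conn

def lookup_vulnerable(conn, username):
    """The query form the post describes: the input is pasted into the SQL text."""
    sql = "SELECT * FROM username WHERE username='" + username + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "faultstring": None}
    except sqlite3.Error as exc:
        # A service that echoes this message becomes the <faultstring> oracle the post describes.
        return {"rows": [], "faultstring": str(exc)}

def lookup_safe(conn, username):
    """Parameterised: the driver sends the value separately, so quotes in it are only data."""
    return conn.execute("SELECT * FROM username WHERE username=?", (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("JohnA", "1' or 1=1", "1' or 1=1 --"):
        print(repr(value), lookup_vulnerable(db, value), lookup_safe(db, value))
```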

HTTP method tampering
Web services use a GET or POST method to carry their operations. Using GET to transfer confidential data is not secure enough. Any service using GET needs to be cross-checked by running it through Burp Suite or the wsKnight tool and inspecting what data is submitted and returned by the web service. POST requests should also be converted to GET to check whether any confidential information gets revealed.

SOAP message tampering
1. Supplying * in the input fields of the web service request above may return several records if suitable validation is absent.
2. Attackers could use brute force, continuously keying in usernames and passwords to gain illegal entry into the secure area of the server. Note that there is no account lockout policy at the SOAP request level (good catch?).
3. Parameter guessing can be used to repeatedly guess usernames and passwords with the help of social engineering, observing the <faultstring> messages and fine-tuning the guesses until access to the web service is gained.
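Points 2 and 3 describe the same gap from two sides: nothing slows repeated attempts, and the fault messages differ enough to guide the guessing. The example below is added here and is not code from the post; it wraps the post's getSecurityToken operation in a hypothetical guard that counts failures per username over a sliding window, locks the account for a period after too many, and returns one identical fault text whether the user is unknown, the password is wrong or the account is locked. The user store, policy constants and class are constructed for the example; the password hashing is there so that unknown users cost the same time as known ones.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

# Constructed user store: the post's JohnA / Eiffel6Tower stored as salt + PBKDF2 digest.
USERS = {"JohnA": (b"salt-JohnA", _hash("Eiffel6Tower", b"salt-JohnA"))}
DUMMY = (b"salt-dummy", _hash("unused-dummy", b"salt-dummy"))   # unknown users pay the same hashing cost

MAX_FAILURES = 5          # hypothetical policy values
WINDOW_SECONDS = 300
LOCK_SECONDS = 900
FAULT = "Authentication failed."   # identical for unknown user, wrong password and locked account

class LoginGuard:
    """getSecurityToken with per-username failure counting and a temporary lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock           # injectable so the behaviour can be tested without waiting
        self.failures = {}           # username -> deque of recent failure timestamps
        self.locked_until = {}       # username -> time at which the lock expires

    def is_locked(self, username):
        return self.locked_until.get(username, 0) > self.clock()

    def _record_failure(self, username, now):
        q = self.failures.setdefault(username, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:    # drop failures outside the sliding window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCK_SECONDS
            q.clear()

    def get_security_token(self, username, password):
        now = self.clock()
        salt, digest = USERS.get(username, DUMMY)
        # Always hash and compare in constant time so timing does not reveal whether the user exists.
        password_ok = hmac.compare_digest(_hash(password, salt), digest) and username in USERS
        if self.is_locked(username) or not password_ok:
            self._record_failure(username, now)
            return {"fault": FAULT}
        self.failures.pop(username, None)
        return {"token": secrets.token_hex(16)}     # random token stands in for the post's 304334

if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.get_security_token("JohnA", "Eiffel6Tower"))
    for _ in range(MAX_FAILURES):
        print(guard.get_security_token("JohnA", "wrong"))
    print("locked:", guard.is_locked("JohnA"))
```

The lock is keyed on the username, so a tester should also check that the same throttle cannot be used to lock legitimate users out at will; a per-source-address limit alongside it is the usual complement.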

OS command execution
Users could append valid operating system commands to input parameters and gain access to confidential information.

For example: “JohnA” | ls -r

The input above may be processed with JohnA as the username while also passing the ls -r command on to the shell, listing directories on a Unix OS.
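The pipe in that input only does anything because a shell gets to parse the string. The example below is added here and is not code from the post; it shows the two defences a service should combine: passing the value as a single argv element with no shell involved (the child process receives the pipe and the ls as literal text), and rejecting shell metacharacters up front for fields like a username that never legitimately contain them. The child program is a small Python one-liner so the block runs anywhere Python does; the `SHELL_META` pattern and function names are assumptions for this example, and `shlex.quote` is shown for the case where a shell really cannot be avoided.

```python
import re
import shlex
import subprocess
import sys

# Characters that carry meaning for a POSIX shell; none of them belongs in a username.
SHELL_META = re.compile(r"""[|&;`$<>\\(){}\[\]*?~!"'\n]""")

def has_shell_metachars(value):
    return SHELL_META.search(value) is not None

def echo_argument(value):
    """Run a child with the value as one argv element and no shell; it prints exactly what it got."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True)
    return proc.stdout                  # the pipe and 'ls -r' come back as plain characters

def lookup_user(username):
    """What a web method should do: validate first, then call the helper without a shell."""
    if has_shell_metachars(username):   # defence in depth: the post's payload stops here
        return None
    return echo_argument(username)

def quote_for_shell(value):
    """Only if a shell is unavoidable: shlex.quote makes the whole value one word."""
    return shlex.quote(value)

if __name__ == "__main__":
    payload = '"JohnA" | ls -r'
    print("argv passes it literally:", echo_argument(payload))
    print("validated lookup:", lookup_user(payload), lookup_user("JohnA"))
    print("quoted for a shell:", quote_for_shell(payload))
```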

Summary
This blog post is a guideline on how web services can be exploited during testing. Attackers can devise many more powerful attacks to gain access to web services.

Author Biography

Parimala
Parimala has eight-plus years of experience in testing, managing and mentoring teams of software testers. Apart from testing, which she is most passionate about, she loves mentoring testers and has mentored over 30 of them. She frequently writes about her testing experiences at http://curioustester.blogspot.com. She has authored or co-authored articles for testing magazines such as Better Software, Testing Circus and Testing Planet. Apart from testing, she loves to play with her two lovely kids and to read books, magazines, articles and much more. She is a self-claimed emotional overeater who eats to beat every emotion in the world!
 
Parimala currently works as a Test Manager at Moolya Software Testing Pvt Ltd, Bangalore. She can be reached at parimala@moolya.com.

Do you really understand Usability?

Usability is not a quick meal that can be prepared. Whenever someone talks about something in usability, I usually do not give my opinion right away, because the topic requires a lot of thought before reaching a conclusion, and remember that conclusions might change tomorrow, because there is always a better factor than what we have today. So, please do not take these conclusions as standards. Some concerns require a group to brainstorm, discuss or argue over the thoughts of individuals.

 

A few things that I understand and suggest others understand too:

  1. Usability is not what is usable for you; however, you might be one of the end-users too.
  2. Do not change your design based on feedback from one end-user out of 100. The nightmare could come tomorrow, when that one change reverses the situation: 99 end-users dislike it and that one end-user likes it.
  3. If your product is for web developers and you are using traditional web components instead of the jazzy stuff that falls under Web 2.0, then you are not in the competition in the first place.
  4. Do not follow someone just because they are well-known in the field of usability. What you need to do is question yourself: how does this design help the end-user compared with the current one? Is it an intelligent change that we are making to our system? Why are we making this change? (Classic example: Gmail was good until its new version was released with GUI changes, and most of us do not like it compared to the earlier versions.)
  5. Ask the other testers in your team: how do you feel about the GUI of this product? Is it engaging? Attractive? Does it achieve the goals it is built for?

 

For those who are enthusiastic about “Usability and User eXperience”, here are some sources they could make use of:

  1. http://useit.com/
  2. http://userfocus.com/
  3. http://boxesandarrows.com/

How to test better with add-on(s)?

You must already know the add-on(s) mindmap which we (Moolyavans) created (URL: http://moolya.com/blog/2011/03/04/addon-mindmap-for-testers-from-moolya/). Now I am going to shed some light on how we can use them. I have chosen some add-ons and described how we utilize them in our testing activity. Here I go:

 

Web Developer Add-on

There are different categories under the Web Developer add-on; below are some of them, with an explanation of how we use them in our testing activity:

1. Validation

I would use this add-on to quickly validate CSS and HTML and to find broken links or 404 pages. It uses the validation tools from the W3C, which is the standard, and that helps me give a quick report.

2. Forms

Under this I get to know about risks such as whether server-side validation is being done, whether maxlength limits can be bypassed to trigger a system error message or other unexpected behaviour, and whether form methods can be converted from GET to POST and vice versa.

3. Images

This helps in performing Section 508 (Web Accessibility) tests very quickly. We navigate to a page and click “Display ALT / Title attributes”, and the whole list, existing and missing attributes alike, is displayed on the page itself (no need to hover over every image to see whether an ALT text or tooltip is shown).

 

Resolution Test

I use this to get coverage on how a web page looks at different screen resolutions. Users may have different resolutions set, and this add-on helps us quickly find out whether there are any risks associated with the resolution of a web page.

 

Also try ScreenFly (http://quirktools.com/screenfly/), which can emulate resolutions for tablets such as iPad / Motorola, mobile phones, desktops and TVs.

 

iMacros

Let’s say we want to test the My Profile page for a newly registered user. Registering is a repetitive step if the test is about creating new users, so we automate it very quickly: within about 30 seconds we can record the registration form (without a captcha; otherwise we need to enter the captcha and then submit the form). iMacros is supported on Internet Explorer, Mozilla Firefox and Google Chrome, and macros recorded once can be run on each of these browsers, except Apple Safari. This is just one example; we know many other contexts where we could use iMacros.

 

Form Fuzzer

I use this to populate text fields with characters from different character sets, for example !@#$%^&*()-+ etc. I have the test data ready, and with one click we populate every text field with it and then submit the form, which helps in validating the input handling.

 

Check All / CheckFox

Let’s say there are 100 checkboxes and one of the tests is to check all 100 and submit the form. Doing it one by one takes a lot of time, but with the CheckAll or CheckFox add-on I can do it within a few seconds by dragging over the area containing the checkboxes, or with just one click. I can also invert the selection or uncheck everything.

 

Tamper Data / IE Tamper

I use this add-on for tampering with input values before they are submitted to the server; it acts as a man in the middle between the browser and the server.

 

Example: let’s say the item I am purchasing costs $100, but a client-side validation does not allow me to edit the price. With the Tamper Data add-on, once I click “Submit”, Tamper Data shows the request in its own window, where I can change the price to $10 and submit it. This helps us find out whether the data can be tampered with or not.
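The $100-to-$10 edit succeeds only if the server believes the price it is sent. The example below is added here and is not code from the blog; it shows the server-side rule that makes the Tamper Data test pass: recompute the total from the server's own catalogue, validate quantities, and refuse an order whose submitted total does not match. The catalogue, amounts (in cents) and function names are constructed for this example.

```python
# Constructed catalogue: the server's own prices in cents, the only trusted source of a price.
CATALOGUE = {"SKU-100": 10000, "SKU-7": 1999}
MAX_QTY = 100   # hypothetical per-line limit

def server_total(cart):
    """Recompute the order total; prices never come from the client, quantities are range-checked."""
    total = 0
    for sku, qty in cart.items():
        if sku not in CATALOGUE:
            raise ValueError(f"unknown item {sku}")
        # bool is a subclass of int, so exclude it explicitly; negative or huge quantities are rejected.
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"bad quantity for {sku}")
        total += CATALOGUE[sku] * qty
    return total

def checkout(cart, submitted_total):
    """Accept the order only when the client-submitted total equals the server's own figure."""
    try:
        expected = server_total(cart)
    except ValueError as exc:
        return {"accepted": False, "charged": 0, "reason": str(exc)}
    if submitted_total != expected:
        # A tampered $100 -> $10 request lands here: nothing is charged and the mismatch is recorded.
        return {"accepted": False, "charged": 0, "reason": f"total mismatch (expected {expected})"}
    return {"accepted": True, "charged": expected, "reason": None}

if __name__ == "__main__":
    print(checkout({"SKU-100": 1}, 10000))   # honest request
    print(checkout({"SKU-100": 1}, 1000))    # price edited in transit
    print(checkout({"SKU-100": -1}, -10000)) # negative quantity
```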

 

RegEx Tester

I use this add-on to test regular expressions. Let’s say there is JavaScript code for validation, but the form is not yet fully built or functional. In this case, I need not stop my testing of validation: we can take those regular expressions (A-Z, a-z, 0-9 etc.) and test them on their own. So even if the functionality is not implemented, our input validation testing is not blocked.

 

Edit This Cookie

I use this to reveal risks (if any) such as modifying a cookie value and getting into a different account which does not belong to us. Knowing what information is stored in the cookie, we look for data that should not be there.

 

Lipsum

If I want to add 100 lines of text to a text area, we use Lipsum, a Lorem Ipsum text generator. So I have the test data ready in a few seconds.

 

Pendule

Helps in getting coverage on JavaScript and CSS: we use it on a specific page and all the code is extracted into a separate window for CSS and JavaScript, so we have everything in one place and can go through it there. An indentation feature is also available under “Beautify CSS”. There are other cool features too which add value.

Auto-complete can put your customers under threat

You must know the auto-complete feature in your web browser and also in web applications like the Google search engine. I am going to speak about where to use it and where not to. You might like the two points below:

 

  1. Auto-complete helps in improving UX
  2. Auto-complete can put your customers under threat if care is not taken to disable it in some places

 

I will concentrate on the 2nd point, which you are interested in. Let us consider a web application which doesn’t have an auto-complete feature of its own, but the web browser saves history and provides auto-complete from it. Most people use web browsers with auto-complete turned on. Below is a mind-blowing example of how not disabling auto-complete in the code of a web application leads to unauthorized access by a non-owner of an account:

 

There is a Secret Answer text field and it is in plain text (first of all, this itself is bad, because the secret answer acts as authentication too and ought to be masked; you mask the password because others should not see it, so keeping the secret answer in plain text, does it make sense?), and there are users who use shared computers. Let us say 10 customers sign up and have chosen different secret answers; these are non-computer-savvy people. Now someone like me (as an example), an evil hacker, starts using the website where those 10 customers registered. I go to the sign-up page and double click on the “Secret Answer” text field, and guess what: I have the 10 secret answers of one or another end-user. Now I need to know which e-mail addresses they were using. That’s simple: double click on the “E-mail address” text field and I get 10 e-mail addresses. Wow! Let me have a mug of beer now and dance.

 

Above, you saw how not disabling auto-complete in the code of a web application could impact your customers, and you too.

 

Where should auto-complete be turned off?

  1. E-mail address (use “Remember Me” so your users need not enter their e-mail address every time)
  2. Secret Answer (consider masking it too, or else someone shoulder surfing might exploit it)
  3. Credit Card Numbers
  4. Bank Account Numbers

 

No confidential information should be visible under auto-complete, nor be allowed to be saved in the web browser’s history. Ask yourself: what is the impact of not having auto-complete, and what is the impact of having it? This helps in adding usability as well as security to your web application.

 

You could maintain a checklist of what should not be offered through auto-complete in your web application. You might want to communicate this to the test teams working on other projects in your organization, to benefit your customers and your organization too. I hope you had a good read.
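That checklist can be run automatically against a page's markup. The example below is added here and is not code from the blog; it scans HTML for free-text fields whose name, id or placeholder suggests one of the items above (e-mail, secret answer, card or account number) and reports those that neither the field nor its enclosing form marks with autocomplete="off". The keyword list, the sample sign-up form and the function names are constructed for this example; password fields are skipped because browsers handle them through their own password store rather than form history.

```python
from html.parser import HTMLParser

# Hypothetical keyword list: names, ids or placeholders that suggest confidential content.
SENSITIVE_WORDS = ("email", "e-mail", "secret", "answer", "card", "account", "ssn")
SKIPPED_TYPES = ("password", "hidden", "submit", "button", "checkbox", "radio")

# Constructed sign-up form: the secret answer is handled correctly, the other two are not.
SAMPLE_SIGNUP_FORM = """
<form action="/signup" method="post">
  <input type="text" name="email" placeholder="E-mail address">
  <input type="password" name="password">
  <input type="text" name="secretAnswer" autocomplete="off">
  <input type="text" name="cardNumber">
  <input type="text" name="displayName">
  <input type="submit" value="Sign up">
</form>
"""

class AutocompleteAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_stack = []    # autocomplete setting of each open <form>, innermost last
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if tag == "form":
            self.form_stack.append(attrs.get("autocomplete", "on").lower())
            return
        if tag not in ("input", "textarea"):
            return
        if attrs.get("type", "text").lower() in SKIPPED_TYPES:
            return                                   # not free text the browser's history would offer back
        label = " ".join(attrs.get(k, "") for k in ("name", "id", "placeholder")).lower()
        if not any(word in label for word in SENSITIVE_WORDS):
            return
        own = attrs.get("autocomplete")
        inherited = self.form_stack[-1] if self.form_stack else "on"
        effective = own.lower() if own is not None else inherited   # field setting overrides the form's
        if effective != "off":
            self.findings.append(attrs.get("name") or attrs.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()

def audit(html):
    """Return the names of sensitive free-text fields that a browser may still auto-complete."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(audit(SAMPLE_SIGNUP_FORM))
```

Treat a clean report as necessary rather than sufficient: current browsers ignore autocomplete="off" for some credential fields in favour of their own password manager, so masking the secret answer and not treating browser history as the only line of defence still apply.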