Push Your Functional Testing Further into Technology and Security
Alan Richardson, EvilTester.com, @EvilTester

Part the first, wherein we describe Functional Testing in terms of Systems and Models, and expand a model of testing to include Technical Testing.

Functional Testing
● Testers learn how to test systems
– Requirements
– 'What' a system 'should' do

Systems
● System under Development
● System of Development

System Under Development
● System under Development
– Requirements
– Architecture
– Environments
– etc.

System Of Development
● Methodological Context
● Social Constructs
● Model Different Systems of Testing
– Systems of Feedback
– Systems of Learning
– Systems of Questioning
– ...

Requirement Example – RestMud

A Model of Testing
● Modelling
● Observation
● Intent
● Reflection
● Manipulation

We can push our functional testing further
● "What is it supposed to do?"
– vs "What does it do?"
● Comparison to other models
● Is it viable?
● Precondition analysis
● Presupposition analysis

We can push our functional testing further
● Explore 'How' the system does what it does
● Understand the technology used to build the system
– Identify technology risks
– Identify risks at different levels of the stack
– Work at different levels of the stack

A Model of Technical Testing
● Modelling
● Observation
● Interrogation
● Reflection (includes intent)
● Manipulation

Part the second, wherein two technical models are provided with a discussion of possible technical testing approaches.
Example – a Java App
● HouseOfTest.se/2016/02/testers-contest-crappy-little-datagenerator/

Observation Example – a Java App
● Double click run – see GUI
● tail -f DataGeneration.txt
● Text Editor
– Line endings
– Refresh
● No exceptions shown

Observation Example – a Java App
● java -jar crappy_little_datagenerator_v_1.0.jar
– Now can see stdout written to the command line, exceptions, errors etc.

Interrogation Example – a Java App
● Decompile e.g. http://jd.benow.ca/
● Load .jar as a library into a Project

Interrogation Example – a Java App

Observe - Multiple Entry Points

Modelling Example – a Java App (diagram): GUI, DataGeneration, CLI

Manipulation Example – a Java App

Manipulate Example – a Java App

Risks
● Does this test approach add risk?
– Because testing at a lower level in the stack?
– Because working against a non-deployed version?
– Because it is not how the user would run it?

Risk
● Mitigating risk provides one reason for testing
● No test approach mitigates all risk
● Multiple test approaches required

Modelling – a Web App (diagram): Browser, HTML GUI, Web Server, App Server, Web App

Observe & Interrogate – a Web App (diagram): HTTP via Proxies; HTTP via Dev Tools; HTML & DOM via View Source and Dev Tools; Web Server, App Server, Web App

Manipulate – a Web App (diagram): HTTP via Proxies; HTML & DOM via Dev Tools; Web Server, App Server, Web App

Modelling – this Web App (diagram): Player GUI, Admin GUI, Rest API, Web Server, App Server, Web App

Part the third, wherein the overlap between technical testing and security testing is explored.
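The Java app walk-through in part the second stops at "Observe - Multiple Entry Points": the manifest names the class that runs when the jar is double-clicked, but other classes can carry their own main() and other resources can carry hard-coded paths. The following is an added example, not code from the talk or from the HouseOfTest contest app: it interrogates a jar directly, since a jar is a zip, without a decompiler. The sample jar is constructed in memory, and its package names, class names and config file are assumptions; the byte search for the main() name and descriptor is a heuristic that a decompiler or `javap -p` would confirm on a real jar.

```python
"""Interrogate a .jar without a decompiler: read the manifest, list the
classes that carry a main() entry point, and list the non-class resources.
Added example; the sample jar below is constructed, not the talk's app."""
import io
import zipfile

# A class with `public static void main(String[] args)` holds both of these
# as modified-UTF8 entries in its constant pool, so a raw byte search over a
# .class file finds candidates (heuristic: confirm with javap -p).
MAIN_NAME = b"main"
MAIN_DESCRIPTOR = b"([Ljava/lang/String;)V"


def build_sample_jar() -> bytes:
    """Constructed jar: a GUI main class declared in the manifest, a second
    class with its own main() that the manifest never mentions (a CLI entry
    point), a helper class, and a properties file with a hard-coded path.
    The class bodies are stand-ins carrying only the constant-pool bytes
    the search below relies on; package and file names are assumptions."""
    manifest = "Manifest-Version: 1.0\r\nMain-Class: com.example.datagen.GuiMain\r\n\r\n"
    magic = b"\xca\xfe\xba\xbe"
    fake_classes = {
        "com/example/datagen/GuiMain.class": magic + MAIN_NAME + MAIN_DESCRIPTOR + b"javax/swing/JFrame",
        "com/example/datagen/CliMain.class": magic + MAIN_NAME + MAIN_DESCRIPTOR,
        "com/example/datagen/DataGeneration.class": magic + b"generate" + b"()V" + b"DataGeneration.txt",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in fake_classes.items():
            jar.writestr(name, data)
        jar.writestr("config.properties", "output.file=DataGeneration.txt\n")
    return buf.getvalue()


def manifest_main_class(jar_bytes: bytes):
    """The entry point that double-clicking the jar runs."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in manifest.splitlines():
        if line.startswith("Main-Class:"):
            return line.split(":", 1)[1].strip()
    return None


def entry_points(jar_bytes: bytes):
    """Fully qualified names of classes whose bytes contain both the main()
    name and the String[] descriptor."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                data = jar.read(name)
                if MAIN_NAME in data and MAIN_DESCRIPTOR in data:
                    found.append(name[: -len(".class")].replace("/", "."))
    return sorted(found)


def alternate_entry_points(jar_bytes: bytes):
    """Entry points the manifest does not advertise: the ones the GUI user
    never reaches, but a tester loading the jar as a library can call."""
    declared = manifest_main_class(jar_bytes)
    return [c for c in entry_points(jar_bytes) if c != declared]


def non_class_resources(jar_bytes: bytes):
    """Config, properties and text files packed in the jar; worth reading,
    since they often carry hard-coded paths or credentials."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(
            n for n in jar.namelist()
            if not n.endswith(".class") and not n.endswith("/") and not n.startswith("META-INF/")
        )


if __name__ == "__main__":
    jar = build_sample_jar()
    print("manifest Main-Class:", manifest_main_class(jar))
    print("classes with main():", entry_points(jar))
    print("undeclared entry points:", alternate_entry_points(jar))
    print("resources:", non_class_resources(jar))
```

Against a real jar, replace `build_sample_jar()` with the file's bytes; the undeclared entry points are the classes to load as a library and drive directly, which is the manipulation step the slides show.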
Deeper Testing

Technical Testing
● We will find defects and issues we would otherwise miss
– Observing, Interrogating, Manipulating lower
● Some defects normally associated with security testing
– I am not a security tester
– Technically Informed Modelling

Security Overlap Examples
● Code reviews find hard-coded security issues
● Form field inspection exposed emails, executable shell code, file names for survey answers
● HTML Commented URLs to 'secret' parts of the application
● User HTTP json contains more info than displayed as HTML

Security Overlap Examples: Because...
● Code reviews find hard-coded security issues – Observed More Deeply
● Form field inspection exposed emails, executable shell code, file names for survey answers – Interrogated More Deeply
● HTML Commented URLs to 'secret' parts of the application – Interrogated More Deeply
● User HTTP json contains more info than displayed as HTML – Observed, Interrogated, Manipulated More Deeply
Because Modelled More Deeply

Any Methodology : Any Tester
● Methodology context does not dictate
– 'Process' context might dictate
– 'Social' context might dictate
● Any Tester can do this
– Limited by technology knowledge
– Limited by technical skill
– Limited by choice

Part the fourth, wherein the steps to increase technical ability are laid afore the public.

I am fairly Technical
● Books
● SeleniumSimplified.com
● EvilTester.com
● JavaForTesters.com
● Online Training Courses
● Consultancy, work hands on with teams

I grew up with computers...
http://www.retrogamer.net/profiles/hardware/zx-spectrum-hardware-profile/

I grew up reading computer books...
http://www.usborne.com/catalogue/feature-page/computer-and-coding-books.aspx

...but not with the internet
http://www.worldofspectrum.org/hardware/feat24.html

I had to learn how to test the web

How to learn to test the web
● Model What You Know
– HTML? HTTP? Browsers?
● Increase your ability to Observe at the GUI
– View Source
– Inspect Element - Dev Tools
– You will see things you don't understand (add to your model & research)

How to learn to test the web
● Increase your ability to Manipulate at the GUI
– Inspect Element - Dev Tools
– Amend DOM prior to submitting a form
– Inspect and manipulate URLs
● Cookies, Local Storage
– Inspect
– Figure out how to manipulate (plugins required?)

Basic Web Challenges
● View Source and Inspect Element of:
– Your favourite web sites
– How do they do 'that'?
● Any free 'pdf' report that requires 'email'
– find the download without adding your email
● Newspapers - 'you have read too many articles today'
– how can they tell? Manipulate to bypass?

How to learn to test the web
● Observe HTTP Traffic in Browser
– Network tab in Dev Tools
● Observe HTTP Traffic outside Browser
– HTTP Proxy – Fiddler, Charles, BurpSuite, OWASP ZAP
– Interrogate and Manipulate Traffic with a Proxy

How to learn to test the web
● Learn features in the browser
– View Source, Users, Dev Tools
– How can the feature help you test?
● Learn features in the proxies
– Replay Message, Fuzzers, Auto Responders
– How can the feature help you test?

Technology Basics
● Model the Technology
– Where are the gaps in your understanding?
– These gaps are risks to your testing.
● How can I observe X?
● How can I interrogate X?
● How can I manipulate X?
● Repeat

Application Basics
● Model the application
● What is it actually doing?
– Not just what is it supposed to do
● How does it do X?
– Observe, Interrogate, Manipulate

Going Further

Pushing Functional Testing Even Further
● Go Even Further: Explore and automate systems below the GUI
● GUI as API
● Quickly enter more combinations of input than would otherwise be feasible
● Fuzzers, Setup Test Data
● Test at an API level without specialist tools
● Proxy message creation

Do the work!
● Research
● Experiment
● Learn
● Take Small Steps

Do The Work!
● Alan Richardson
– @EvilTester
– www.EvilTester.com
– www.JavaForTester.com
– www.SeleniumSimplified.com
– www.CompendiumDev.co.uk
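As an added worked example of the security-overlap findings from part the third (hidden form fields exposing file names and emails, commented URLs to 'secret' parts of the application, JSON carrying more than the HTML shows) and of the View Source, form-manipulation and proxy-replay steps from part the fourth: the Python below is not code from the talk, and the survey page, the JSON response and the host name are constructed samples, not the application the talk describes. It does with the standard library what a tester does by hand in Dev Tools and a proxy's replay feature.

```python
"""View Source, JSON-vs-HTML comparison and a manipulated replay request,
run against a constructed survey page. Added example; the page, the JSON
and the host name are made up and stand in for the app in the talk."""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample: what View Source shows for a survey page. The hidden
# fields and the commented URL are the kind of thing the talk reports finding.
SURVEY_PAGE = """<html><body>
<!-- TODO remove before go-live: /admin/export?all=1 -->
<h1>Survey</h1>
<div id="user">Alice</div>
<form method="POST" action="/survey/submit">
  <input type="hidden" name="answers_file" value="/var/survey/answers/alice.txt">
  <input type="hidden" name="notify_email" value="ops@example.test">
  <input type="text" name="q1">
  <input type="submit" value="Send">
</form>
</body></html>"""

# Constructed sample: the JSON the page's script fetched for the user box.
# Only the name is rendered; the other fields never appear in the HTML.
USER_JSON = '{"name": "Alice", "email": "alice@example.test", "role": "admin", "password_hash": "$2b$12$abc"}'


class SourceInspector(HTMLParser):
    """Collects what a tester looks for in View Source: the form target,
    hidden fields, URLs inside comments, and the visible text."""

    def __init__(self):
        super().__init__()
        self.form_action = None
        self.hidden_fields = {}
        self.commented_urls = []
        self.visible_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.hidden_fields[a["name"]] = a.get("value", "")

    def handle_comment(self, data):
        # Absolute paths, optionally with a query string, left in comments.
        self.commented_urls += re.findall(r"/[\w/.-]+(?:\?[\w=&.-]*)?", data)

    def handle_data(self, data):
        if data.strip():
            self.visible_text.append(data.strip())


def inspect_source(html: str) -> SourceInspector:
    inspector = SourceInspector()
    inspector.feed(html)
    return inspector


def undisplayed_json_fields(api_body: str, visible_text):
    """Keys in the API response whose values are never shown on the page:
    the 'JSON contains more info than displayed as HTML' finding."""
    shown = " ".join(visible_text)
    return sorted(k for k, v in json.loads(api_body).items() if str(v) not in shown)


def replay_request(host: str, form_action: str, fields: dict, overrides: dict) -> str:
    """The raw request a proxy's replay feature sends after the tester amends
    a field: same form, changed hidden value, Content-Length recomputed."""
    body = urlencode({**fields, **overrides})
    head = "\r\n".join([
        f"POST {form_action} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('ascii'))}",
    ])
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    page = inspect_source(SURVEY_PAGE)
    print("hidden fields:", page.hidden_fields)
    print("commented URLs:", page.commented_urls)
    print("JSON fields not rendered:", undisplayed_json_fields(USER_JSON, page.visible_text))
    # Manipulate: point the hidden file name at another user's answers file
    # and observe whether the server trusts the client-supplied path.
    print(replay_request("survey.example.test", page.form_action,
                         {**page.hidden_fields, "q1": "yes"},
                         {"answers_file": "/var/survey/answers/bob.txt"}))
```

The three functions map onto the talk's model: `inspect_source` is observation and interrogation of the HTML, `undisplayed_json_fields` is interrogation of the HTTP response against the rendered GUI, and `replay_request` is the manipulation step, where the interesting observation is how the server responds when a hidden field it emitted comes back changed.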