
Testing Tools

Sárváry Krisztián edited this page Oct 15, 2020 · 2 revisions

During the testing phase, the following tools should be used to test for certain aspects of security.

Server side

The functional and basic security tests should be developed as end-to-end tests.

Two key aspects of server-side and API security are SQL injection and XSS (Cross-Site Scripting), as described in the OWASP Top 10. To check whether our software is susceptible to such attacks, we will use sqlmap.

sqlmap is an automated tool that checks given endpoints and parameters for potential SQL injection flaws. It supports multiple database engines and multiple SQL injection techniques, and it can also report potential XSS vulnerabilities.

During the testing phase, the testing team should check each endpoint (or GraphQL query) and each endpoint parameter (or GraphQL query parameter) for possible SQL injection and XSS vulnerabilities with the tool.

Native component

The native component is critical in terms of testing, as it is implemented in a low-level language. It follows that during the testing phase, key aspects such as memory safety and defence against buffer overflow attacks should be tested.

One aspect of testing will be fuzzing, which will be performed using Google's AFL. AFL instruments the code, then uses a genetic algorithm to generate test cases that exercise as much of the underlying software as possible. During the testing phase, the native component should be fuzzed with AFL, and the generated test cases should be used to test the component for security.

When working with low-level languages, memory safety is also of paramount importance. To check memory safety, the tool Valgrind should be used: the test cases generated by AFL should be executed under Valgrind to evaluate memory safety.

As the native component is critical, formal verification is also advised, and the tool to be used will be CPAchecker. CPAchecker can formally check for integer overflows and memory safety, as well as violations of user-defined assertions. During the testing phase, overflows and memory safety should be checked with CPAchecker, as should assertions that encode the expected preconditions, provided postconditions and loop invariants written by the developer implementing the functionality.
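To make the three native-component steps above concrete, here is an added example (not code from this project) of how a routine in the native component could be written so that one binary serves all three tools: bounds checks defend against overflow, `assert` calls encode a precondition and a postcondition for CPAchecker, and a stdin-reading `main` is the harness that AFL fuzzes and that Valgrind later replays over AFL's saved queue. The `parse_record` function, its length-prefixed record format, and the inputs in `self_check` are all constructed for illustration; the CPAchecker configuration needed to check the assertions is not specified on this page and is left to the testing team.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 32

/* Hypothetical native-component routine: unpack a length-prefixed record
 * (1-byte length, then payload) into a fixed-size buffer.  Returns the
 * payload length on success, -1 if the record is malformed or too large. */
int parse_record(const uint8_t *in, size_t in_len, uint8_t out[MAX_PAYLOAD])
{
    assert(in != NULL && out != NULL);        /* precondition for CPAchecker */
    if (in_len < 1)
        return -1;                            /* no length byte present */
    size_t len = in[0];
    if (len > MAX_PAYLOAD || len > in_len - 1)
        return -1;                            /* would overflow out / over-read in */
    memcpy(out, in + 1, len);
    assert(len <= MAX_PAYLOAD);               /* postcondition: never wrote past out */
    return (int)len;
}

/* Self-check on constructed inputs: well-formed, truncated, oversized, empty. */
int self_check(void)
{
    uint8_t out[MAX_PAYLOAD];
    const uint8_t ok[]    = { 3, 'a', 'b', 'c' };
    const uint8_t trunc[] = { 5, 'a' };                   /* claims 5 bytes, has 1 */
    uint8_t big[MAX_PAYLOAD + 2] = { MAX_PAYLOAD + 1 };   /* length exceeds buffer */
    if (parse_record(ok, sizeof ok, out) != 3 || out[2] != 'c') return 0;
    if (parse_record(trunc, sizeof trunc, out) != -1) return 0;
    if (parse_record(big, sizeof big, out) != -1) return 0;
    if (parse_record(ok, 0, out) != -1) return 0;
    return 1;
}

/* Fuzz harness: one test case per run, read from stdin, so the same binary
 * serves AFL  (afl-fuzz -i seeds -o findings -- ./harness)  and, afterwards,
 * Valgrind over every file AFL saved in its queue directory
 * (for f in findings/<...>/queue/*; do valgrind ./harness < "$f"; done). */
int main(void)
{
    uint8_t in[4096], out[MAX_PAYLOAD];
    size_t n = fread(in, 1, sizeof in, stdin);
    printf("%d\n", parse_record(in, n, out));
    return 0;
}
```

Build the harness with `afl-gcc` (or `afl-clang`) for the fuzzing run and with plain `gcc -g` for the Valgrind replay, so Valgrind reports clean source locations.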

Client side

The client-side Android application should also be tested for security vulnerabilities. The tool to be used for this purpose is Drozer, developed by F-Secure. Drozer helps audit the security of mobile applications; it contains automated tools (modules) to identify and exploit vulnerabilities.

During the testing phase, Drozer should be used to identify the attack surface of the Android application, and that attack surface should be tested for vulnerabilities using Drozer's modules. One test that should be performed is fuzzing the intents the Android application receives on any of its interfaces (be it an activity, fragment, service, content provider or broadcast receiver), as intents play an integral part in communication between processes.
