Web Developer's Virtual Library: Encyclopedia of Web Design Tutorials, Articles and Discussions
Securing PHP Web Applications

Introduction to Exploit Testing

August 04, 2009

Exploit testing is an important step in making solid code.

Excerpted from Securing PHP Web Applications, by Tricia Ballad and William Ballad. ISBN-10: 0-321-53434-4, ISBN-13: 978-0-321-53434-7. Copyright 2009. Used with the permission of InformIt.

At this point, you've examined your application from several security angles and we hope you've closed a few holes in the process. You've written some automated tests to make sure your code works and will continue to work. Now we find out how effective your input validation and variable sanitization really are by emulating hacker activity in a controlled environment.

What Is Exploit Testing?

Whenever you attempt to harden an application, there are really only two ways to know how effective your work is:

  • Wait and see if your application or server is attacked, and whether the attack is successful or not.
  • Emulate a hacker and try to find weaknesses in your own application or server.

This chapter is all about the second option. We'll show you some tools that will emulate various hacker activities in a controlled environment, then produce reports that pinpoint where the weaknesses in your defenses are.

There are two main goals of exploit testing:

  • Testing the effectiveness of filters and input validation functions
  • Penetration testing

We focus primarily on testing filters and input validation functions, since creating those functions has been the bulk of the work we've done throughout the book. Penetration testing is really outside the scope of this book, which is to give you, the PHP Web application programmer, enough understanding of security concepts and tools to defend your applications against attack, so you can spend more of your time creating and less time cleaning up the mess after a security incident. To really carry out effective penetration testing, you need someone with a deep understanding of hacking methods and the low-level systems hackers exploit. The tools we discuss in this chapter don't replace that level of knowledge and experience, but they will give you a fairly good idea of how secure your application is and where the weaknesses are.

It's important to note before we get started that you have to be very careful when performing exploit testing. This is part of the security field where the line between legitimate work in securing Web sites and applications and hacking is really blurred. You have to go through some of the same processes, and in some cases use the same tools, that hackers use in order to test the secure code you've written. As long as you are only testing your own Web sites and applications, you're solidly on the correct side of that line. Because many of the testing tools are so useful in finding vulnerabilities, hackers use them also. In fact, many of the tools that are used for legitimate exploit testing were originally created by hackers looking for vulnerable Web sites to attack, so you have to be careful about the tools you use and where you get them. Some testing tools are really Trojan horses with hidden virus code that infects your system as soon as you install them. Others are available only from Web sites infected with malicious code.

The tools we demonstrate in this chapter are legitimate and available from safe sources. When you download these tools, make sure you are downloading them from the original sources (which we include in each section) rather than from a third party. The only way you can be sure you are getting the legitimate tool, without any modifications, is by getting it directly from the original vendor.

Now that we've got the warnings out of the way, let's move on to how to test the security of your application.

Fuzzing

Fuzz testing is an extremely simple concept that also happens to be very effective at finding obscure weaknesses in applications. The idea behind fuzzing is that by sending strings of random, or pseudo-random, data at the application, you'll find ways to break it that a human tester wouldn't think of. When we designed our tests in Chapter 14, Introduction to Automated Testing, one of the biggest challenges was trying to think like a hacker whose goal is to break the application. Fuzz testing eliminates the necessity of changing our thought process. The idea is that by throwing large amounts of random data at an application, the fuzz tester will accidentally hit some or all of the boundary conditions inherent in the system.

Fuzz testing isn't a substitute for carefully designed unit and system tests. It's useful because it tests your application from a perspective that's different from that of human-designed tests. The more ways you have of examining and testing your code, the more certain you can be that what you've designed is solid and will stand up to attack. Fuzzers are generally very good at finding these types of vulnerabilities:

  • Buffer overflows
  • Denial of service
  • SQL injections
  • Cross-site scripting

These all have one thing in common: They tend to cause erratic application behavior and server crashes. Fuzzers aren't as useful for finding holes related to weak encryption or information disclosure.
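To make the idea concrete, here is an added example (not code from the book) of a minimal mutation-based fuzz harness in Python, the language PowerFuzzer itself is written in. It feeds pseudo-random variations of a seed corpus through a hypothetical username filter and checks every output against a few invariants; the seed corpus, `sanitize_username`, `weak_sanitize` and the invariants are all constructed for this illustration.

```python
import html, random, re

# Constructed seed corpus: the boundary cases a human tester might list by hand.
SEEDS = ["alice", "", "O'Brien", "<b>bold</b>", "a" * 300, "\x00", "%27", "\r\n"]
ALPHABET = "abc<>'\"&;%=\\/\x00 \n\t0123456789"

def sanitize_username(value):
    """Hypothetical filter under test: bound the length, strip NUL, escape HTML."""
    value = value[:64].replace("\x00", "")
    return html.escape(value, quote=True)

def weak_sanitize(value):  # deliberately inadequate filter, for contrast
    return value.replace("<script>", "")

def mutate(seed, rng):
    """One random edit: insert, delete or replace a character, or duplicate a tail."""
    op = rng.choice(("insert", "delete", "replace", "dup"))
    if op == "insert" or not seed:
        i = rng.randint(0, len(seed))
        return seed[:i] + rng.choice(ALPHABET) + seed[i:]
    i = rng.randrange(len(seed))
    if op == "delete":
        return seed[:i] + seed[i + 1:]
    if op == "replace":
        return seed[:i] + rng.choice(ALPHABET) + seed[i + 1:]
    return seed + seed[i:]

def check_invariants(output):
    """Properties every sanitized value must satisfy; a violation is a finding."""
    failures = []
    if len(output) > 64 * 6:  # 64 chars, each at most a 6-char entity (&quot;)
        failures.append("length bound exceeded")
    if "\x00" in output:
        failures.append("NUL byte survived")
    if re.search(r"[<>\"']", output):
        failures.append("unescaped HTML metacharacter")
    return failures

def fuzz(func, iterations=2000, seed=1):
    """Feed mutated inputs to func; return {input: failures} for every invariant break."""
    rng = random.Random(seed)
    corpus, findings = list(SEEDS), {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        corpus.append(candidate)  # mutations of mutations reach deeper boundary cases
        try:
            failures = check_invariants(func(candidate))
        except Exception as exc:  # a crash is itself a finding
            failures = ["exception: " + type(exc).__name__]
        if failures:
            findings[candidate] = failures
    return findings
```

Running `fuzz(sanitize_username)` returns an empty dict, while `fuzz(weak_sanitize)` returns a dict of inputs that slipped through, which is exactly the kind of report a fuzzer such as PowerFuzzer produces for a whole application.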

There are a lot of fuzz testing tools available, and some are more useful than others. We've had success with one called PowerFuzzer, which we'll demonstrate in the following sections.

Installing and Configuring PowerFuzzer

PowerFuzzer is a Python tool, which means it is OS independent. Follow these steps to install and configure PowerFuzzer:

  1. Go to http://sourceforge.net/projects/powerfuzzer and click the Download PowerFuzzer link, as shown in Figure 1.

    Figure 1 - Click the Download PowerFuzzer link on the PowerFuzzer Web site.

  2. This will take you to the PowerFuzzer download page. Click the Download link, as shown in Figure 2.

    Figure 2 - Click the Download link.

  3. Finally, select a mirror (there's only one, so the choice is pretty easy) and download PowerFuzzer, as shown in Figure 3.

    Figure 3 - Select a mirror to download PowerFuzzer.

  4. After the file downloads, go to http://powerfuzzer.sourceforge.net. Scroll down to the section called "Prerequisites and Installation," as shown in Figure 4. You'll need to install five other packages that PowerFuzzer depends upon. You may already have some or all of these packages:
    • Python 2.5 or greater
    • wxPython 2.8 or greater
    • HTML Tidy library
    • ctypes
    • TidyLib Python wrapper

    Figure 4 - Find the prerequisites section of the PowerFuzzer Web site.

    Be careful to install the latest version of each package.

  5. Run the powerfuzzer.py script to launch PowerFuzzer. The starting screen for PowerFuzzer is shown in Figure 5.

    Figure 5 - The starting screen in PowerFuzzer.

At this point, you've successfully installed PowerFuzzer. In the next section, we'll walk through the process of using PowerFuzzer to test a Web application.
