Saturday, February 23, 2019

Easy Free Automation Part VI: Security Tests

Often when people think of security testing, they think of complicated software scans, request intercepts, and IP address spoofing.  But some of the most crucial application security testing can be done simply through making API requests.  In this week's post, I'm taking a look at examples of authentication testing, authorization testing, and field validation testing.

As I have in every post in this Easy Free Automation series, I've created an example that you can download here.  This is a simple json file that can be run with Newman.  As you recall from Easy Free Automation Part III: Services Tests, Newman is the command-line runner for Postman, my favorite API testing tool.  If you need to install Postman or Newman, take a look at that post.

For my test application, I'm using the awesome Restful-Booker API.  It's worth noting that this API does come with some intentional bugs, two of which I'll mention below.

The json file I've made available on Github is for the test collection.  I didn't include an environment file this week, because I didn't need to store any variables.  Once you have downloaded the json file, open a command window, change directories to get to the directory where the file is stored, and type newman run easyFreeSecurityTests.json. You should see sixteen tests run and pass.

Let's take a look at the kinds of tests we're running.  The tests will be easier to interpret if you upload them into Postman; take a look at this post if you need help doing that.

The first six tests in the collection are authentication tests.  I am verifying that I can't log in with invalid credentials.  But I'm verifying six different invalid username and password combinations:

  • Create token with empty username
  • Create token with invalid username
  • Create token with empty password
  • Create token with invalid password
  • Create token with empty username and password
  • Create token with invalid username and password

This may seem like overkill, but I have actually encountered bugs where a user can log in if the password field is blank, and where a user can log in if both the username and password are incorrect. 

The assertion I am using for each of the six authentication tests is the following:

pm.test("Bad credential message returned", function () {
    pm.expect(pm.response.text()).to.include("Bad credentials");
});

Ordinarily I would assert that the response code I was getting was a 401, but since this request is (incorrectly) returning a 200, I'm instead verifying the text of the response: "Bad credentials".  (For more information on HTTP error codes, see this post.)

The next six tests in my collection are authorization tests.  There are three actions in the Restful-Booker that require a valid token: Put, Patch, and Delete.  So for each of these requests, I'm testing that I cannot run the request with a missing token, and I cannot run the request with an invalid token:

  • Update booking with no token
  • Update booking with invalid token
  • Partial update booking with no token
  • Partial update booking with invalid token
  • Delete booking with no token
  • Delete booking with invalid token

For each of these requests, I am asserting that I receive a 403 status code as a response:

pm.test("Status code is 403", function () {
    pm.response.to.have.status(403);
});

If a developer makes a change to the code and accidentally removes the token requirement for one of these operations, automated tests like these will discover the error right away, because the response code will change to a 200 or a 201.

Finally, I have four field validation tests.  I would like to have more tests here, but because some of the fields in this API aren't validated, I'm sticking to the date fields.  In each of these tests, I am sending in an invalid date:

  • Create booking invalid checkin month
  • Create booking invalid checkin day
  • Create booking invalid checkout month
  • Create booking invalid checkout day

In each of these tests, I am validating that I receive an invalid date message:

pm.test("Invalid date response", function () {
    pm.response.to.have.body("Invalid date");
});

Field validation might not seem like a security concern, but unvalidated input is one of the easiest ways to attack an application, for example by entering a script for XSS or a SQL command for SQL injection.  By verifying that the application's input fields accept only certain data types or formats and only a limited number of characters, we go a long way towards protecting ourselves from these attacks.

Astute readers will have noticed that we could also have date field validation on the PUT requests that update a booking, and the PATCH requests that partially update a booking.  And of course, if the other fields such as First Name and Last Name had validation (as they should), we would want to test that validation as well.
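The three assertion patterns above (authentication, authorization and field validation) as an added example that is not from the original post: the same checks written as plain JavaScript functions so they can be run under Node against responses captured from the API. The sample responses are constructed, and the helper names (`checks`, `runSecurityChecks`) are my own.

```javascript
// Added example, not from the original post: the post's three Postman
// assertions as plain functions that run under Node against responses
// captured from the Restful-Booker API. Response shapes are constructed.

// Authentication: the "Bad credential message returned" check. Because the
// API (incorrectly) answers 200, the post matches body text only; the flag
// lets the check be tightened to also require 401 once that is fixed.
function badCredentialsRejected(res, requireUnauthorized = false) {
  const bodyOk = res.body.includes("Bad credentials");
  return requireUnauthorized ? bodyOk && res.status === 401 : bodyOk;
}

// Authorization: the "Status code is 403" check for PUT, PATCH and DELETE
// sent with a missing or invalid token. A 200 or 201 here means the token
// requirement was dropped, the regression the post warns about.
function tokenRequired(res) {
  return res.status === 403;
}

// Field validation: the "Invalid date response" check. Like
// pm.response.to.have.body, this matches the whole body, not a substring.
function invalidDateRejected(res) {
  return res.body === "Invalid date";
}

const checks = {
  authentication: badCredentialsRejected,
  authorization: tokenRequired,
  validation: invalidDateRejected,
};

// Applies the check for each result's kind; returns the failing test names.
function runSecurityChecks(results) {
  return results.filter((r) => !checks[r.kind](r.res)).map((r) => r.name);
}

// Constructed sample results: one per test class from the post, plus a
// DELETE that wrongly succeeded without a token.
const sampleResults = [
  { name: "Create token with empty password", kind: "authentication",
    res: { status: 200, body: '{"reason":"Bad credentials"}' } },
  { name: "Update booking with no token", kind: "authorization",
    res: { status: 403, body: "Forbidden" } },
  { name: "Delete booking with no token", kind: "authorization",
    res: { status: 201, body: "Created" } },
  { name: "Create booking invalid checkin month", kind: "validation",
    res: { status: 200, body: "Invalid date" } },
];
console.log("Failing tests:", runSecurityChecks(sampleResults));
```

With Node 18 or later, real results can be gathered with the global `fetch` as `{ status: r.status, body: await r.text() }` and passed to `runSecurityChecks` in place of the constructed array.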

Running simple repetitive tests like this is not particularly glamorous and will never make headlines.  But it's simple tests like these that can catch a security problem way before it becomes an issue.  Just recently I was alerted that some tests I had set up to run nightly in a QA environment were failing.  Upon investigation, I discovered that my test user was now able to access information belonging to another user.  If I hadn't had authorization tests in place, that security hole might have been missed and might have made it to production.  

Next week, we'll move on to Easy Free Load Tests!


35 comments:

  1. Hi Kristin, great post!

    I would just add to this post a disclaimer that this example does not represent all security tests that could be done. For example, SQL injections could also be used to override the authentication feature.

    Regards, Karlo.

    Replies
    1. Hi Karlo- I'm glad you enjoyed this post! I totally agree that these API tests do NOT represent all the security testing that should be done on an application. The point of my "Easy Free Automation" series is to give people simple ways to get started with the eight types of testing on the Automation Test Wheel. From those starting points, testers can then expand their skills. I've written a number of posts about XSS, SQLi, and other security concerns; you can find those posts in May-July 2018.
