Category Archives: security

One character to rule them all

Reading Time: 1 minute

TL;DR

In this post I will give an example of how a single character can make a significant difference to the security of a Django web application.

The issue is SQL injection. When I test for SQL injection and have access to the client's codebase (which can save the client a significant amount of money), I first search the code for raw SQL. I use simple Unix utilities, grep and less:

grep -H -r 'what_you_search' * | less

In a Django codebase, search for the raw function, because it accepts raw SQL as input.

Learn the proper way to pass SQL parameters to that function. For Django's raw, this is the proper way:

>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])

I searched the codebase and found the following:

>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s' % lname)

Have you noticed the difference? A % instead of a ,

Here is how you can easily construct strings in Python (Django is a Python framework):

"welcome sql injection %s" % hacker_string

This simply substitutes hacker_string for %s. It does not check hacker_string for possible SQL injection, which the raw function does, but only when the user input is passed as a raw function parameter, as explained in the documentation.

%, one character to rule them all!
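Added example, not code from the original post: the two raw() call styles above reproduced against Python's stdlib sqlite3 module so the difference can be run offline (sqlite3 uses ? placeholders where Django's raw() uses %s; the table, rows and the sample source text are constructed), plus the grep heuristic as a small scanner that flags .raw( calls whose SQL text is assembled with %, .format() or an f-string.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for Django's myapp_person table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myapp_person (id INTEGER PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO myapp_person (last_name) VALUES (?)",
                     [("Doe",), ("O'Brien",)])
    return conn

def find_by_last_name_unsafe(conn, lname):
    # The % pattern from the post: the value is pasted into the SQL text before
    # the database sees it, so the database cannot tell data from SQL code.
    # (Quotes added around %s so ordinary input works; that is how this bug
    # usually looks in real code.)
    sql = "SELECT last_name FROM myapp_person WHERE last_name = '%s'" % lname
    return [row[0] for row in conn.execute(sql)]

def find_by_last_name_safe(conn, lname):
    # The parameter-list pattern: the value is bound by the driver and is never
    # parsed as SQL, whatever characters it contains. (? is sqlite3's
    # placeholder; Django's raw() takes %s with the same params-list shape.)
    sql = "SELECT last_name FROM myapp_person WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, [lname])]

def compare(lname):
    """Run both variants on a fresh database.
    Returns (safe_rows, unsafe_rows) or, when the input has turned the unsafe
    query into invalid SQL, (safe_rows, "OperationalError")."""
    conn = make_db()
    safe = find_by_last_name_safe(conn, lname)
    try:
        unsafe = find_by_last_name_unsafe(conn, lname)
    except sqlite3.OperationalError:
        unsafe = "OperationalError"
    return safe, unsafe

# The grep heuristic as code: a .raw( call whose SQL string is built with
# % formatting, .format() or an f-string is a candidate for manual review.
FORMATTED_SQL = re.compile(r"""['"]\s*%\s*[\w(]|\.format\(|\bf['"]""")

def find_risky_raw_calls(source):
    """Return (line_no, stripped_line) for every suspicious .raw( call."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if ".raw(" in line and FORMATTED_SQL.search(line):
            hits.append((no, line.strip()))
    return hits

# Constructed sample source: one safe call, three that need review.
SAMPLE_SOURCE = """\
safe = Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])
risky = Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s' % lname)
risky2 = Person.objects.raw("SELECT * FROM myapp_person WHERE id = {}".format(pk))
risky3 = Person.objects.raw(f"SELECT * FROM myapp_person WHERE id = {pk}")
"""

if __name__ == "__main__":
    print(compare("Doe"))        # (['Doe'], ['Doe'])
    print(compare("O'Brien"))    # (["O'Brien"], 'OperationalError')
    for no, line in find_risky_raw_calls(SAMPLE_SOURCE):
        print(f"line {no}: {line}")
```

A surname with an apostrophe is enough to show the point: the bound parameter returns the row, while the interpolated query is no longer valid SQL, and an input chosen by someone else would not merely break it. The scanner is only a triage aid; every hit still needs a human to read the call.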


How to smart test minor version Ruby on Rails upgrade?

Reading Time: 1 minute

TL;DR

In this post I will explain what should be checked after a Ruby on Rails minor version upgrade. Minor version upgrades are usually connected with security releases.

As I am subscribed to the Ruby on Rails security Google group, when I receive information about the latest security issue I need to act very fast. The update must be pushed to production almost immediately, so there is no time for extensive regression testing.

How can we do a quick test and be sure that everything still works as before the upgrade?

Heuristic 1. The Rails upgrade itself was extensively regression tested.

That heuristic has proved to be always true.

Heuristic 2. Inspect Gemfile.lock to be sure that only the Rails gem was upgraded.

How do we actually upgrade Ruby on Rails?

Edit the Gemfile to pin the new version:

gem 'rails', '4.2.5.2'

then run:

bundle update rails

Inspect the Gemfile.lock changes using git diff to see what else was updated besides Rails. If some other gem (not part of Rails) was also updated, use a Google search to check for known issues with that gem connected to the Rails upgrade.
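Added example, not code from the original post: an offline check for Heuristic 2. Two constructed Gemfile.lock snippets (before and after `bundle update rails`; the gem set and the nokogiri versions are made up for the example, the Rails versions are the ones from the post and its predecessor) are parsed and compared, and any gem whose version changed that is not part of the Rails framework itself is reported, which is exactly the list you then take to a search engine. Python is used here for the text parsing only; nothing Rails-specific runs.

```python
import re

# Gems that ship as part of Rails; a version bump here is the upgrade itself.
RAILS_FAMILY = {
    "rails", "railties", "activesupport", "activemodel", "activerecord",
    "actionpack", "actionview", "actionmailer", "activejob",
}

# In the `specs:` section every resolved gem is indented by exactly four
# spaces: "    name (version)". Deeper-indented lines are its dependencies.
SPEC_LINE = re.compile(r"^ {4}(\S+) \(([^)]+)\)\s*$")

def parse_lockfile(text):
    """Return {gem_name: version} for the resolved gems in a Gemfile.lock."""
    versions = {}
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and line and not line.startswith(" "):
            in_specs = False  # next top-level section (PLATFORMS, DEPENDENCIES)
        m = SPEC_LINE.match(line) if in_specs else None
        if m:
            versions[m.group(1)] = m.group(2)
    return versions

def changed_gems(before_text, after_text):
    """Return {gem: (old, new)} for every gem whose version differs,
    including gems that were added (old None) or removed (new None)."""
    before = parse_lockfile(before_text)
    after = parse_lockfile(after_text)
    changes = {}
    for gem in sorted(set(before) | set(after)):
        if before.get(gem) != after.get(gem):
            changes[gem] = (before.get(gem), after.get(gem))
    return changes

def non_rails_changes(before_text, after_text):
    """The gems Heuristic 2 wants you to look at: changed, but not Rails itself."""
    return {g: v for g, v in changed_gems(before_text, after_text).items()
            if g not in RAILS_FAMILY}

# Constructed lockfile snippets: the Rails gems move 4.2.5.1 -> 4.2.5.2 as
# intended, but bundler also pulled a newer nokogiri along.
BEFORE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (4.2.5.1)
      activesupport (= 4.2.5.1)
      rack (~> 1.6)
    activesupport (4.2.5.1)
      i18n (~> 0.7)
    i18n (0.7.0)
    nokogiri (1.6.7.1)
    rack (1.6.4)
    rails (4.2.5.1)
      actionpack (= 4.2.5.1)
      activesupport (= 4.2.5.1)

PLATFORMS
  ruby

DEPENDENCIES
  nokogiri
  rails (= 4.2.5.1)
"""
AFTER_LOCK = BEFORE_LOCK.replace("4.2.5.1", "4.2.5.2").replace("nokogiri (1.6.7.1)",
                                                                "nokogiri (1.6.7.2)")

if __name__ == "__main__":
    for gem, (old, new) in non_rails_changes(BEFORE_LOCK, AFTER_LOCK).items():
        print(f"review: {gem} {old} -> {new}")
```

In a real repository the two texts come from `git show HEAD:Gemfile.lock` and the working copy after `bundle update rails`; an empty result means only Rails moved and Heuristic 2 is satisfied.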

Heuristic 3. Search Google for issues (bugs, problems) with the Ruby on Rails upgrade to version n.n.n.n.

Conclusion.

For minor Ruby on Rails upgrades, using these three heuristics you can do the regression test in a smart and quick way.


How to set regression test scope for HTTPS only access?

Reading Time: 2 minutes

TL;DR

In this post I will give an example of how to set the scope of a system regression test so that it covers the features that need to be tested.

Context

The trigger for the system regression test was HTTPS-only access to the client's Ruby on Rails application. Prior to that feature, it was possible to use both the HTTP and HTTPS protocols. The developers use TDD, and prior to my test all developer tests passed in the CircleCI environment.

There was also a set of selenium-webdriver tests, but those tests do not cover all application features.

My strategy was to include them in the regression test. All tests passed. But the regression test was not finished yet.

I did not know all the application features at that time, so I started a risk analysis: which features could fail if the HTTPS-only protocol was introduced to the web application? Let's call OWASP for help.

There is a transport layer cheat sheet. Reading through the rules, I pinpointed those that were a potential risk to application functionality:

  • Do Not Mix TLS and Non-TLS Content – because modern browsers will AUTOMATICALLY block non-HTTPS URLs loaded from an HTTPS page.
  • Use a Certificate That Supports Required Domain Names – if this is not the case for your application, the browser will present a security error to the user.

The first risk could be checked by using the application in Chrome and watching the JavaScript console for mixed content errors. Could I automate that task? My first thought was: write a selenium-webdriver test suite that covers all the features! But I did not have that time. Was there a simpler way?

My heuristic was to search the whole codebase for the keywords HTTP and IFRAME.

grep -H -r 'iframe' * | grep http:// | grep -v elements.txt | grep -v 'README.md' | less

That pipeline searched through the whole codebase from the terminal and returned the code that uses mixed content.

And we discovered an additional issue: it was not possible to immediately switch all HTTP URLs to HTTPS. Those URLs referenced external applications, like a blog. For example, in order to serve this blog over HTTPS I need to buy another plan that costs more money, and I need a certificate for the tentamen.eu domain. Which brings us to the second risk.

Use a certificate that supports the required domain names. This is an environment-dependent test. The risk was mitigated in my testing environment, but I should also check it in the production environment (production is hosted on a different domain).
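Added example, not code from the original post, covering both risks above. Part one is the grep heuristic as code: it scans constructed template text for http:// references in iframe, script, img and link tags and splits them into first-party URLs (which can simply be switched to https) and third-party ones (where the external site has to serve HTTPS itself, the blog case above). Part two is the environment-dependent certificate check: given a constructed list of certificate names and the host each environment is served from, it reports the environments whose host no certificate name covers. All hostnames and the template lines are made up.

```python
import re
from urllib.parse import urlsplit

# Tags whose src/href is fetched by the browser; only plain http:// is a hit.
TAG_WITH_URL = re.compile(
    r"<(iframe|script|img|link)\b[^>]*?\s(?:src|href)\s*=\s*['\"](http://[^'\"]+)['\"]",
    re.IGNORECASE,
)

def find_mixed_content(template_text, app_host):
    """Return (first_party, third_party): lists of (line_no, tag, url) for every
    plain-http resource reference, split by whether the host is our own."""
    first_party, third_party = [], []
    for no, line in enumerate(template_text.splitlines(), 1):
        for m in TAG_WITH_URL.finditer(line):
            tag, url = m.group(1).lower(), m.group(2)
            host = urlsplit(url).hostname or ""
            bucket = first_party if host == app_host else third_party
            bucket.append((no, tag, url))
    return first_party, third_party

def hostname_matches(cert_name, host):
    """Certificate name match as browsers apply it: exact match, or a single
    '*' standing for the whole leftmost label only (no partial or deep wildcards)."""
    cert_name, host = cert_name.lower(), host.lower()
    if "*" not in cert_name:
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    if len(c_labels) != len(h_labels) or c_labels[0] != "*":
        return False
    return c_labels[1:] == h_labels[1:]

def uncovered_hosts(san_names, hosts_by_env):
    """For each environment, the host that no certificate name covers."""
    return {env: host for env, host in hosts_by_env.items()
            if not any(hostname_matches(n, host) for n in san_names)}

# Constructed template lines: two first-party http references, two external ones,
# and one resource that is already on https and must not be reported.
SAMPLE_TEMPLATE = """\
<iframe src="http://app.example.com/widgets/calendar"></iframe>
<script src="https://cdn.example.net/lib.js"></script>
<img src="http://app.example.com/logo.png" alt="">
<iframe width="600" src="http://blog.example.net/embed"></iframe>
<link rel="stylesheet" href="http://fonts.example.net/css">
"""

# Constructed certificate names and per-environment hosts: the test environment
# is covered by the wildcard, production lives on a domain the cert does not name.
SAN_NAMES = ["app.example.com", "*.staging.example.com"]
HOSTS_BY_ENV = {"test": "app.staging.example.com", "production": "app.example.org"}

if __name__ == "__main__":
    first, third = find_mixed_content(SAMPLE_TEMPLATE, "app.example.com")
    print("switch to https:", first)
    print("needs the external site to support https:", third)
    print("certificate gaps:", uncovered_hosts(SAN_NAMES, HOSTS_BY_ENV))
```

The first list is a mechanical fix; the second is a list of conversations with other people (or, as in the blog case, a bill), which is why it is worth separating the two before scoping the test. The certificate check is deliberately run per environment, since passing on the test domain says nothing about production.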

Doing risk analysis is fun. You will learn something new and, most importantly, you will properly set the scope of your regression test.


How to automate remember me feature using selenium webdriver and cucumber

Reading Time: 2 minutes

TL;DR

In this post I will explain the problems I encountered, and how I resolved them, while designing an automated test for the remember me feature.

The context of this post is automation of end-to-end features that are visible to the user via the browser. You will see the remember me checkbox on your login page, but that is where the visibility of this feature ends.

How does the remember me feature actually work?

If you do not check remember me, then when you close the browser after you have finished using the web application, the next time you come back you will need to log in again.

If you check remember me, then when you close the browser and come back to the application, you will be automatically logged in.

The magic behind this feature is cookies. The cookie contains the session for your application and information about how long that session cookie is valid. The server side creates the cookie, but the browser must act on the information in it.

So when you test the remember me feature, you are actually testing both browser and web application features.

First issue in test design

To make browser automation tests run faster, I do not close the browser between scenarios (Watirmelon's first page object anti-pattern). But in order to test the remember me feature, you need to close the browser. Here is the code that should be put in the cucumber env.rb file to resolve this issue:

Second issue: scenario run order dependency

But that solution introduces another anti-pattern: now the scenarios from the remember me feature file must always run in the same order:

That means you cannot use the following cucumber run option:

cucumber --order random:5738 remember_me.feature

Here is the step that loads the cookies:

Third issue: selenium webdriver cookie domains

In my first implementation, in the env.rb file, I simply saved all browser cookies to a file. But when I loaded those cookies, I got the following exception:

Note: from that exception I learned that the Firefox webdriver is actually a Firefox extension written in JavaScript. That extension is automatically installed in Firefox before the test run.

And here is the line of code that produces the exception:

Observe the comment on line 8 🙂 To me it implies that the developer did not know how to properly implement the cookie domain check. But as it is an open source project, we will forgive him.

The issue here was that the Google Analytics cookies had the following cookie domain value:

.app.domain.com

while the application domain was:

app.domain.com

The Google Analytics cookie domain was rejected by the Firefox webdriver. So before saving the cookie values to the file, I deleted the Google Analytics cookies.
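Added example, not code from the original post: the cookie bookkeeping the post describes, in plain Python so it runs without a browser. Cookies are modelled as dicts loosely shaped like the hashes selenium-webdriver's cookie API returns (the key names are an assumption, as are all cookie names and values). It shows which cookies survive a browser close (the persistent ones, so remember me works only if the login token is persistent), and the filter for what the env.rb hook should save between scenarios: persistent cookies scoped to exactly the application domain, which drops the leading-dot analytics cookies the Firefox driver refused.

```python
import json

# Fixed "now" so the constructed expiries below are reproducible.
NOW = 1_700_000_000
DAY = 86_400

# Constructed cookies: the session cookie has no expiry, the remember token is
# persistent, and the analytics cookies carry a leading-dot domain.
SAMPLE_COOKIES = [
    {"name": "_app_session", "value": "constructed-session-id",
     "domain": "app.domain.com", "path": "/", "expiry": None, "secure": True},
    {"name": "remember_token", "value": "constructed-remember-token",
     "domain": "app.domain.com", "path": "/", "expiry": NOW + 14 * DAY, "secure": True},
    {"name": "_ga", "value": "GA1.2.constructed",
     "domain": ".app.domain.com", "path": "/", "expiry": NOW + 730 * DAY, "secure": False},
    {"name": "_gat", "value": "1",
     "domain": ".app.domain.com", "path": "/", "expiry": NOW + 60, "secure": False},
]

def cookies_after_browser_close(cookies, now=NOW):
    """What the browser still has after being closed and reopened: only
    persistent cookies whose expiry is still in the future. Without remember
    me the session cookie is gone and the user must log in again."""
    return [c for c in cookies if c.get("expiry") is not None and c["expiry"] > now]

def persistable_cookies(cookies, app_domain, now=NOW):
    """Cookies worth writing to the file between scenarios: persistent, and
    scoped to exactly the application domain. The leading-dot analytics
    cookies are dropped here, which is the fix the post arrived at."""
    return [c for c in cookies_after_browser_close(cookies, now)
            if c.get("domain") == app_domain]

def save_cookies(cookies, app_domain, now=NOW):
    """Serialise the kept cookies; the env.rb hook would write this to disk."""
    return json.dumps(persistable_cookies(cookies, app_domain, now))

def load_cookies(blob):
    """Read the cookies back, ready to be added to a fresh browser one by one."""
    return json.loads(blob)

def remembered(cookies, token_name="remember_token"):
    """True when a persistent login token survived, i.e. auto-login will happen."""
    return any(c["name"] == token_name for c in cookies)

if __name__ == "__main__":
    kept = load_cookies(save_cookies(SAMPLE_COOKIES, "app.domain.com"))
    print([c["name"] for c in kept], "remembered:", remembered(kept))
```

Filtering on an exact domain match (rather than just deleting known analytics names) also keeps the saved file from growing a cookie for some other host that a later scenario would then try to add and fail on.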

Conclusion

I am moving this blog from Blogger. While I was publishing this post, I discovered that WordPress needs a plugin in order to embed gists in posts. Blogger had that feature out of the box.

Heuristic for finding the proper WordPress plugin: install the one that has more stars.
