Many people know that the technology learned in school, the technology of start-ups, the technology of outsourcing companies, and the technology of self-developed companies are very different from the technology of big Internet companies. Almost all people in the Internet circle have a “big factory dream”, because entering a big factory means more advanced technology, higher salary, better colleagues and leaders, and better growth space. Even if you come out of a big factory, it will be much easier to find a job in the future.
Today, we will be closer to the big factory and learn from AlibabaAlibaba group web security testing specification
In order to avoid security risks, standardize the security development of code, and how to systematically conduct security testing, there is a lack of corresponding theory and method support. To this end, we have formulated the “security test specification”, which allows testers to systematically conduct rapid security tests on the tested system against common security vulnerabilities or attacks.
The readers and users of this specification are mainly testers, developers, etc.
Scope of application
This specification is mainly aimed at the web application system based on general server as an example, and other systems can also be referred to. The following figure illustrates a typical web application system based on general server:
The method in the specification is mainly aggressive testing. In addition to covering the common web security testing methods in the industry, it also draws on some industry best security practices.
The position of safety testing in the overall process of the project
It is generally recommended to complete the security test requirements analysis and test design according to the product implementation architecture and security requirements before the integration test, and prepare the security test cases.
After the integration version is officially transferred to the test, the security test can be carried out. If the product quality is unstable and there are many functional problems in the early stage, the safety test can be postponed appropriately.
Web security test method
Safety function verification
Function verification adopts the black box test method in software testing to test the software functions related to security, such as user management module, authority management module, encryption system, authentication system, etc., mainly to verify whether the above functions are effective and there are no security vulnerabilities. The specific method can use the black box test method.
Vulnerability scanning refers to a security detection (penetration attack) behavior that detects the security vulnerability of a specified remote or local computer system by scanning based on the vulnerability database and finds exploitable vulnerabilities.
Vulnerability scanning technology is an important network security technology. It cooperates with firewall and intrusion detection system, which can effectively improve the security of the network. By scanning the network, the network administrator can understand the security settings and running application services of the network, discover security vulnerabilities in time, and objectively evaluate the network risk level. Network administrators can correct network security vulnerabilities and wrong settings in the system according to the scanning results, and take precautions before hacker attacks. If firewall and network monitoring system are passive defense means, then security scanning is an active preventive measure, which can effectively avoid hacker attacks and prevent them before they happen.
Introduction to appscan tool
Appscan scanning tool can only detect some common vulnerabilities (such as cross site scripting, SQL injection, etc.), which are not aimed at user code, that is, it cannot understand business logic and make further business judgments on these vulnerabilities. Often the most serious security problem is not common vulnerabilities, but attacks against business logic and applications through these vulnerabilities.
At present, the web is divided into “application” and “web service”. Application refers to web application in the general sense, and web service is a service-oriented architecture technology, which provides services through standard web protocols (such as HTTP, XML, soap, WSDL).
How appscan works
1. Discover the entire web application structure by searching (crawling).
2. According to the analysis, send the modified HTTP request for attack attempts (scan the rule base).
3. Verify whether there are security vulnerabilities through the analysis of response.
Test cases and specifications
Test cases and specifications can be divided into active mode and passive mode. In the passive mode, the tester understands the application logic as much as possible: for example, use tools to analyze all HTTP requests and responses, so that the tester can master all the access points of the application (including HTTP headers, parameters, cookies, etc.); In the active mode, testers try to penetrate the application and its system, background, etc. as hackers, which may cause data destruction, denial of service, etc. Generally, testers need to be familiar with the target system, that is, the test in passive mode, and then carry out further analysis, that is, the test in active mode. The active test will directly interact with the tested target, while the passive test does not need it. Refer to the following schematic diagram
Test tools involved in this specification
The application and use of security tools should comply with the relevant provisions of the company on information security.
AppScanIBM Rational appscan, an automated scanning tool used in web security testing
WebScarabWeb proxy software can edit and modify the communication data between the browser and the web server
DirBusterTools used to traverse directories and files in web security testing
WSDiggerWeb service security testing tool
JadJava class file decompiler
CAJAVAJava class file decompiler software (compatible with multiple JDK versions)
PangolinSQL injection test tool
WireSharkNetwork protocol capture and analysis tool
The expert version of Alibaba web security testing specification can be downloaded here
>> > learning route + reading notes + test practical dry goods selection summary, you canPay attention to my official account to see the details. It is the minimum standard for official account to do “valuable output” for a long time. Thank you for reading.
>> > discuss and exchange together, learn software testing technology together, and enter the Q group for testing. There are supporting tutorials and technical documents we collect for self-study partners. Please click here「Check the bulletin board」Join the community (← you can click directly to the announcement Office)
Recommendation of previous technical articles