Welcome to Security Tools for Testers, Part II. In Part I we looked at security tools available to developers, which let them identify security issues early in the development cycle. Let's move up the chain and see what tools testers can leverage when they test web applications.

1. HTTP debugger-type tools (debugging proxies)

Fiddler - Public version v1.2 is available at http://www.fiddlertool.com/fiddler

Single liner = Fiddler allows you to fiddle with HTTP traffic :)

Basically it is an HTTP debugging proxy that logs all HTTP traffic between your computer and the Internet. Fiddler lets you inspect all of that traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler can handle SSL (HTTPS) connections as well, with one caveat that applies to any debugging proxy: it can only show you the inside of an encrypted session if it terminates SSL itself with a certificate the client trusts; otherwise all you will see is the CONNECT tunnel. Fiddler is a tool for security testers who are looking for vulnerabilities in web applications, or in client applications that integrate with the web.

It has powerful features: you can intercept a request, change it and send it on to the server, or intercept a response, change it and then send it to the client. You can even replay a captured session by hand-crafting a custom request. Very cool feature. Now let's get to the key question: which security issues can Fiddler help me identify?

  • Input validation issues - specifically bypassing client-side validation (anything enforced only by the browser, such as an HTML maxlength or a JavaScript check, disappears once you edit the request in the proxy)
  • Cross-site scripting issues - fiddle with the query string, form fields, etc. and watch whether the input comes back unencoded in the response
  • SQL injection issues
  • Authorization issues - e.g. change an account or record identifier in a captured request and see whether the server still honours it
  • Information disclosure
  • Many more.....

IMO, if testers also check for these low-hanging-fruit security issues with tools like Fiddler while doing functional testing of web applications, we can really cut down the number of security issues that make it through to our production systems.
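To make the "intercept, change, resend" workflow concrete, here is an added example (not code from the original post or from the Fiddler project) that does by hand what you would do at a Fiddler breakpoint: take a captured request, set one field to a probe value, rebuild the request with a correct Content-Length, and then check a response for the probe. The captured request, response and host name are constructed for illustration, and the probe values are just common starting points for the issues listed above.

```python
"""
Tampering with a captured request the way you would at a Fiddler breakpoint:
change one field, fix up Content-Length, resend, then check the response for
the probe. The sample request/response below are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Probes for the low-hanging-fruit issues listed above (constructed values)
PROBES = {
    "xss": "<probe12345>",           # look for this string coming back unencoded
    "sqli": "' OR '1'='1",           # classic tautology; watch for errors or extra rows
    "oversize": "A" * 500,           # defeats an HTML maxlength that only the browser enforces
    "other_user": "1002",            # swap an object/user id to test authorization checks
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def build_request(request_line: str, headers: dict, body: bytes) -> bytes:
    """Serialise the request again, recomputing Content-Length for the edited body.

    If you hand-edit a POST body and leave the old Content-Length in place, the
    server reads a truncated or padded body and your probe never arrives intact.
    """
    headers = dict(headers)
    if body or "Content-Length" in headers:
        headers["Content-Length"] = str(len(body))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def tamper(raw: bytes, field: str, payload: str) -> bytes:
    """Return a copy of `raw` with `field` set to `payload`.

    For GET the field is taken from the query string, otherwise from an
    application/x-www-form-urlencoded body; the value is URL-encoded the way
    a browser would encode it.
    """
    request_line, headers, body = parse_request(raw)
    method, target, version = request_line.split(" ")
    if method == "GET":
        parts = urlsplit(target)
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        query[field] = payload
        request_line = f"{method} {urlunsplit(parts._replace(query=urlencode(query)))} {version}"
    else:
        form = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
        form[field] = payload
        body = urlencode(form).encode("latin-1")
    return build_request(request_line, headers, body)


def reflected(response_body: bytes, probe: str) -> bool:
    """True if the server echoed the probe back verbatim (an XSS candidate).

    An encoded echo such as &lt;probe12345&gt; is the safe outcome and is not a hit.
    """
    return probe.encode("latin-1") in response_body


# Constructed sample traffic, in the form Fiddler shows in its session inspector
CAPTURED_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user=alice&password=pw"
)
CAPTURED_GET = b"GET /search?q=shoes&page=2 HTTP/1.1\r\nHost: app.example\r\n\r\n"


if __name__ == "__main__":
    print(tamper(CAPTURED_POST, "user", PROBES["sqli"]).decode("latin-1"))
    print(tamper(CAPTURED_GET, "q", PROBES["xss"]).decode("latin-1"))
    # A constructed vulnerable response: the probe comes back unencoded
    print(reflected(b"<p>No results for <probe12345></p>", PROBES["xss"]))
```

The Content-Length fix-up is the part people forget when editing a POST by hand in a proxy: the server reads exactly as many body bytes as the header says, so a stale value silently truncates or pads your probe. The same `tamper` call with the `other_user` probe on an id field is the quickest authorization check: if the response still succeeds, the server is trusting the client to pick its own identifier.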

[Screenshot: Fiddler]

2. Network Analyzers

NetMon 3.0 has been released and I am in love with this tool :) especially with the powerful filter feature, which lets you filter captured or displayed packets. It has a brand-new user interface and many cool features. Network Monitor is a sniffer that helps you analyze network traffic.

With Network Monitor, you can:

  • Capture frames (packets) directly from the network.
  • Display and filter the captured frames
  • Much more

Network Monitor 3.0 has a command-line tool as well for capturing traffic. You can use 'NMCap.exe' to capture frames without the GUI; it is available in the Network Monitor 3 installation directory.
From a testing perspective, NetMon can help you:

  • verify whether the communication channel is in the clear or encrypted (very important)
  • identify performance bottlenecks

This tool comes in handy when you are reviewing a third-party thick client and are not sure whether the channel it talks on is in the clear or encrypted. Don't take the vendor's word for it, or the fact that it uses port 443, as proof: look at the bytes on the wire in the first data frames of the connection.
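As an added example (not code from the original post or from the Network Monitor team), here is the check I would run on the first bytes a thick client sends after the TCP handshake, once you have pulled them out of the capture: is it a TLS/SSL record, a cleartext protocol, or something binary you cannot vouch for? The sample payloads are constructed; the TLS detection relies only on the public record-header layout, and the "binary" verdict deliberately does not count as "encrypted".

```python
"""
A first cut at the "is this channel in the clear or encrypted?" check, applied to
the first bytes a client sends on a TCP connection. The payloads below are constructed
samples; in practice you would take them from the TCP payload of the first data frame
in a Network Monitor (or NMCap) capture of the thick client's connection.
"""

# TLS/SSL3 record header: content type, then version 0x03 0x00..0x03, then length
TLS_RECORD_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
SENSITIVE = (b"password", b"passwd", b"pass ", b"pwd=", b"authorization: basic")


def classify_payload(payload: bytes) -> str:
    """Classify the opening bytes of a client->server stream.

    Returns "tls" (SSL 3.0 / TLS record), "ssl2-hello" (SSLv2-style ClientHello
    some older clients still send), "http-plaintext", "plaintext" (mostly
    printable, some other text protocol) or "unknown/binary".
    """
    if (len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    # SSLv2 record: high bit of the 2-byte length set, then message type 1 (ClientHello)
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return "ssl2-hello"
    if payload.startswith(HTTP_METHODS):
        return "http-plaintext"
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    if payload and printable / len(payload) > 0.9:
        return "plaintext"
    return "unknown/binary"


def find_secrets(payload: bytes, keywords=SENSITIVE) -> list:
    """Sensitive tokens visible in a cleartext payload (case-insensitive match)."""
    low = payload.lower()
    return [k.decode() for k in keywords if k in low]


def report(payload: bytes) -> str:
    """One-line verdict a tester can paste into a bug: encrypted, or what leaks."""
    kind = classify_payload(payload)
    if kind in ("tls", "ssl2-hello"):
        return f"{kind}: encrypted channel (check certificate validation separately)"
    if kind == "unknown/binary":
        return "unknown/binary: not a known protocol; treat as unverified, not as encrypted"
    leaks = find_secrets(payload)
    return f"{kind}: CLEARTEXT" + (f", leaks {leaks}" if leaks else "")


# Constructed samples
TLS_HELLO = b"\x16\x03\x01\x00\x26\x01\x00\x00\x22\x03\x03" + bytes(32)  # truncated ClientHello
PLAIN_HTTP = b"POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=alice&password=hunter2"
FTP_LOGIN = b"USER alice\r\nPASS hunter2\r\n"
BINARY_PROTO = b"\x02\x00\x1a\x7f\xde\xad\xbe\xef"   # some proprietary framing, or a cipher

if __name__ == "__main__":
    for sample in (TLS_HELLO, PLAIN_HTTP, FTP_LOGIN, BINARY_PROTO):
        print(report(sample))
```

Two things worth keeping in mind when you read the verdicts: a TLS record only tells you the client negotiated encryption, not that it validated the server certificate (test that separately by pointing it at a host with a bogus certificate), and a binary-looking stream is just as likely to be a proprietary framing format as a cipher, so "I couldn't read it in NetMon" is not evidence of encryption.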

Where to find Network Monitor 3.0? Simply click the link below :)

http://blogs.technet.com/netmon/default.aspx  

Cheers,

Anmol Malhotra