QA Design Gurus: Fiddler for Security Testing

Jul 10, 2015

Fiddler for Security Testing

In today's cloud world every application is a web application, and each application has many components. Every component communicates with other components. 

Inter-component communication requires authentication, and this is generally done with a security token. Some people generate this token from the current date and time, with the token valid for a fixed period (e.g., 20 minutes).

If the token is derived only from the current date and time, anybody who knows the time can generate the same token and perform any action on the application without real authentication. Logging is a common case: people often do not think much about security there and accept this kind of token to log information without any other authentication.

Most cloud vendors offer both public cloud and private cloud editions of their applications. If both use this kind of security token, an attacker may take a token generated by the private cloud application and use it against the public cloud application, performing any action until that token expires.
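A worked example, added here and not taken from the post or from Fiddler, that contrasts the time-derived token described above with a token whose expiry and issuing deployment are bound by an HMAC under a per-deployment key. The key bytes and the deployment names "private" and "public" are constructed for the example.

```python
import hashlib
import hmac
import time

TOKEN_TTL_SECONDS = 20 * 60  # 20-minute validity window, as in the post

# Constructed per-deployment keys; a real deployment would load these from a secret store.
PRIVATE_CLOUD_KEY = b"constructed-private-cloud-key"
PUBLIC_CLOUD_KEY = b"constructed-public-cloud-key"


def weak_token(now: int) -> str:
    """The scheme the post warns about: the token is a hash of the current
    time window and nothing else. No secret is involved, so any party that
    knows the approximate time produces the identical value."""
    window = now // TOKEN_TTL_SECONDS
    return hashlib.sha256(str(window).encode()).hexdigest()


def issue_token(key: bytes, deployment: str, now: int) -> str:
    """Hardened form: the expiry and the issuing deployment are bound to an
    HMAC under that deployment's key, so the token cannot be recomputed
    without the key or replayed against another deployment."""
    expires = now + TOKEN_TTL_SECONDS
    payload = f"{deployment}:{expires}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_token(key: bytes, deployment: str, token: str, now: int) -> bool:
    """Accept only a well-formed, unexpired token whose tag verifies under
    this deployment's key and whose deployment field matches."""
    try:
        issuer, expires_str, tag = token.split(":")
        expires = int(expires_str)
    except ValueError:
        return False  # malformed token
    payload = f"{issuer}:{expires}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged, tampered, or minted under another deployment's key
    if issuer != deployment:
        return False  # private-cloud token presented to the public cloud (shared-key case)
    return now < expires  # still inside its validity window


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token(PRIVATE_CLOUD_KEY, "private", now)
    print("private cloud accepts:", verify_token(PRIVATE_CLOUD_KEY, "private", tok, now))
    print("public cloud accepts:", verify_token(PUBLIC_CLOUD_KEY, "public", tok, now))
```

Recording the same request twice in Fiddler and comparing the token field is the quick check: a value that only changes with the clock, with no secret behind it, is the weak scheme.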

To verify or test for this kind of security defect we need a tool that lets us find the security tokens in transit. Fiddler is an HTTP(S) traffic recorder: with it we can record all HTTP(S) requests and responses.


Automate SSL decryption

With Fiddler it's up to you to decide which HTTP(S) requests and responses to decrypt and which to leave alone. If the decryption feature is enabled, you can choose which processes' traffic is decrypted automatically. You can select between:
  • All processes
  • Browsers only
  • Non-Browsers
  • Remote clients
Use the process filter to avoid decrypting traffic you do not care about; such traffic is easily excluded with this option.

Fiddler security add-ons

Fiddler can help you achieve many security testing goals: Eric Lawrence, the creator of Fiddler, as well as some web security experts have built several robust add-ons that empower even newbies to discover and resolve security issues. Here’s a quick list of these:
  • Watcher – Developed by the Casaba Security team, Watcher observes a browser’s interactions with your site. The tool scans requests and responses, flagging potential security vulnerabilities.
  • x5s – Another add-on from Casaba Security, x5s evaluates your website’s vulnerability to cross-site scripting bugs caused by character-set related issues.
  • intruder21 – This add-on enables fuzz-testing of your web applications. Once your target requests are identified in Fiddler, this extension generates fuzzed payloads and launches them against your site.
  • Ammonite – Detects common website vulnerabilities including SQL injection, OS command injection, cross-site scripting, file inclusion, and buffer overflows.

1 comment:

  1. Pretty article! I found some useful information in your blog; it was awesome to read. Thanks for sharing this great content; keep sharing. Need to learn