The document discusses tools and approaches for improving web security, reliability, and performance. It describes common attacks like CSRF and XSS, as well as vulnerabilities like SQL injection. It recommends using tools to augment manual testing by running automated tests regularly. Specific tools are mentioned for load testing, security testing, link checking, and measuring performance. Best practices include balancing automated and manual testing, understanding tools' capabilities and limitations, and regularly testing applications.

1. Towards a More Secure, Reliable,
and Performant Web:
Tools /Approaches to Help
September 22, 2010
Stephen Donner
WebQA Lead
Michael Coates
Web-Applications Security Guru
Mozilla Corporation

2. Overview
• Types of Attacks / Vulnerabilities (just a few)
• Why Use Tools / Benefits?
• Web-App Performance
• Load-Testing Sites
• Security / Fuzzing
• Link Checkers
• Gotchas / Pitfalls
• Recommendations / Best Practices
9/22/2010 2 Mozilla WebQA

3. Types of Attacks / Vulnerabilities (just a few)
• CSRF - Cross-Site Request Forgery
• “An attack which forces an end user to With a little help ofactions engineering (like sending a
which he/she is currently authenticated.
execute unwanted
social
on a web application in
link via email/chat), an attacker may force the users of a web application to execute actions
of the attacker's choosing.” [1]
• XSS - Cross-Site Scripting
• “...malicious scripts areoccur when an attacker usesbenign and trusted to send malicious
scripting (XSS) attacks
injected into the otherwise
a web application
web sites. Cross-site
code, generally in the form of a browser side script, to a different end user [...] the malicious
script can access any cookies, session tokens, or other sensitive information retained by
your browser and used with that site.” [2]
Sources:
• [1] http://www.owasp.org/index.php/CSRF
• [2] http://www.owasp.org/index.php/Cross-
site_Scripting_(XSS)
9/22/2010 3 Mozilla WebQA

4. Types of Attacks / Vulnerabilities (just a few)
• SQL Injection - http://www.owasp.org/index.php/SQL_Injection
• “injection of a SQL query via the input data from the client to the
application. A successful SQL injection exploit can read sensitive data
from the database, modify database data (Insert/Update/Delete), execute
administration operations on the database (such as shutdown the
DBMS), recover the content of a given file present on the DBMS file
system and in some cases issue commands to the operating system.” [3]
• ...and many more:
• OWASP list of attacks
• OWASP list of vulnerabilities
Sources:
• [3] http://www.owasp.org/index.php/
9/22/2010 4 Mozilla WebQA

5. Why Use Tools / Benefits?
• Saves time
• Increases/augments manual coverage
• Ensures a certain set of tests run every
time
• (Eliminates the human-failure component)
• Can help educate the tester
9/22/2010 5 Mozilla WebQA

6. Web-App Performance Sites / Add-ons
• Performance-Testing Sites:
• BrowserMob - http://browsermob.com
• Webpagetest - http://www.webpagetest.org/
• Firefox Add-ons:
• Firebug - http://getfirebug.com/
• YSlow! - http://developer.yahoo.com/yslow/
9/22/2010 6 Mozilla WebQA

7. Load-Testing Sites
• Load Impact - http://loadimpact.com/
• Load Labs - http://loadlabs.com/
• Gomez - http://www.gomez.com
9/22/2010 7 Mozilla WebQA

8. Load / Performance-Testing Tools
• Siege - http://www.joedog.org/index/siege-home
• siege -c50 -r150 -i http://input.stage.mozilla.com
• ab (Apache Benchmark) - http://httpd.apache.org/docs/2.0/programs/ab.html
• ab -c 150 -n 600 http://preview.addons.mozilla.org:81/en-US/
firefox/collection/enkei (run on Khan)
• JMeter - http://jakarta.apache.org/jmeter/
• Benchmarking/performance/stress-testing
• logreplay - http://github.com/oremj/logreplay
• Takes Apache access logs and, well, replays them :-)
• All but JMeter used for AMO: https://wiki.mozilla.org/User:Clouserw/AMO/loadtest
9/22/2010 8 Mozilla WebQA

9. Security / Fuzzing
• PowerFuzzer:
• http://www.powerfuzzer.com/
• XSS Me:
• http://labs.securitycompass.com/index.php/exploit-me/xss-me/
• SQL Inject Me:
• http://labs.securitycompass.com/index.php/exploit-me/sql-inject-me/
• TamperData:
• https://addons.mozilla.org/en-US/firefox/addon/966/
• Acunetix (XSS only):
• http://www.acunetix.com/cross-site-scripting/scanner.htm
9/22/2010 9 Mozilla WebQA

10. Link Checkers
• Xenu
• http://home.snafu.de/tilman/xenulink.html
• W3C
• http://validator.w3.org/checklink/
9/22/2010 10 Mozilla WebQA

11. Gotchas / Pitfalls
• Over-reliance on automated tools/websites
• “One test tool fits all” fallacy
• Not knowing the tool and its limits /
strengths
• Once is (usually) never enough
• Not knowing enough about your system /
infrastructure
9/22/2010 11 Mozilla WebQA

12. Recommendations / Guidelines
• Balance your testing: augment manual with
automation
• Pick the best tool for the task
• Read up on tools (from multiple sources) before
and during use
• Run them often: in the background of a VM while
manually testing
• Read up on/ask about your framework; look for
published vulnerabilities (Drupal, anyone?)
9/22/2010 12 Mozilla WebQA

13. References
• OWASP Top 10
• http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Security-coding guidelines for Developers:
• https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
• Security-coding checklist for QA:
• https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
• Web Test Tools:
• http://www.softwareqatest.com/qatweb1.html
• Security Test Tools:
• http://www.softwareqatest.com/qatweb1.html#SECURITY
9/22/2010 13 Mozilla WebQA

14. Thank You!
• WebQA homepage:
• https://wiki.mozilla.org/QA/Execution/Web_Testing
• Get Involved:
• http://quality.mozilla.org/docs/webqa/get-involved/
• Contact Us:
• IRC:
• #mozwebqa on irc.mozilla.org
• Mailing List:
• mozwebqa@mozilla.org
9/22/2010 14 Mozilla WebQA

15. Questions?
9/22/2010 15 Mozilla WebQA