December 14, 2002

Security Testing

You know, unless you want to spend tens of thousands of dollars, there is very little out there in the way of tools that perform fault injection for security testing, or even for functional testing for that matter. In the new year I am going to be spending some time writing some generic security tests that can be used to do a whole gamut of different things. I am also going to open a free site so other developers can use and exchange their tests, to hopefully help us all write better quality code with security in mind. A few tests I hope to write include:

  • Dangerous Function Scanner - Scan an entire master sources tree looking for dangerous functions and API calls that should not be used, or at least should be used with care. Examples would be strcpy vs. strncpy, or using SetSecurityDescriptorDacl( ..., ..., NULL, ... ) incorrectly [you shouldn't use a NULL DACL], etc.

  • Rogue TCP/IP Client/Server - A simple socket client and server to purposely stress-test network clients and servers by attacking and tainting the data stream in malicious ways.

  • Script-Injector - To test against cross-site scripting and invalid script injection code in web forms and services. Especially useful for those PHP and ASP boneheads of the world who don't properly validate user data.

  • XML Tainter - XML is starting to become a de facto standard for data manipulation, especially in newer TCP/IP protocol communication paradigms. Did you know, though, that there are limits on the size of a tag, as well as on the characters that can be used? May as well create a test that maliciously creates payloads of XML data and see how the data abstraction layer in an application handles the information. On the flip side... I am routinely seeing misuse of XML where tags are EXPECTED in the file but don't actually exist. Non-existent tags are just as bad as malicious ones if not handled correctly.

  • Sizeof op checker - Wanna know the classic way to overflow a Windows application? Find one that uses both multibyte and wide characters and uses the sizeof() operator to calculate dynamic memory allocation. Routinely developers screw that up and allocate enough room for a string, only to find it is multibyte and needs double the amount of room. The result? A memcpy/strcpy etc. can overflow and allow you to go to town. Microsoft's printer spooler is a perfect example of an app that had this issue for a VERY long time.

  • SQL Misuse - Scan code to see if it exposes privileged SQL information such as the username/password used to connect, or contains queries that could easily be stored procedures rather than raw code. Top that off with SQL injection checks and SQL builder issues, and this test should hopefully stomp out a lot of issues surrounding database access with SQL.

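The Dangerous Function Scanner from the list above, sketched here in Python as an added example (it is not the Perl tool the post promises, and the two sample source files are constructed for the demonstration). It walks a source tree, reports unsafe C calls by name using word boundaries so that `strncpy` is not reported as `strcpy` and `fgets` is not reported as `gets`, and checks whether the third (pDacl) argument of `SetSecurityDescriptorDacl` is `NULL`. The argument split is a plain comma split, so a cast such as `(PACL)NULL` would slip past it; that is a known limitation of this simple pattern scan.

```python
"""Added example, not the post's Perl tool: a minimal dangerous-function
scanner for C/C++ source trees. The sample files are constructed inline so
the script runs offline; call scan_tree() on a real checkout to use it."""
import os
import re
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path line func advice")

# Unsafe calls and the safer alternative to suggest. The \b in CALL_RE stops
# `strcpy` from matching inside `strncpy` and `gets` inside `fgets`.
UNSAFE_CALLS = {
    "strcpy": "use strncpy/strlcpy with an explicit destination size",
    "strcat": "use strncat/strlcat with an explicit destination size",
    "sprintf": "use snprintf",
    "gets": "use fgets with a bounded buffer",
}
CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")

# SetSecurityDescriptorDacl(pSD, bDaclPresent, pDacl, bDaclDefaulted):
# a NULL pDacl (third argument) grants everyone full control of the object.
# Arguments are split on commas, so a cast like (PACL)NULL is not detected.
DACL_RE = re.compile(r"\bSetSecurityDescriptorDacl\s*\(([^;]*)\)")


def scan_source(path, text):
    """Return Findings for one file's text; `path` is used only for reporting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop trailing // comments
        for m in CALL_RE.finditer(code):
            func = m.group(1)
            findings.append(Finding(path, lineno, func, UNSAFE_CALLS[func]))
        m = DACL_RE.search(code)
        if m:
            args = [a.strip() for a in m.group(1).split(",")]
            if len(args) >= 3 and args[2].upper() == "NULL":
                findings.append(Finding(path, lineno, "SetSecurityDescriptorDacl",
                                        "NULL DACL: build a real ACL instead"))
    return findings


def scan_tree(root, exts=(".c", ".cc", ".cpp", ".h")):
    """Walk `root` and scan every file with a C/C++ extension."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(path, fh.read()))
    return findings


# Constructed sample sources: one flagged call, one bounded call that must not
# be flagged, one call inside a comment, and one NULL-DACL misuse.
SAMPLE_FILES = {
    "copy.c": (
        "#include <string.h>\n"
        "void copy(char *dst, const char *src) {\n"
        "    strcpy(dst, src);          // flagged\n"
        "    strncpy(dst, src, 16);     // bounded: not flagged\n"
        "    // strcat(dst, src) in a comment is ignored\n"
        "}\n"
    ),
    "share.c": (
        "BOOL open_share(PSECURITY_DESCRIPTOR sd) {\n"
        "    return SetSecurityDescriptorDacl(sd, TRUE, NULL, FALSE);\n"
        "}\n"
    ),
}


def run_sample():
    """Write the constructed files to a temp tree, scan it, and return
    (file, line, function, advice) tuples with the temp path stripped."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return [(os.path.basename(f.path), f.line, f.func, f.advice)
                for f in scan_tree(root)]


if __name__ == "__main__":
    for path, line, func, advice in run_sample():
        print("%s:%d: %s -> %s" % (path, line, func, advice))
```

Hooking this into a daily build is a matter of running it over the source root and failing the build when the returned list is non-empty.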
There are others, but I see those ones being of immediate use to many of us. If you have any other ideas for good security tests that should be written, please let me know. I will be writing all my security tests in Perl, which runs natively in Unix environments and in Windows environments (with Cygwin), which means you can easily add these to your makefiles or build environment scripts for your daily builds.
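The "SQL builder" part of the SQL Misuse test, as an added example in Python rather than the post's Perl (the table rows and the lookup routines are constructed for the demonstration). A single name containing an apostrophe is enough to separate a query built by string concatenation from one that binds parameters: the concatenated statement becomes a syntax error, because user data has been turned into SQL syntax, while the parameterized statement treats the same input as a literal value. The same concatenation pattern is what a source scan for SQL misuse should flag.

```python
"""Added example, not from the post: exercising a lookup routine with a
quote-bearing name against an in-memory SQLite database with constructed rows."""
import sqlite3


def make_db():
    """Constructed sample table; `O'Brien` is the interesting row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_concat(conn, name):
    """Weak pattern: the caller's data is spliced into the statement text."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Corrected pattern: statement text is fixed, data is bound separately."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def sql_builder_test(name="O'Brien"):
    """Return {'concat': ..., 'param': ...}: the rows each routine yields for
    `name`, or the exception type when the statement no longer parses."""
    conn = make_db()
    results = {}
    for label, func in (("concat", lookup_concat), ("param", lookup_param)):
        try:
            results[label] = func(conn, name)
        except sqlite3.OperationalError as exc:
            # The apostrophe ended the string literal early; the rest is junk SQL.
            results[label] = type(exc).__name__
    conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in sql_builder_test().items():
        print("%-6s -> %r" % (label, outcome))
```

A plain name such as `alice` gives the same answer from both routines, which is exactly why the bug survives ordinary functional testing and needs a deliberately tainted input to surface.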

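The XML Tainter idea from the list, as an added Python example rather than the post's Perl (the `<order>` document format, the reader functions and the tainted inputs are all constructed here). A naive reader that does `root.find("qty").text` dies with an `AttributeError` when the expected tag is absent, which is the "non-existent tags are just as bad as malicious ones" case; the fail-closed reader turns every bad input, missing tag or malformed document into one clear `ValueError`. Note that how a parser treats very long tag names differs between parsers, so this example does not assert on tag length.

```python
"""Added example, not from the post: a fail-closed XML reader for a constructed
<order> document, plus the kind of malformed inputs a tainter would feed it."""
import xml.etree.ElementTree as ET

REQUIRED = ("sku", "qty")


def parse_order_naive(data):
    """Reader written as if every expected tag is always present."""
    root = ET.fromstring(data)
    return {"sku": root.find("sku").text, "qty": int(root.find("qty").text)}


def parse_order(data):
    """Return {'sku': str, 'qty': int} or raise ValueError with a clear reason."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError("malformed XML: %s" % exc) from None
    if root.tag != "order":
        raise ValueError("unexpected root element <%s>" % root.tag)
    fields = {}
    for tag in REQUIRED:
        el = root.find(tag)
        if el is None or el.text is None or not el.text.strip():
            raise ValueError("missing or empty <%s>" % tag)
        fields[tag] = el.text.strip()
    try:
        fields["qty"] = int(fields["qty"])
    except ValueError:
        raise ValueError("<qty> is not an integer") from None
    if fields["qty"] <= 0:
        raise ValueError("<qty> must be positive")
    return fields


# Constructed tainted inputs: each must be rejected with a ValueError.
TAINTED = {
    "missing_qty": b"<order><sku>A1</sku></order>",
    "empty_sku": b"<order><sku/><qty>2</qty></order>",
    "bad_qty": b"<order><sku>A1</sku><qty>two</qty></order>",
    "negative_qty": b"<order><sku>A1</sku><qty>-1</qty></order>",
    "bad_tag_name": b"<order><1sku>A1</1sku><qty>2</qty></order>",  # names cannot start with a digit
    "unclosed": b"<order><sku>A1</sku><qty>2</qty>",
    "wrong_root": b"<ordr><sku>A1</sku><qty>2</qty></ordr>",
}


def run_tainter(reader=parse_order):
    """Feed every tainted input to `reader`; record a clean rejection, an
    acceptance, or the name of any other exception that escaped."""
    results = {}
    for name, data in TAINTED.items():
        try:
            reader(data)
            results[name] = "ACCEPTED"
        except ValueError as exc:
            results[name] = "rejected: %s" % exc
        except Exception as exc:  # anything else is the bug we are hunting
            results[name] = "crashed: %s" % type(exc).__name__
    return results


if __name__ == "__main__":
    for name, outcome in run_tainter().items():
        print("%-13s %s" % (name, outcome))
    print("naive reader on missing_qty:", run_tainter(parse_order_naive)["missing_qty"])
```

Running `run_tainter(parse_order_naive)` shows the naive reader crashing on the missing tag and leaking raw `ParseError`s on the malformed documents, while `run_tainter()` rejects every case with a message the application can act on.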
Posted by SilverStr at December 14, 2002 06:01 PM
Comments


Hi,
can you send some tests on SQL injection?

Is there an exhaustive list which can be found somewhere on the internet?

Posted by: Karmendra at July 23, 2003 10:48 PM