Security Testing Automation
Security Analyst Consultant | Arogya.ai
Trainer | SCADEMY - Secure Coding Academy
Community Volunteer | winja.nullcon.net
Conference Speaker | BSides, c0c0n, Nullcon, ISC2, Hack-In-The-Box, TexasCyber, Wicked6
GitHub: riddhi-shree LinkedIn: riddhi-shree-001
Twitter: @_riddhishree
When conducting security assessments:
Is it possible to build our own tool that can consume other tools, add its own steps, reduce the manual intervention, and generate a consolidated report? How hard could this be?
Let the robots do the grunt work.
In traditional software development, security is a bottleneck
https://portswigger.net/solutions/devsecops/guide-to-devsecops
https://robotframework.org/
VARIABLES:
KEYWORDS:
TEST CASES:
TEST LOG:
Analyze the data captured by the robots as per your instructions.
TEST TEMPLATE:
Maintain a folder structure
Python Libraries:
Test Template:
A test template makes it easy to repeat the same set of test steps for an entirely different data set.
CUSTOM KEYWORDS:
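Custom keywords can be written as a plain Python library, which Robot Framework loads with `Library    SecurityHeaders.py`; every public method becomes a keyword, so `check_security_headers` is callable as `Check Security Headers`. The library below is an added example, not code from the talk: it assumes the test has already captured a response's headers (for instance via RequestsLibrary) and passes them in as a dictionary, and the header list and value checks are the author's own choices.

```python
"""SecurityHeaders.py: a Robot Framework keyword library (added example).

Robot Framework turns every public method of a class whose name matches
the module into a keyword, so no robot import is needed here.
"""
from __future__ import annotations

from typing import Callable, Dict, List, Mapping

# Headers a hardened HTTP response is expected to carry. Each entry has a
# small value check, because a merely present header is not always enough.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: bool(v.strip()),
}

# Headers that disclose implementation details to every client.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")


class SecurityHeaders:
    """Keyword library; `check_security_headers` becomes `Check Security Headers`."""

    # One instance for the whole run; the library keeps no per-test state.
    ROBOT_LIBRARY_SCOPE = "GLOBAL"

    def check_security_headers(self, headers: Mapping[str, str]) -> List[str]:
        """Return a list of findings for a response's headers (empty means clean)."""
        # HTTP header names are case-insensitive, so normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        findings: List[str] = []
        for name, is_acceptable in REQUIRED_HEADERS.items():
            value = lowered.get(name.lower())
            if value is None:
                findings.append(f"missing header: {name}")
            elif not is_acceptable(value):
                findings.append(f"weak value for {name}: {value!r}")
        for name in DISCLOSING_HEADERS:
            if name.lower() in lowered:
                findings.append(
                    f"version disclosure via {name}: {lowered[name.lower()]!r}"
                )
        return findings

    def security_headers_should_be_present(self, headers: Mapping[str, str]) -> None:
        """Keyword that fails the test when any finding exists; raising an
        AssertionError makes Robot mark the test FAIL and list the findings
        in the test log."""
        findings = self.check_security_headers(headers)
        if findings:
            raise AssertionError("; ".join(findings))
```

In a suite this pairs naturally with a test template: each row of the data set is a URL, the template keyword fetches it and calls `Security Headers Should Be Present` on the response headers, and the findings for every target end up in the consolidated report.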
Intercepting API Requests & Responses
While robots are busy exploring the web pages, mitmproxy intercepts and saves server requests and responses.
$ mitmweb -r traffic.mitm
mitmweb can be used to further analyze the saved server requests and responses.
While the robots were at work, it was a break for you. With a refreshed mind, now is the time to look at all the gathered data and identify potential attack vectors; this gives you a good understanding of the target application.
If needed, the robot test cases can be extended to automate form filling or any other manual task, such as reading emails from your inbox or running commands in your bash shell.
If you are clear about the exact steps you want to perform, writing robot test cases is trivial.
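Rather than reading raw flows in mitmweb one by one, the captured traffic can be reduced to an endpoint inventory for review. The mitmproxy addon below is an added example (not code from the talk); it is loaded with `mitmdump -s traffic_inventory.py -w traffic.mitm` while the robots browse, or replayed over the saved capture with `mitmdump -r traffic.mitm -s traffic_inventory.py`. The summarising logic is plain Python so it can be tested without mitmproxy installed; the output file name and the fields chosen are assumptions of the example.

```python
"""traffic_inventory.py: mitmproxy addon (added example) that turns intercepted
requests and responses into a de-duplicated endpoint inventory (JSON lines)."""
from __future__ import annotations

import json
from typing import Dict, Iterable, List, Mapping
from urllib.parse import parse_qsl, urlsplit

try:
    from mitmproxy import http  # only available when loaded inside mitmproxy
except ImportError:  # keeps the module importable for offline tests
    http = None


def summarize(method: str, url: str, status: int,
              req_headers: Mapping[str, str], resp_headers: Mapping[str, str]) -> dict:
    """Reduce one request/response pair to the fields worth reviewing."""
    parts = urlsplit(url)
    params = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    return {
        "method": method.upper(),
        "host": parts.netloc,
        "path": parts.path or "/",
        "params": params,
        "status": status,
        # Heuristic: a request carrying neither Authorization nor Cookie is unauthenticated.
        "authenticated": "authorization" in req or "cookie" in req,
        "content_type": resp.get("content-type", "").split(";")[0].strip(),
    }


def inventory(summaries: Iterable[dict]) -> List[dict]:
    """Collapse repeated calls into unique (method, host, path) endpoints, merging
    parameter names, recording the status codes seen and counting calls that
    went out without credentials."""
    seen: Dict[tuple, dict] = {}
    for s in summaries:
        key = (s["method"], s["host"], s["path"])
        entry = seen.setdefault(
            key, {**s, "params": set(), "statuses": set(), "unauth_hits": 0})
        entry["params"].update(s["params"])
        entry["statuses"].add(s["status"])
        if not s["authenticated"]:
            entry["unauth_hits"] += 1
    result = []
    for e in seen.values():
        e = dict(e)
        e["params"] = sorted(e["params"])
        e["statuses"] = sorted(e["statuses"])
        e.pop("authenticated")
        e.pop("status")
        result.append(e)
    return sorted(result, key=lambda e: (e["host"], e["path"], e["method"]))


class TrafficInventory:
    """mitmproxy addon: collects summaries during the run, writes the inventory on exit."""

    def __init__(self, out_path: str = "inventory.jsonl") -> None:
        self.out_path = out_path
        self.summaries: List[dict] = []

    def response(self, flow) -> None:  # mitmproxy hook, once per completed response
        self.summaries.append(summarize(
            flow.request.method, flow.request.pretty_url, flow.response.status_code,
            dict(flow.request.headers), dict(flow.response.headers)))

    def done(self) -> None:  # mitmproxy hook, called on shutdown
        with open(self.out_path, "w", encoding="utf-8") as fh:
            for entry in inventory(self.summaries):
                fh.write(json.dumps(entry) + "\n")


addons = [TrafficInventory()]
```

The resulting `inventory.jsonl` lists each endpoint once with every parameter name seen across the crawl, the status codes it answered with and how many calls reached it without credentials, which is a compact starting point for deciding which parts of the application deserve closer testing.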
Split one execution into several and save test execution time.
If the same action needs to be performed on different URLs, parallel processing can be applied.
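One way to run the same suite against many targets at once, as an added example rather than the talk's own tooling: start one `robot` process per URL from a thread pool, passing the target in with `--variable URL:<url>` and giving each run its own `output.xml`, then combine the outputs with `rebot`. The suite file name, output directory and worker count are assumptions; `robot` exits with the number of failed tests, which is what each worker returns.

```python
"""parallel_runner.py (added example): run one Robot Framework suite against many
target URLs concurrently and merge the per-target outputs with rebot."""
from __future__ import annotations

import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from pathlib import Path
from typing import Callable, Dict, Iterable, List


def run_parallel(urls: Iterable[str], action: Callable[[str], int],
                 workers: int = 4) -> Dict[str, object]:
    """Run action(url) concurrently and return {url: result}. A worker that raises
    is recorded as its exception instead of aborting the remaining targets."""
    results: Dict[str, object] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(action, u): u for u in urls}
        for fut in as_completed(futures):
            url = futures[fut]
            try:
                results[url] = fut.result()
            except Exception as exc:  # keep going; report per target
                results[url] = exc
    return results


def failed_targets(results: Dict[str, object]) -> List[str]:
    """URLs whose run failed: a non-zero robot exit code or a raised exception."""
    return sorted(u for u, r in results.items()
                  if isinstance(r, Exception) or r != 0)


def robot_action(suite: str, out_dir: str) -> Callable[[str], int]:
    """Build the per-URL worker: one robot process with its own output.xml."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)

    def run(url: str) -> int:
        safe = url.replace("://", "_").replace("/", "_")
        proc = subprocess.run(
            ["robot", "--variable", f"URL:{url}",
             "--output", str(out / f"{safe}.xml"),
             "--log", "NONE", "--report", "NONE", suite],
            capture_output=True, text=True)
        return proc.returncode  # robot's exit code is the number of failed tests

    return run


def merge_outputs(out_dir: str) -> Path:
    """Combine every per-target output.xml into one report with rebot."""
    out = Path(out_dir)
    xmls = sorted(str(p) for p in out.glob("*.xml") if p.name != "combined.xml")
    subprocess.run(["rebot", "--output", str(out / "combined.xml"), *xmls], check=True)
    return out / "combined.xml"


if __name__ == "__main__":
    # Usage: python parallel_runner.py suite.robot out/ https://a.test https://b.test
    suite, out_dir, *targets = sys.argv[1:]
    results = run_parallel(targets, robot_action(suite, out_dir))
    print("failed targets:", failed_targets(results))
    print("combined report:", merge_outputs(out_dir))
```

Because every target writes to its own file, a crash in one run cannot corrupt another's results, and the merged `combined.xml` is what the report and log steps (or a Jenkins job) consume afterwards.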
It's easy to take our automation to the next level:
Jenkins
Jenkinsfile
$ ngrok http 8080
https://github.com/aws-samples/amazon-cloudfront-secure-static-site#user-content-amazon-cloudfront-secure-static-website
Serving Test Report via S3 and CloudFront