Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Plants vs thieves: Automated Tests in the World...

Ramona Schwering
January 23, 2025
Technology
0
130

Plants vs thieves: Automated Tests in the World of Web Security

Web security is crucial in a constantly evolving environment where potential threats are always present. To better understand this concept, we can imagine our web application as a garden or a home that needs to be protected from possible attacks. We can draw parallels with the popular game "Plants vs. Zombies," which aims to safeguard your garden from intruders.

Our automated tests function as diligent guardians whose primary objective is to identify and address potential vulnerabilities, much like the diverse plant arsenal in the game. Instead of framing the security process as a never-ending fight, we will explore how automated tests act as defenders against possible issues, whether they are zombies or intruders. Next to an overview of tools you can utilize, we emphasize the importance of fundamental testing types, such as unit or end-to-end tests, in securing your digital garden.

Join this session to understand how to create a secure environment for your web application through test automation. This approach ensures that your web applications can successfully navigate the challenges posed by cyber threats without the necessity of introducing entirely new dedicated tools.

Ramona Schwering

January 23, 2025
Tweet

More Decks by Ramona Schwering

See All by Ramona Schwering
From the Crypt to the Code
leichteckig
0
28
You shall not pass!? A short story of customizable login experiences
leichteckig
0
37
Access Granted!
leichteckig
0
84
Who are vue? Authn in Vue, the important parts
leichteckig
0
68
Vue Fortified: Best Practices for Web App Security
leichteckig
0
120
It's a (testing) trap! - Common end-to-end pitfalls and how to solve them
leichteckig
0
150
Measure and improve frontend performance by using test automation
leichteckig
0
150
You belong here! On hurdles and happiness as women in IT
leichteckig
0
53
Flaky Tests - Fighting Nightmares
leichteckig
0
310

Other Decks in Technology

See All in Technology
Re:Define 可用性を支える モニタリング、パフォーマンス最適化、そしてセキュリティ
pyama86
3
330
20250122_個人向けCopilotどうなん
ponponmikankan
0
160
20250116_自部署内でAmazon Nova体験会をやってみた話
riz3f7
1
130
LLM活用の現在とこれから:LayerXにおける事例とともに 2025/1 ver. / layerx-llm-202501
yuya4
3
190
スクラムマスターの活動と組織からの期待のズレへの対応 / Dealing with the gap between Scrum Master activities and organizational expectations
pauli
1
620
JAWS-UG20250116_iOSアプリエンジニアがAWSreInventに行ってきた(真面目編)
totokit4
0
170
タイミーのデータ活用を支えるdbt Cloud導入とこれから
ttccddtoki
2
370
色々なAWSサービス名の由来を調べてみた
iriikeita
0
130
ゼロからわかる!!AWSの構成図を書いてみようワークショップ 問題&解答解説 #デッカイギ #羽田デッカイギおつ
_mossann_t
0
1.6k
デザインシステムを始めるために取り組んだこと - TechTrain x ゆめみ ここを意識してほしい!リファクタリング勉強会
kajitack
2
260
デジタルアイデンティティ人材育成推進ワーキンググループ 翻訳サブワーキンググループ 活動報告 / 20250114-OIDF-J-EduWG-TranslationSWG
oidfj
0
570
「人物ごとのアルバム」の精度改善の軌跡/Improving accuracy of albums by person
mixi_engineers
PRO
2
150

Featured

See All Featured
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.2k
GraphQLとの向き合い方2022年版
quramy
44
13k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.2k
Building Applications with DynamoDB
mza
93
6.2k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7.1k
Agile that works and the tools we love
rasmusluckow
328
21k
Code Reviewing Like a Champion
maltzj
521
39k
Documentation Writing (for coders)
carmenintech
67
4.5k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
What's in a price? How to price your products and services
michaelherold
244
12k

Transcript

  1. Automated Tests in the World of Web Security

  2. None

  3. What does that have to do with web development?

  4. None
  5. None
  6. None
  7. None
  8. None
  9. None

  10. Garden

  11. Garden House = Protected parts

  12. Garden Garden = our defenses House = Protected parts

  13. ==

  14. None

  15. What’s our game plan?

  16. What’s our game plan?

  17. Know your house application

  18. What to automate first?

  19. Priority

  20. Priority Risk Level

  21. Priority Risk Level Automation Difficulty

  22. Priority Risk Level Automation Difficulty Business Value

  23. None
  24. None

  25. Broken Access Control

  26. Broken Access Control Cryptographic Failures

  27. Broken Access Control Cryptographic Failures Injection

  28. How do we “cover” our garden?

  29. None

  30. Garden Attackers arrive here

  31. Garden House = Infrastructure Attackers arrive here

  32. Garden House = Infrastructure Frontend Attackers arrive here

  33. Garden House = Infrastructure Frontend API Attackers arrive here

  34. Garden House = Infrastructure Frontend API Backend Attackers arrive here

  35. Test Cases

  36. Test Cases

  37. Injection

  38. None
  39. None
  40. None
  41. None
  42. None

  43. -> “Frame” -> “Test”

  44. Sample repo

  45. None
  46. None

  47. it('injects XSS payload into search field’, () => { cy.get('.mat-search_icon-search').click();

    cy.get('.mat-toolbar-row .mat-form-field-infix') .type('<iframe src="javascript:alert(`xss`)">'); cy.get('.mat-toolbar-row .mat-form-field-infix’) .type('{enter}'); // Check if the payload is executed let spy = cy.spy(window, 'alert'); expect(spy).to.haveOwnProperty('callCount'); expect(spy).to.not.be.called; });

  48. it('injects XSS payload into search field’, () => { cy.get('.mat-search_icon-search').click();

    cy.get('.mat-toolbar-row .mat-form-field-infix') .type('<iframe src="javascript:alert(`xss`)">'); cy.get('.mat-toolbar-row .mat-form-field-infix’) .type('{enter}'); // Check if the payload is executed let spy = cy.spy(window, 'alert'); expect(spy).to.haveOwnProperty('callCount'); expect(spy).to.not.be.called; });

  49. it('injects XSS payload into search field’, () => { cy.get('.mat-search_icon-search').click();

    cy.get('.mat-toolbar-row .mat-form-field-infix') .type('<iframe src="javascript:alert(`xss`)">'); cy.get('.mat-toolbar-row .mat-form-field-infix’) .type('{enter}'); // Check if the payload is executed let spy = cy.spy(window, 'alert'); expect(spy).to.haveOwnProperty('callCount'); expect(spy).to.not.be.called; });
  50. None
  51. None
  52. None
  53. None

  54. Broken Access Control

  55. Cover protected areas

  56. None
  57. None
  58. None
  59. None

  60. CSRF via API Testing

  61. None
  62. None
  63. None
  64. None
  65. None
  66. None

  67. OpenFGA

  68. Cryptographic Failures

  69. HTTPS!?

  70. HTTPS!?

  71. Get better sample by randomizing

  72. None

  73. Use fixtures or helpers to store routes or input fields

    Helper

  74. cy.sample by cypress map Cypress-map Cypress-map Use fixtures or helpers

    to store routes or input fields Helper

  75. Use faker.js for test data cy.sample by cypress map Cypress-map

    Cypress-map Use fixtures or helpers to store routes or input fields Helper

  76. Utilize API Schema Docs

  77. How… or well, does it fit into our life(cycle)? Garden

  78. Development Testing Staging Production

  79. Development Testing Staging Production

  80. Development Testing Staging Production Pre-Commit Hook SAST Linting

  81. Development Testing Staging Production Pre-Commit Hook SAST Linting Built time

    tests DAST / IAST

  82. Development Testing Staging Production Pre-Commit Hook SAST Linting Built time

    tests DAST / IAST Deploy Gates Pen Testing

  83. Development Testing Staging Production Pre-Commit Hook SAST Linting Built time

    tests DAST / IAST Deploy Gates Pen Testing Runtime Monitoring Security Monitoring

  84. Development Testing Staging Production Pre-Commit Hook SAST Linting Built time

    tests DAST / IAST Deploy Gates Pen Testing Runtime Monitoring Security Monitoring OWASP Web Security Testing Guide
  85. None

  86. Fast check Testing JSVerify

  87. None

  88. Shall we waive tool support?

  89. The unknown thread?!

  90. Cypress + OWASP ZAP ZAP as a proxy

  91. Recommendations

  92. SAST Tools Recommendations

  93. SAST Tools DAST Tools Recommendations

  94. SAST Tools DAST Tools IAST Tools Recommendations

  95. SAST Tools DAST Tools IAST Tools Static Code Quality Analysis

    Recommendations

  96. SAST Tools Keeping dependencies up-to-date DAST Tools IAST Tools Static

    Code Quality Analysis Recommendations
  97. None
  98. None

  99. Only saving money and less of a learning curve?

  100. Great messenger!!

  101. Regression Tests

  102. Building trust

  103. Use Test Runner / Tracer for Reproducability

  104. Learn what external tools do

  105. None
  106. None
  107. None
  108. None

  109. Automation = great complement

  110. Automation = great complement Intentional Test Cases as low hanging

    fruits

  111. Automation = great complement Intentional Test Cases as low hanging

    fruits Combine own test cases + Tools

  112. Automation = great complement Intentional Test Cases as low hanging

    fruits Combine own test cases + Tools All testing types can be utilized, including property-based testing

  113. Auth0

  114. Additional

  115. Iframe!? - clickjacking

  116. Rate limiter testing

  117. Web vitals for performace topics?