Automated Application Security Testing

Rate this content
Bookmark

Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.

9 min
21 Jun, 2022

Comments

Sign in or register to post your comment.

Video Summary and Transcription

StackHawk is a dynamic application security testing tool that helps developers find and fix security issues. The scan identified a SQL injection issue and a cross site scripting issue. The StackHawk YAML is used to configure the scanner with important information such as the application's location, environment, and ID. The scanner can also be pointed at open API spec or GraphQL definitions. Try StackHawk for free at stackhawk.com and integrate it into your development process to improve software quality.

1. Introduction to StackHawk

Short description:

StackHawk is a dynamic application security testing tool that helps developers find and fix security issues. It runs active security tests against running applications, handles user input and output safely, and implements OWASP top 10 best practices. The scanner is configured via YAML and provides simple descriptions and examples of patterns to help identify and fix issues. StackHawk integrates with CI/CD workflows and major CI platforms, and it can notify scan results in Slack, Data Dog, or via web hook.

What's going on, React people? I'm Scott Gerlach, co-founder and chief security officer over here at StackHawk. I hope you're really enjoying React Summit.

Let's talk about StackHawk. Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs and keep them from becoming vulnerable. You can use StackHawk to run active security tests on your running REST API, GraphQL API, soap API, server-side application, and single-page applications. StackHawk was built for automation and CI CDE to be part of your robust testing strategy for your application development life cycle. It also makes finding, understanding, and fixing security bugs easy.

How does StackHawk work, you ask? Great question! StackHawk runs active security tests against your running applications to ensure that your application is handling user input and output in a safe manner, as well as implementing OWASP top 10 best practices for application security. We can do this against your running application on your local host, in CI CDE workflows, and against applications that have yet to be published on the internet. We also made dynamic testing fast. By placing the scanner as close to the application as possible and by using open standards to inform the scanner, OpenAPI spec, GraphQL, introspection queries, SOAP, WSDL, in addition to the scanner tuning we've made, most StackHawk customer applications scan average around or under 10 minutes.

Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find and most importantly fix security issues. The Stackhawk scanner and platform are built around this simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing. When StackHawk findings are triaged, the platform is trying to give you the simplest version of the information needed to help you quickly understand what the problem is, with simple descriptions and examples of patterns to help you identify the anti-pattern, be able to recreate the issue with simple curl command to replay the attack, and get you into debug mode stepping through code as fast as possible to help you fix issues and get back to your regular job of creating value for your customers. All of this is CI CD enabled. Again, you can integrate this into your CI process and importantly get feedback into the CI process on scan findings. This information can be used to break a build if you choose. Based on severity of un-triage findings, most of the major CI player logos are shown here on this slide, and even if your particular one isn't, chances are pretty good Stackhawk will work in your platform as long as it can run a Docker container. You can run Docker, you can run Stackhawk. You can also see here Stackhawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to Data Dog, or send you a simple web hook message that you can then use to process and do with the data what you choose.

Let's take a look at what running the Stackhawk scanner looks like. As you can see here, I've got a standard server side application. This one is a Pulse app that I want to test for security issues. So over here on my command line, I've got a simple Docker command that I ran. So Docker run Stackhawk, I fed it the stack on yamel, we'll look at that in a second. As you can see, it did a standard crawl looking for all the interesting things on the webpage that it could and then it did an attack.

2. Analysis of Scan Findings and SQL Injection Issue

Short description:

The scan identified a SQL injection issue and a cross site scripting issue. The SQL injection issue is explained, along with the risks it poses and links to prevent it in different language frameworks. A specific issue is highlighted on the polls SQL path, where a post method has an issue. The scanner's request and response are shown, including a Case When injection. The Validate button provides a curl command to reproduce the attack. The StackHawk YAML code for the polls application is also provided.

So it actively attacked this application for potential security issues. When it was all done, we've got a summary of these findings. So I've actually got a SQL injection issue that I need to take care of, you can see that it's new. I also have a cross site scripting issue that I've done something with before, I actually made a ticket out of this. So now it's in an assigned status. We've got a bunch of other things that we can look at as well. But let's take a look at those two.

Down here at the bottom, we actually have a link to this scan. So we can actually take this link and paste it into a browser. By the way, output in a CICD system would look very much like this, because this is the standard output. So if you did choose to break a build, you would have this same link in CICD output. So we can go over here to our web browser and jump right into the scan that we were looking at. We were just looking at this exact same scan. We've got this SQL injection issue that we can look at quickly. You can see that we've got a SQL injection issue. We're quickly describing what SQL injection is, how to remediate it, what it's about, and what risks it might pose to an application. We also have links to different language frameworks that show you the pattern of how to prevent SQL injection in Spring, Laravel, Django, and Rails so that you can help identify the anti-pattern that we're looking for.

Let's take a look at this particular issue here. We can see that on the polls SQL path, we have a post method that has some kind of an issue. Over on our right-hand panel, we've got a request and response of what the scanner actually did and then came back with. We can see that the scanner made a request here against the application and it responded in some form or fashion. We can actually see that the scanner made a Case When injection here. We can replay this if we wanted to. This is all helping you understand what the scanner is trying to do and what issue it thinks it's found. But, interestingly, we've got this really cool Validate button up here. As I mentioned before, this Validate button gives you a curl command of exactly what the scanner did to identify this particular issue. So, you can copy and replay this attack against an application. Let's take a look at that StackHawk YAML. Here you can see the code that I've used to build my polls application. Inside of this repository, I've also stored the StackHawk YAML.

3. Configuring StackHawk Scanner

Short description:

The StackHawk YAML is used to configure the scanner with important information such as the application's location, environment, and ID. Additional configuration options include authentication, handling of cookies and CSRF tokens, and excluding specific scan targets. The scanner can also be pointed at open API spec or GraphQL definitions. If time is limited, issues can be quickly pushed to a JIRA ticket and prioritized for future sprints or epochs. Triaged issues will no longer trigger alerts, and builds can continue as normal. Try StackHawk for free at stackhawk.com and integrate it into your development process to improve software quality.

The StackHawk YAML is how you configure the StackHawk scanner. So, you can see the important information that's in here is, where do I find the application I need to test? In this case, it's running on my local machine, so local host 8020. What environment am I in? What is the application ID? That is the minimal amount of information you need to run a StackHawk scan against your application.

There are other pieces of information that help tune the scanner to your application, such as authentication, how to handle cookies and CSRF tokens, as well as things you don't want the scanner to scan. If you wanted to add open API spec or GraphQL, minimal additional configuration is needed to make that happen, to point the scanner at those industry standard definitions of REST API and GraphQL.

Now let's say we don't have time to fix this particular issue. We need to get this feature out for a customer, but we do want to fix it, so we can push this quickly to a JIRA ticket. I can send this to a JIRA Cloud or JIRA DataCenter ticket right now from this particular screen. I can push this issue straight out to JIRA and now I can prioritize that and bring it back out of the backlog when I'm ready to do it in the next sprint or in the next epoch.

As you will see, this has now turned into a triaged status issue, so when we come back here to our summary of findings, you can see that our cross site scripting has been triaged and our SQL injections have been triaged. The next time the scanner finds these things, it will remember that you have triaged them already and it will stop trying to bring your attention to it. If you've configured builds to break, this will undo the build break mechanism and your build will continue as normal.

I hope you enjoyed my talk today and perhaps learned something new about how StackHawk could be integrated into your development workflow. If you'd like to check out StackHawk and see how you can integrate it into your development process to keep pushing the limits on software development quality, you can always start a free trial at stackhawk.com and StackHawk is always free to use on a single application. Hey, thanks for watching everybody. I hope you really enjoy React Summit.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

TestJS Summit 2021TestJS Summit 2021
33 min
Network Requests with Cypress
Top Content
Whether you're testing your UI or API, Cypress gives you all the tools needed to work with and manage network requests. This intermediate-level task demonstrates how to use the cy.request and cy.intercept commands to execute, spy on, and stub network requests while testing your application in the browser. Learn how the commands work as well as use cases for each, including best practices for testing and mocking your network requests.
TestJS Summit 2021TestJS Summit 2021
38 min
Testing Pyramid Makes Little Sense, What We Can Use Instead
Top Content
Featured Video
The testing pyramid - the canonical shape of tests that defined what types of tests we need to write to make sure the app works - is ... obsolete. In this presentation, Roman Sandler and Gleb Bahmutov argue what the testing shape works better for today's web applications.
TestJS Summit 2022TestJS Summit 2022
27 min
Full-Circle Testing With Cypress
Top Content
Cypress has taken the world by storm by brining an easy to use tool for end to end testing. It’s capabilities have proven to be be useful for creating stable tests for frontend applications. But end to end testing is just a small part of testing efforts. What about your API? What about your components? Well, in my talk I would like to show you how we can start with end-to-end tests, go deeper with component testing and then move up to testing our API, circ
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
TestJS Summit 2021TestJS Summit 2021
31 min
Test Effective Development
Top Content
Developers want to sleep tight knowing they didn't break production. Companies want to be efficient in order to meet their customer needs faster and to gain competitive advantage sooner. We ALL want to be cost effective... or shall I say... TEST EFFECTIVE!But how do we do that?Are the "unit" and "integration" terminology serves us right?Or is it time for a change? When should we use either strategy to maximize our "test effectiveness"?In this talk I'll show you a brand new way to think about cost effective testing with new strategies and new testing terms!It’s time to go DEEPER!

Workshops on related topic

React Summit 2023React Summit 2023
151 min
Designing Effective Tests With React Testing Library
Featured Workshop
React Testing Library is a great framework for React component tests because there are a lot of questions it answers for you, so you don’t need to worry about those questions. But that doesn’t mean testing is easy. There are still a lot of questions you have to figure out for yourself: How many component tests should you write vs end-to-end tests or lower-level unit tests? How can you test a certain line of code that is tricky to test? And what in the world are you supposed to do about that persistent act() warning?
In this three-hour workshop we’ll introduce React Testing Library along with a mental model for how to think about designing your component tests. This mental model will help you see how to test each bit of logic, whether or not to mock dependencies, and will help improve the design of your components. You’ll walk away with the tools, techniques, and principles you need to implement low-cost, high-value component tests.
Table of contents- The different kinds of React application tests, and where component tests fit in- A mental model for thinking about the inputs and outputs of the components you test- Options for selecting DOM elements to verify and interact with them- The value of mocks and why they shouldn’t be avoided- The challenges with asynchrony in RTL tests and how to handle them
Prerequisites- Familiarity with building applications with React- Basic experience writing automated tests with Jest or another unit testing framework- You do not need any experience with React Testing Library- Machine setup: Node LTS, Yarn
TestJS Summit 2022TestJS Summit 2022
146 min
How to Start With Cypress
Featured WorkshopFree
The web has evolved. Finally, testing has also. Cypress is a modern testing tool that answers the testing needs of modern web applications. It has been gaining a lot of traction in the last couple of years, gaining worldwide popularity. If you have been waiting to learn Cypress, wait no more! Filip Hric will guide you through the first steps on how to start using Cypress and set up a project on your own. The good news is, learning Cypress is incredibly easy. You'll write your first test in no time, and then you'll discover how to write a full end-to-end test for a modern web application. You'll learn the core concepts like retry-ability. Discover how to work and interact with your application and learn how to combine API and UI tests. Throughout this whole workshop, we will write code and do practical exercises. You will leave with a hands-on experience that you can translate to your own project.
React Summit 2022React Summit 2022
117 min
Detox 101: How to write stable end-to-end tests for your React Native application
Top Content
WorkshopFree
Compared to unit testing, end-to-end testing aims to interact with your application just like a real user. And as we all know it can be pretty challenging. Especially when we talk about Mobile applications.
Tests rely on many conditions and are considered to be slow and flaky. On the other hand - end-to-end tests can give the greatest confidence that your app is working. And if done right - can become an amazing tool for boosting developer velocity.
Detox is a gray-box end-to-end testing framework for mobile apps. Developed by Wix to solve the problem of slowness and flakiness and used by React Native itself as its E2E testing tool.
Join me on this workshop to learn how to make your mobile end-to-end tests with Detox rock.
Prerequisites- iOS/Android: MacOS Catalina or newer- Android only: Linux- Install before the workshop
TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
WorkshopFree
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
TestJS Summit - January, 2021TestJS Summit - January, 2021
173 min
Testing Web Applications Using Cypress
WorkshopFree
This workshop will teach you the basics of writing useful end-to-end tests using Cypress Test Runner.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.
GraphQL Galaxy 2021GraphQL Galaxy 2021
48 min
Building GraphQL APIs on top of Ethereum with The Graph
WorkshopFree
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, and other blockchains. Anyone can build and publish open APIs, called subgraphs, making data easily accessible.

In this workshop you’ll learn how to build a subgraph that indexes NFT blockchain data from the Foundation smart contract. We’ll deploy the API, and learn how to perform queries to retrieve data using various types of data access patterns, implementing filters and sorting.

By the end of the workshop, you should understand how to build and deploy performant APIs to The Graph to index data from any smart contract deployed to Ethereum.