Testing Tips

  • Determine all of the places in which attacker-controlled data is presented to the user or can be used to make a decision that affects security, such as in parts of the user interface or in log files.

  • Use the techniques discussed in Chapter 4 and Chapter 5, Becoming a Malicious Server, to send spoofed data over the network.

  • Understand the protocols used in your application. Many protocols contain contents that are trivial to spoof (for example, SMTP e-mail sender, HTTP Referer header, HTTP User-Agent header). These attacks are not limited to text-based protocols; they are also present in binary protocols.

  • Use a binary editor to modify files that could be controlled by attackers. For example, if you wanted to modify a Microsoft Office Word document, you can make the modifications in a binary editor to preserve the existing binary characters in the file and add control characters if necessary.

  • Try all ASCII characters (hex 0x00 through 0xFF) in attacker-controlled input. Applications might filter some characters or behave strangely when certain characters are used. Strange behavior includes not printing characters or printing incorrect characters. The total number of ASCII characters is only 256, so testing each character is realistic. The full ASCII table is available at http://www.asciitable.com.

  • Use Unicode characters in applications that support Unicode (for example, homograph attacks).

  • Test to see whether an attacker could potentially reword or reformat the user interface by including CR/LFs, nulls, tabs, and other control characters.

  • Try to mislead the user with your test input in places an attacker can control the input. Misleading input is input that, through misleading statements, URLs, or filenames, induces the user to compromise security in some way.

  • Verify that the default selection in security dialog boxes is the most secure option.

  • Verify that the text in dialog boxes clearly explains the impact or danger of the user making an insecure choice.
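The following is an added example, not code from the book: a sanitizer for attacker-controlled fields written to a single-line log entry, a check that feeds every byte value 0x00 through 0xFF through it as the tip above suggests, and a simple mixed-script heuristic for the homograph case. The function names and the log format are assumptions for illustration.

```python
import re
import unicodedata

# C0 control characters and DEL: these are what let input start a new log line,
# embed a NUL, or move the cursor in a terminal that renders the log.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_field(value: bytes) -> str:
    """Render untrusted bytes for a quoted field in a single-line log entry.

    Invalid UTF-8 is replaced rather than passed through, then backslash and
    the double quote (our field delimiter) are escaped, and finally every
    control character is written out as \\xNN so it cannot reflow the line.
    """
    text = value.decode("utf-8", errors="replace")
    text = text.replace("\\", "\\\\").replace('"', '\\"')
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def log_line(user: bytes, action: str) -> str:
    """Assumed log format: key="value" pairs on one line."""
    return 'user="%s" action="%s"' % (sanitize_field(user), action)


def exhaustive_byte_check():
    """Push each of the 256 byte values through the log path and return the
    values whose output still contains a raw control character or line break.
    An empty list means no single byte can break the log line."""
    failures = []
    for b in range(256):
        out = log_line(bytes([b]), "login")
        if CONTROL_RE.search(out) or out.count("\n") or out.count("\r"):
            failures.append(b)
    return failures


def mixed_scripts(text: str) -> bool:
    """Heuristic homograph flag: True when the letters in a displayed name
    (hostname, filename, sender) come from more than one Unicode script,
    e.g. a Cyrillic 'а' mixed into otherwise Latin text."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return len(scripts) > 1
```

Run `exhaustive_byte_check()` against your own log or display path in place of `log_line` to find the characters that are dropped, misprinted, or passed through raw.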



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
