20 Days Of Web Testing > Http and https

Why?

When transmitting private and confidential data over the Internet it should always be secured and encrypted so that prying eyes on the network cannot see the data being sent.

This mechanism typically uses the https protocol.

 

Hypertext Transfer Protocol Secure (HTTPS) is a widely-used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. – Wikipedia

 

If you are transmitting data and you are using the http protocol then it is not secure.

Hence, anyone can intercept the message and read the contents. Perfect for a “man in the middle” attack.

And that’s where you, as a Tester, come in.

 

How?

The easiest way to check whether the site you are connected to is secure is to check the browser address bar and look for https.

A padlock to symbolize that the connection is secure will also be shown.

There are a growing number of add-ons, extensions and tools for checking secure connections.

 

If the site is not HTTPS secured then you can use a web proxy tool to intercept the messages between the web client (browser) and the web server.

You can intercept the messages using tools such as Burpsuite (and many others).

Messages can be intercepted in both directions between the web server and the client, and the client and the webserver.

 

Once you have intercepted the messages using a proxy tool you can then do a number of different tests and attacks.

You could extract information from the message and see whether there is anything personal or private in it. It may provide minor clues or snippets of information that could be used for Social Engineering attacks.

You could delete the message and see what happens to the system. Do you lose information, lose states, break the client, break the server, handle it gracefully, or do nothing?

You could forward the message to the server with different values. There are countless examples where the price of goods to be purchased is included in the message unencrypted. A quick change and you could get goods for whatever price you want.

Intercepting messages is not just about security breaches and attacks.

There are loads of examples in most web systems where missing messages can cause grief.

Explore and learn from each test that you do and you will soon build up experience of what works and what doesn’t. I often find that each test leads to new ideas when using proxies to intercept messages.

 

Useful Hint

In many “test environments” https security may not be enabled and configured (but it will be on live) so double check before generating bugs.  Just make sure it’s on when the site goes live.

 

Useful Links

Good security for web checklist – http://www.techrepublic.com/blog/security/ensure-basic-web-site-security-with-this-checklist/424

Differences between http and https – http://www.virtu-software.com/ask-doug/QandA.asp?q=7

Another differences post – http://www.wisegeek.com/what-is-the-difference-between-http-and-https.htm

Burpsuite – http://portswigger.net/burp/

—-

If you want to talk Testing – catch me later this year at EuroSTAR conference.

 

2 thoughts to “20 Days Of Web Testing > Http and https”

  1. Useful hint:
    To be sure, one can disable http, to make sure it not only “looks as working” on https, but using some http in the background.

Comments are closed.