This article provides useful information for creating security test sets. Custom security test sets are also available upon request from Cyara support. Read on to learn more.
OWASP Top Ten
The OWASP Top Ten is a list of the most critical security risks for web applications. Some of them are highly application-specific and should be covered by conversational flow tests rather than by generic scanners:
- Broken Authentication and Broken Access Control: These can be addressed by a custom "Authentication & Authorization" regression test set that checks, for every protected intent, that the chatbot refuses the request without a valid session and refuses it for a user who lacks the required role.
- Sensitive Data Exposure: This is very application-specific and should also be addressed with custom test sets that check which data the chatbot reveals in its answers.
- XML External Entities (XXE): If XML processing is involved (e.g., when using AIML), XXE should be part of a custom test set.
- Insecure Deserialization: This can be detected as part of UI tests.
Standard Security Tests
Other points from the list are covered by the standard Security Testing with ZAProxy:
- Security Misconfiguration: Typically detected through security scans and spiders.
- Using Components with Known Vulnerabilities: Also typically detected through security scans and spiders.
Custom Test Sets
Several points on the OWASP Top Ten list can be detected by writing custom test sets that simulate the actions of a malicious user:
- Injection (SQL, NoSQL): An attacker might send input that is interpreted by an SQL or NoSQL database behind the chatbot. If no data store is involved, the database variants do not apply, but keep in mind that the OWASP Injection category also covers other interpreters (OS commands, LDAP queries, expression languages), so check every place where user text is handed to an interpreter.
- Cross-Site Scripting (XSS): An attacker might send input that is interpreted by the web browser, injecting malicious functionality into the website that hosts the chatbot. A chatbot that accepts only buttons or quick replies has a much smaller attack surface than one with free-text input, but anything the client can send (including button payload values) should still be checked.
You can then import these files using the Import from file function in Botium and run them against your chatbot: go to Botium Tools & Settings > Test Sets > Test Cases > New > Import from file.
Running XSS and SQL Injection Tests
- XSS Injection: This test is most effective when running end-to-end (E2E) tests in a web browser, because only the browser shows whether a reflected payload is actually rendered and executed.
- SQL Injection: This test should be run on the HTTP(S) endpoint of your chatbot (refer to the Generic HTTP(S)/JSON Connector documentation).