Automated Application Security Testing

Rate this content
Bookmark

Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.

This talk has been presented at JSNation 2022, check out the latest edition of this JavaScript Conference.

FAQ

StackHawk is a dynamic application security testing tool designed to test running HTTP applications and API endpoints for security vulnerabilities to prevent them from becoming compromised.

StackHawk conducts active security tests against running applications to ensure safe handling of user input and output and implements OWASP top 10 best practices for application security. It can perform these tests in various environments including local host, CI/CD workflows, and pre-published applications.

StackHawk can run security tests on REST APIs, GraphQL APIs, SOAP APIs, server-side applications, and single-page applications.

StackHawk can be integrated into CI/CD workflows to run tests and provide feedback on scan findings. It supports breaking builds based on the severity of untriaged findings and works with most major CI tools.

StackHawk focuses on simplicity, helping developers quickly find and fix security issues. Its scanner is configured via YAML that accompanies the application code, and the platform provides clear descriptions, examples, and tools like curl commands for issue replication and debugging.

Yes, StackHawk can notify teams of scan results through various channels like Slack, Datadog, or via webhook messages, allowing teams to process and act on the data as needed.

Yes, StackHawk offers a free trial that allows users to test it on a single application. Additional details and sign-up options are available on their website at stackhawk.com.

StackHawk scans are designed to be fast, with most customer applications averaging around or under ten minutes per scan.

Scott Gerlach
Scott Gerlach
9 min
16 Jun, 2022

Comments

Sign in or register to post your comment.
Video Summary and Transcription
StackHawk is a dynamic application security testing tool that runs active security tests on various types of applications, providing simple descriptions and examples of security issues. It integrates with CI processes and provides feedback on scan findings. The StackHawk YAML is used to configure the scanner, including important information about the application and additional configuration options. OpenAPI and GraphQL integration is possible with minimal configuration.

1. Introduction to StackHawk

Short description:

StackHawk is a dynamic application security testing tool that helps you find and fix security issues in your running HTTP applications and API endpoints. It runs active security tests on various types of applications, including REST API, GraphQL API, SOAP API, server-side applications, and single-page applications. StackHawk is designed for automation and CICD, making it an essential part of your testing strategy. It provides simple descriptions and examples of security issues, allowing you to quickly understand and fix them. Integration with CI processes and feedback on scan findings are also supported.

What's going on JS Nation? I'm Scott Gerlach, co-founder and chief security officer at StackHawk. I hope you're really enjoying JS Nation and making the most out of it.

Let's talk about StackHawk. Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs, and keep them from becoming vulnerable. You can use StackHawk to run active security tests on your running REST API, GraphQL API, SOAP API, server-side application, and single-page applications. StackHawk was built for automation and CICD, to be part of your robust testing strategy for your application development lifecycle. It also makes finding, understanding, and fixing security bugs easy.

How does StackHawk work, you ask? Great question. StackHawk runs active security tests against your running applications, to ensure that your application is handling user input and output in a safe manner, as well as implementing OWASP top 10 best practices for application security. We can do this against your running application on your local host, in CICD workflows, and against applications that have yet to be published on the Internet. We also made dynamic testing fast. By placing the scanner as close to the application as possible and by using open standards to inform the scanner, OpenAPI spec, GraphQL, introspection queries, SOAP, WSDL, in addition to the scanner tuning we've made, most StackHawk customer applications scan average around or under ten minutes.

Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find and most importantly fix security issues. The StackHawk scanner and platform are built around this simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing. When StackHawk findings are triaged, the platform is trying to give you the simplest version of information needed to help you quickly understand what the problem is with simple descriptions and examples of patterns to help you identify the anti-pattern, be able to recreate the issue with tools like simple curl command to replay the attack, and get you into debug mode, stepping through code as fast as possible to help you fix issues and get back to your regular job of creating value for your customers. All of this is CICD enabled. Again, you can integrate this into your CI process and importantly get feedback into the CI process on scan findings. This information can be used to break a build if you choose. Based on severity of untriached findings, most of the major CI player logos are shown here on this slide, and even if your particular one isn't, chances are pretty good Stackhawk will work in your platform as long as it can run a docker container. You can run Docker, you can run Stackhawk. You can also see here, Stackhawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to Datadog, or send you a simple webhook message that you can then use to process and do with the data what you choose.

Let's take a look at what running the Stackhawk scanner looks like. As you can see here, I've got a standard server side application. This one is a Pulse app that I want to test for security issues. So over here on my command line, I've got a simple Docker command that I ran. So Docker run Stackhawk.

2. Analyzing Scan Findings and Examining Issues

Short description:

I fed it the Stackhawk YAML. It did a standard crawl and actively attacked the application for potential security issues. We have a summary of the findings, including a new SQL ejection issue and a previously addressed cross-site scripting issue. There are other issues to look at as well. We can access the scan results through a link provided. The SQL injection issue is described along with the risks it poses and links to prevent it in different language frameworks. We can examine the specific issue, view the request and response, and even replay the attack using the scanner's validate button.

I fed it the Stackhawk YAML. We'll look at that in a second. As you can see, it did a standard crawl looking for all the interesting things on the web page that it could, and then it did an attack. So it actively attacked this application for potential security issues. When it was all done, we've got a summary of these findings.

So I've actually got a SQL ejection issue that I need to take care of. You can see that it's new. I also have a cross-site scripting issue that I've done something with before. I actually made a ticket out of this, so now it's in a signed status. We've got a bunch of other things that we can look at as well, but let's take a look at those too.

Down here at the bottom we actually have a link to this scan, so we can actually take this link and paste it into a browser. By the way, output in a CI-CD system would look very much like this, because this is the standard output. So if you did choose to break a build, you would have this same link in CI-CD output. So we can go over here to our web browser and jump right into the scan that we were looking at. We were just looking at this exact same scan. We've got this SQL injection issue that we can look at quickly.

You can see that we've got a SQL injection issue. We're quickly describing what SQL injection is, how to remediate it, what it's about, and what risks it might pose to an application. We also have links to different language frameworks that show you the pattern of how to prevent SQL injection in Spring, Laravel, Django, and Rails, so that you can help identify the anti-pattern that we're looking for. Let's take a look at this particular issue here. We can see that on the polls SQL path, we have a post method that has some kind of an issue. Over on our right-hand panel, we've got a request and response of what the scanner actually did and then came back with. We can see that the scanner made a request here against the application, and it responded in some form or fashion. We can actually see that the scanner made a case when injection here. We can replay this if we wanted to. This is all helping you understand what the scanner is trying to do and what issue it thinks it's found. Interestingly, we've got this really cool validate button up here. As I mentioned before, this validate button gives you a curl command of exactly what the scanner did to identify this particular issue. You can copy and replay this attack against an application. Let's take a look at that StackHawk YAML.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Top Content
Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.
Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced 2021React Advanced 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
React's default security against XSS vulnerabilities, exploring and fixing XSS vulnerabilities in React, exploring control characters and security issues, exploring an alternative solution for JSON parsing, and exploring JSON input and third-party dependencies.
How React Applications Get Hacked in the Real-World
React Summit 2022React Summit 2022
7 min
How React Applications Get Hacked in the Real-World
How to hack a RealWorld live React application in seven minutes. Tips, best practices, and pitfalls when writing React code. XSS and cross-site scripting in React. React's secure by default, but not always. The first thing to discover: adding a link to a React application. React code vulnerability: cross-site scripting with Twitter link. React doesn't sanitize or output H ref attributes. Fix attempts: detect JavaScript, use dummy hashtag, transition to lowercase. Control corrector exploit. Best practices: avoid denialist approach, sanitize user inputs. React's lack of sanitization and output encoding for user inputs. Exploring XSS vulnerabilities and the need to pretty print JSON. The React JSON pretty package and its potential XSS risks. The importance of context encoding and secure coding practices.

Workshops on related topic

API Testing with Postman Workshop
TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
Top Content
WorkshopFree
Pooja Mistry
Pooja Mistry
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
Building out a meaningful test suite that's not all E2E
TestJS Summit 2023TestJS Summit 2023
89 min
Building out a meaningful test suite that's not all E2E
Workshop
David Burns
David Burns
We're all taught to follow the Testing Pyramid but the reality is that we build out the Testing Christmas Tree. In this workshop, David will talk you through how to break down projects and put the tests where they need to be. By the end of the workshop you will be able to update your projects so that anyone and everyone can start contributing and truly living up to "Quality is everyone job".
He will walk you through:- Component Testing- API Testing- Visual Regression Testing- A11Y testing
He will also talk you through how to get these all setup in your CI/CD pipeline so that you can get shorter and faster feedback loops.
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.