Applying the SDL Framework to the Real World 285
public Internet, it will be attacked constantly and must prepare itself to
defend against these common variations. However, even if the system will
normally be deployed on a more trusted network, we believe that strong
Web server dynamic testing is important. Sophisticated attackers some-
times manage to breach their way onto these trusted networks. A weak
Web server can be a target in and of itself, or a server can present a hop-off
point to more valuable targets. Therefore, it is good practice to identify all
Web servers in order to benefit from this specialized testing.
Will there be any other inputs to the program?
Beyond Web server inputs, there are myriad other inputs that may be
built into a system: command-line interfaces, configuration files, network
inputs, native forms, scripting engines, and so forth. Each of these is an
attack surface. Each input has the potential for a logic mistake that goes
around access controls such as authentication and authorization. Logic
mistakes may allow the misuse of the program to do unintended things,
such as sell a product for a reduced or nonexistent price. Additionally, in
programming languages where the programmer manipulates computer
memory directly, poor input handling may allow serious abuse of the
program or even the operating system. Memory-related errors often allow
privilege escalation on the system or permit code of the attacker’s choice
to run. Inputs are an important attack point in any program, often the
prime attack surface.
Before the test plan is written, all the inputs to the system should be
enumerated. Each of the enumerated inputs should be tested to deter-
mine that the correct input values are handled properly. Further, tests
must be run to prove that variations of incorrect input do not cause the
system to fail or, worse, act as a vector of attack beyond the boundaries of
the software (as in a buffer overflow allowing privilege escalation and code
of the attacker’s choice). A common tool as of this writing is a fuzz tester.
These tools simulate the many variations that attackers may run against
the software. Once a fuzzer is prepared for a particular input, it will auto-
matically run through a set of variations that attempt improper inputs.
The fuzzer will stop when the program begins to misbehave or crashes.
In this way, unsafe input handling, even improper memory handling, can
be smoked out. We recommend that every input that has been changed
during this development cycle be fuzzed.