preload

Exploratory Security Testing Tool – GroundSpeed

Posted by Albert Gareev on Nov 07, 2011 | Categories: ToolsWTAmericas

Modern applications have a few layers of ‘defense’ that are supposed to protect against unauthorized access. The very first layer is at the front-end, merged with the UI. The UI part, client-side part, is at user’s computer and therefore users have the most capacities to manipulate it. Penetration testing is a purely exploratory testing activity. By using trial-and-error approach we can learn about particular weaknesses in the application, and then use that knowledge to gain some advantage. Of course, as testers, we use that knowledge to evaluate the risks and to help improving the application’s security. Although complete security testing requires specific knowledge and skills, there’s no reason why Black-Box testers can not expand their arsenal with some quick, simple, yet powerful penetration testing techniques.

Groundspeed is a free tool that allows to learn about application and to manipulate it in the ways users normally can not, thus helping to expand the testing scope.

Area of use Security (Penetration) Testing of Web Applications
Platform (OS) Windows
Vendor Open Source
Author Felipe Moreno
Twitter @fmsnewyork
Price Free
Usability (1-5, 5 – Best) 4
Link https://addons.mozilla.org/en-US/firefox/addon/groundspeed/

Recently, I conducted Weekend Testing session #21 where we worked through a few exercises, and then discussed new testing techniques enabled by the Groundspeed.

1. Bypass front-end validation of values.

2. Input values that you are normally not able to input – via hidden fields.

3. Trigger function calls in the application that are normally disabled or not accessible.

An unexpected outcome was a shorthand mnemonic crafted by Michael Larsen: “Remember the BIT”.

 


Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported
This work by Albert Gareev is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported.