Feedback on the WoT Security testing

Hi, 

Below is pretty much what I sent to Michael earlier after reading the "Security testing" part of wot/testing/plan.md.

 I have read through the wot/testing/plan.md and I think it is a great start!
 Some comments/thoughts:

 1. I think in addition to testing for known vulnerabilities, we should suggest negative
 testing in general.
While I do agree that it still does not guarantee the end security, it does improve the robustness of the implementation greatly.
The usual way is to do fuzz testing and there are many test suits available for example for HTTP.
Here are some recommendations I got:
For HTTP, MQTT & COAP: https://scapy.net/ 

I also found a nice small writeup here that explains the main differences in fuzzing approaches and gives a good example: https://wildfire.blazeinfosec.com/fuzzing-proprietary-protocols-with-scapy-radamsa-and-a-handful-of-pcaps/
(can be useful if people want a quick intro).
They also mention https://gitlab.com/akihe/radamsa  as the tool of great service.

Another recommendation and a popular tool is Burp Suite: https://en.wikipedia.org/wiki/Burp_suite 
But it is for HTTP only.

However, I am wondering how to efficiently use these fuzzers to test WoT APIs.
Normally the biggest problem of fuzzing is to make sure the fuzzing input doesn't get rejected by earlier layers.
We do want the fuzzing input to reach the protocol bindings and WoT thing instance and not get discarded underneath.
We can discuss this at the next week call in more details.
 
 2. Getting back to the positive security testing, how do we recommend people to
test that their WoT APIs are indeed protected with whatever security scheme they
specified in TD?
 Again, normally, if it would be our own project, it would be just huge set of test
cases where client attempts to invoke a WoT API without proper credentials
 (without any, expired, wrong token, wrong certificate chain, etc.).
 

 3. Also, should we also name protocols also with their security counterpart: HTTP(S), COAP(S) etc.
Otherwise indeed we cannot test much with plain HTTP.

4. I think it would be worth to specify a tiny example for testing. Like how would you
 approach to test your small WoT setup.
 Otherwise people might be left wondering that "ok, there is a lot of tools there that
do this and that, but how do I APPLY in a sane way all of that to my WoT system?"

Best Regards,
Elena.

Received on Tuesday, 7 August 2018 06:04:13 UTC