
Lab 6: Sandboxing and Fuzzing

Introduction

In this lab, you will practice two techniques used in software testing: sandboxing and fuzzing.

Part-1: Sandboxing

Sandboxing is mainly associated with malware analysis in cybersecurity: security researchers run malicious software in a controlled, isolated environment so that it cannot harm their own computers and so that the analysis can be handled efficiently. In software development the concept is similar; the sandbox still provides an isolated environment, here for developers and testers. In the context of software development, including web development and revision control, a sandbox is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository. Sandboxing protects "live" servers and their data, vetted source code distributions, and other collections of code, data, and content, proprietary or public, from changes that could damage a mission-critical system or that could be difficult to revert. Sandboxes replicate at least the minimal functionality needed to test the programs or other code under development accurately. A sandbox concept is typically built into revision control software such as Git, CVS, and Subversion, in which developers check out a copy of the source code tree, or a branch, to examine and work on. After the developer has thoroughly tested the code changes in their sandbox, the changes are checked back into and merged with the repository and made available to other developers or end users of the software (https://en.wikipedia.org/wiki/Sandbox_(software_development)).

In this lab, you will use two online sandbox environments. The first one is an HTML, CSS, & JavaScript sandbox for frontend web projects. The second one is a Python sandbox. In real-world settings you will see professional sandboxing environments and systems that are well aligned with SDLC processes; these online environments are sufficient for understanding the idea behind sandboxing.

Optional Video

In addition to sandboxing, you can learn various other testing techniques used in software development projects: https://openclassrooms.com/en/courses/5162996-secure-your-web-application-with-owasp/6122381-beat-the-hackers-at-their-game

Instructions

Case-1: Stopping dangerous code – HTML, CSS, & JS Sandbox

1. Go to the HTML, CSS, & JS sandbox on https://playcode.io. It is an online HTML, CSS, & JS editor, but it can be considered a sandbox because it runs the code in an isolated context instead of directly on your computer.

2. Paste this code into the script.js tab:

for (var i = 5; i > 4; i = i + 1){ console.log(i); }

3. Take a screenshot of the console message.

Case-2: Testing different web redirections/iframe options quickly – HTML, CSS, & JS Sandbox

Assume you are a software developer working at an IT training company. You are developing a website with interactive training material on it, and you are placing links to some educational websites, such as w3schools.com, on it. Your website does not work as intended, and you want to find the reason quickly by pasting the code you wrote into the sandbox and playing with it.

Now, insert your JavaScript-based URL redirection scripts into the HTML tab. Each script has a different URL. After pasting each script, take a screenshot of the Result View window.

First redirection:

<script>

    window.location.replace("https://playcode.io/online-javascript-editor")

</script>

Second redirection:

<script>

    window.location.replace("http://www.w3schools.com")

</script>

Third redirection:

<script>

    window.location.replace("https://www.w3schools.com")

</script>

Optional:

You can replace the scripts with the iframe code below to see similar results. An example:

<iframe src="https://www.w3schools.com"></iframe>

Case-3: Stopping malicious code – Python Sandbox

1. Go to the online Python compiler and IDE: https://repl.it/languages/python3

2. Assume that you are developing an arcade game and you are using the built-in bytearray() to hold game data. Called with an integer n, bytearray(n) returns a mutable array of n zero bytes, i.e. it allocates n bytes of memory up front.

3. You used bytearray(51200000000) in your code (knowingly or unknowingly). That is a request for 51,200,000,000 bytes, roughly 51 GB of memory, in a single allocation.

4. Run this call in the Python sandbox and take a screenshot of the output.
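As an added illustration of what the sandbox is doing for you in Case-1 and Case-3 (this is example code written for this handout, not code from the lab, from playcode.io or from repl.it): a small Python helper that runs an untrusted snippet in a child process under a wall-clock limit and, on Unix, an address-space limit, so that a runaway loop is killed and an oversized allocation fails with MemoryError inside the child instead of exhausting the host. INFINITE_LOOP is a Python transcription of the Case-1 loop and HUGE_ALLOCATION is the Case-3 call; the function and constant names are this example's own choice.

```python
"""Minimal process sandbox: time limit plus (on Unix) address-space limit."""
import subprocess
import sys
from typing import Dict, Optional

try:
    import resource  # Unix only; Windows would need Job Objects for memory caps
except ImportError:  # pragma: no cover
    resource = None

# Python transcription of the Case-1 loop: i starts above 4 and only grows.
INFINITE_LOOP = "i = 5\nwhile i > 4:\n    i = i + 1\n"
# The Case-3 call: about 51 GB in one allocation.
HUGE_ALLOCATION = "bytearray(51200000000)"


def run_sandboxed(code: str, timeout_s: float = 2.0,
                  max_memory_bytes: Optional[int] = None) -> Dict[str, object]:
    """Run `code` in a fresh Python child process.

    Returns {'status': 'ok' | 'error' | 'timeout', 'returncode': int | None,
    'stderr': last 200 chars of the child's stderr}.
    """
    preexec = None
    if max_memory_bytes is not None and resource is not None:
        def preexec():
            # Cap the child's virtual address space (enforced on Linux) so an
            # oversized bytearray() raises MemoryError in the child rather than
            # taking the host's memory with it.
            resource.setrlimit(resource.RLIMIT_AS, (max_memory_bytes, max_memory_bytes))
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],  # -I: isolated mode, no user site/env
            capture_output=True, text=True, timeout=timeout_s, preexec_fn=preexec,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child when the timeout expires: this is the
        # sandbox "stopping" the code, which a bare interpreter never would.
        return {"status": "timeout", "returncode": None, "stderr": ""}
    status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "returncode": proc.returncode,
            "stderr": proc.stderr.strip()[-200:]}


if __name__ == "__main__":
    print("loop :", run_sandboxed(INFINITE_LOOP, timeout_s=1.0)["status"])
    # Under a 256 MiB cap the allocation fails fast with MemoryError on Linux;
    # on platforms that ignore RLIMIT_AS the outcome depends on the host.
    print("alloc:", run_sandboxed(HUGE_ALLOCATION, max_memory_bytes=256 * 1024 * 1024))
```

The two limits map onto the two cases: the timeout is what stops the Case-1 loop, and the address-space cap is what turns the Case-3 allocation into a contained MemoryError. Both are enforced by the operating system on the child, not by trusting the code itself to behave.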

Questions

1. Submit screenshots.

2. What does the code in Case-1, Step-2 do? What would happen if the sandbox didn’t stop the code?

3. Explain the different Result Views in Case-2. Hint: do a Google search for "same-origin policy" for the third redirection.

4. Provide your insights on running this call on your own computer versus running it in a sandbox.

Part-2: Fuzzing

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks (Wikipedia). 

Hackers and security researchers use fuzzers to find zero-day vulnerabilities; for a hacker, the next step after fuzzing is to turn the crash reports into working exploits. As with binary analysis, fuzzing can make a critical contribution to the SDLC by surfacing potential vulnerabilities from the hacker's point of view before release. The crash reports generated by the fuzzer can be handed to the software developers for investigation.

Fuzzing resembles binary analysis in taking the compiled program as its input; this is not the case for static code analysis, which works on source code and which you will practice in Lab-7. In the sense used here, fuzzing and binary analysis are black-box testing techniques (the tester needs no source code), whereas static code analysis is a white-box testing technique. (Coverage-guided fuzzers that instrument the target are often described as grey-box, but the fuzzer in this lab treats its target as a black box.)

This lab aims to answer the "what" question for fuzzing, not the "how" question. In this lab, you will fuzz an open-source, command-line image-processing tool named ImageMagick (https://imagemagick.org).

Lab Environment

Instructions

1. Click on "Windows 10".

2. Type in "isecstudent" without quotes as the password to log in to Windows 10.

3. Open a Command Prompt.

4. Change directory to C:\BFF

BFF stands for Basic Fuzzing Framework; it is maintained by the CERT Division of the Software Engineering Institute (www.cert.org) at Carnegie Mellon University. The product page is here:

https://vuls.cert.org/confluence/display/tools/CERT+BFF+-+Basic+Fuzzing+Framework

and the acknowledgments page is here:

https://vuls.cert.org/confluence/display/tools/BFF+Acknowledgements

The list of vulnerabilities discovered by the BFF tool:

https://vuls.cert.org/confluence/display/tools/Public+Vulnerabilities+Discovered+Using+BFF

5. Run the dir command to see the contents of the BFF folder.

a. bff.py is the code that will do the fuzzing.

b. The seedfiles folder contains the input files that the fuzzer script will use as starting points for mutation.

c. The ImageMagick folder contains the software that will be fuzzed. In this example, the command-line executable of ImageMagick (convert.exe) will be fuzzed.

i. convert.exe takes graphics files as input and performs the requested image editing operation on them based on the command-line options.

d. The fuzzer script does what a tester would do by hand, but automatically: it takes the files under the seedfiles folder, mutates them, and feeds each mutated file to convert.exe. What it adds is crash handling: it detects the inputs that crash convert.exe, saves them, and then minimizes each crashing file toward the original seed to find exactly which bytes cause the crash.

e. The config directory contains a file named bff.yaml. This file stores the fuzzing configuration, where you can change things like the fuzzing target, the fuzzing type, and other settings.

6. Make sure that you are in the C:\BFF folder.

7. Run bff.py in the CMD window by typing bff.py and pressing Enter.

8. Fuzzing will start immediately. Let the fuzzing script run for at least 10 minutes.

9. After waiting for 10 minutes, open another CMD window.

10. Change directory to this: C:\BFF\results\convert_v5.5.7\crashers

11. Get a directory listing by using the dir command.

12. Note that the crash reports are grouped into four different categories (subfolders), according to how the fuzzer classifies each crash.

13. Take a screenshot of this window.

14. You can stop fuzzing by closing the Command Prompt in which the script runs.
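To make step 5's description concrete, here is a toy mutation fuzzer with crash minimization, written in Python for this handout. It is not BFF's code. Its target, parse_toy_image, is a constructed parser for an invented "TOY" file format with a deliberately missing bounds check; it stands in for convert.exe and says nothing about any real ImageMagick bug. TOY_SEED is a constructed seed file, and all function names are this example's own. The parser's IndexError plays the role of the out-of-bounds read that would crash a native parser; its ValueError is a graceful rejection and is not counted as a crash.

```python
"""Toy mutation fuzzer: mutate seeds, run the target, bucket and minimize crashes."""
import hashlib
import random
from typing import Callable, Dict, List, Optional, Tuple

# Constructed seed file: 'TOY' magic, width=2, height=2, then four pixel bytes.
TOY_SEED = b"TOY" + bytes([2, 2]) + bytes([10, 20, 30, 40])


def parse_toy_image(data: bytes) -> int:
    """Constructed target standing in for convert.exe.

    Format: 3-byte magic 'TOY', 1-byte width, 1-byte height, width*height pixels.
    Deliberate bug: the header is trusted and the pixel count is never checked, so a
    truncated or header-corrupted file reads past the end of the data (IndexError).
    """
    if len(data) < 5 or data[:3] != b"TOY":
        raise ValueError("not a TOY image")  # graceful rejection, not a crash
    width, height = data[3], data[4]
    pixels = data[5:]
    checksum = 0
    for i in range(width * height):  # no bounds check against len(pixels)
        checksum = (checksum + pixels[i]) & 0xFF
    return checksum


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, truncation, interesting byte, or insertion."""
    buf = bytearray(data)
    if not buf:
        return bytes(buf)
    op = rng.randrange(4)
    if op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        del buf[rng.randrange(len(buf)):]  # truncate (models a cut-off file)
    elif op == 2:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def run_target(target: Callable[[bytes], object], data: bytes) -> Optional[str]:
    """Return None if the target handles the input, else the exception name ('crash')."""
    try:
        target(data)
        return None
    except ValueError:
        return None  # the parser's own validation failure
    except Exception as exc:
        return type(exc).__name__


def minimize(target: Callable[[bytes], object], crasher: bytes, signature: str) -> bytes:
    """Shrink a crashing input while the same crash persists (chunk-removal delta debugging,
    the idea behind a fuzzer's minimizer, implemented independently here)."""
    current = crasher
    chunk = max(1, len(current) // 2)
    while chunk >= 1:
        i = 0
        while i < len(current):
            candidate = current[:i] + current[i + chunk:]
            if run_target(target, candidate) == signature:
                current = candidate  # removal kept the crash: accept it
            else:
                i += chunk  # removal lost the crash: these bytes matter
        chunk //= 2
    return current


def fuzz(target: Callable[[bytes], object], seeds: List[bytes], iterations: int,
         seed: int = 0) -> Dict[Tuple[str, str], bytes]:
    """Mutate seeds, run the target on each mutant, and bucket unique crashes by
    (exception name, hash of the minimized input), like a results/crashers folder."""
    rng = random.Random(seed)
    crashers: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        mutant = mutate(rng.choice(seeds), rng)
        signature = run_target(target, mutant)
        if signature is None:
            continue
        minimized = minimize(target, mutant, signature)
        key = (signature, hashlib.sha256(minimized).hexdigest()[:12])
        crashers.setdefault(key, minimized)
    return crashers


if __name__ == "__main__":
    for (sig, digest), data in fuzz(parse_toy_image, [TOY_SEED], 500).items():
        print(f"{sig}/{digest}: {data.hex()}")
```

Every minimized crasher ends up as exactly the five header bytes with a non-zero width*height and no pixel data, which is the smallest input that still triggers the unchecked read; that is the same kind of answer BFF's minimization gives you for convert.exe, except that there you get a file and a crash report rather than a Python exception.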

Questions

1) Submit the screenshot.

2) Summarize what you’ve done in this lab as if you are explaining it to a non-technical person.

3) What benefits/advantages will you have once you add fuzzing to the SDLC?