I have been involved in test-based development on ASP.NET MVC and ASP.NET WebAPI using NMock unit tests; however, most of the unit tests that I write revolve around testing functionality.
From the point of view of unit testing:
Are there any frameworks to test the vulnerability of access points, Actions on Controllers (or any other components)?
From the point of view of automated/manual QA testing:
Are there any (preferably open source) tools for testing the vulnerability of a website built on ASP.NET MVC, manual or automatic, which can be used for Quality Assurance?
A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed.
MVC provides a lot of infrastructure support for Forms Authentication. Forms authentication is highly customizable: you can customize everything from the sign-in form to where the credentials are stored and how those credentials are validated. Forms Authentication in ASP.NET relies on cookies by default.
I would go about testing your ASP.NET MVC application in the same manner as I would test any other web application built on any other platform.
Essentially, your attack vectors are the web pages and server(s) hosting the application. Think about it from an attacker's point of view. They have no way to see the code in your controllers and models, but they can do the following.
You can use any number of applications to test your site for XSS, CSRF, SQL injection, etc. A good place to start is OWASP: https://www.owasp.org/index.php/Main_Page. Get familiar with the Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Also check out this SO post regarding open source web vulnerability scanners: https://stackoverflow.com/questions/2995143/open-source-web-site-vulnerability-scanners
Remember that the two main attack vectors will be user input and server configuration.
I would also recommend taking a look at Nmap and Metasploit. Nmap can be used for finding open ports on a server and Metasploit is a framework for exploiting vulnerabilities.
Well, one of the biggest areas that you should look at is the ModelBinding, since that usually creates massive vulnerabilities.
For example, take a look at this question and see if you can spot the vulnerability:
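
An added illustration of the model-binding risk mentioned in the answer above (it is not part of the original answer, and it is not the question that answer links to): over-posting, where the default binder fills properties the form never exposed. The `UserProfile` entity, the view model, the controller and its in-memory helpers are all constructed for this example.

```csharp
using System.Web.Mvc;

// Constructed entity: Id and IsAdmin must never be settable from a request.
public class UserProfile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// View model exposing only the fields the edit form is allowed to change.
public class EditProfileViewModel
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public class ProfileController : Controller
{
    // VULNERABLE: the default model binder fills every public settable
    // property that has a matching form field, so a posted IsAdmin=true
    // is bound even though the edit form never rendered that field.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult EditUnsafe(UserProfile profile)
    {
        if (!ModelState.IsValid) return View(profile);
        Save(profile);
        return RedirectToAction("Index");
    }

    // HARDENED: bind to the view model, then copy only the allowed fields
    // onto the entity loaded server-side for the current user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(EditProfileViewModel form)
    {
        if (!ModelState.IsValid) return View(form);
        UserProfile profile = LoadCurrentUser();
        profile.DisplayName = form.DisplayName;
        profile.Email = form.Email;
        Save(profile);
        return RedirectToAction("Index");
    }
    // Hypothetical persistence helpers, kept in memory for the example.
    private static UserProfile Store = new UserProfile { Id = 1 };
    private UserProfile LoadCurrentUser() { return Store; }
    private void Save(UserProfile p) { Store = p; }
}
```

Where a separate view model is not practical, `[Bind(Include = "DisplayName,Email")]` on the action parameter gives the same allow-list effect.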