

Wednesday, April 25, 2012

Explain the concepts of Directory traversal attacks?


A directory traversal attack is also known as a path traversal attack, and many people are unfamiliar with this security threat. This article is dedicated to making you aware of it.

What is meant by Directory Traversal Attacks?

- Directory traversal attacks exploit insufficient sanitization or validation of the input data supplied by the end user.
- As a result, the characters that represent "traverse to the parent directory" are passed through to the file APIs.
- The aim of a directory traversal attack is to make an application access a computer file that was not intended to be accessible.
- The application acts on the commands of the attacker.
- In such situations there is no fault in the program code, which works perfectly well; what it lacks is security, and that is what the attacker takes advantage of.
- The attacker takes advantage of the lack of security in the software system or application.
- This is the opposite of exploiting a bug in the code.
- Directory traversal attacks are sometimes also called the “../ attack” (pronounced “dot dot slash attack”).
- One common form of such attacks is the canonicalization attack.
- Some other, rarer forms are backtracking and directory climbing.
- In every operating system there exists a common file that hackers often use to crack passwords.
- In some operating systems like UNIX, no such password file exists.
- Rather, the passwords are stored in a shadow file which is not accessible to users that the machine recognizes as unprivileged.
- Password files are also useful in another way: for enumerating the user accounts present on that particular machine.
- Directory traversal attacks vary with the operating system, because the traversal strings used differ from one operating system to another.
- Directory traversal attacks are quite a menace these days and are difficult to manage.

How to prevent directory traversal attacks?

Software engineers have formulated an algorithm for the prevention of directory traversal attacks, which goes like this:
- Process URI requests in such a way that they do not invoke any file request, for example by executing a hook into the code.
- Whenever you have to process a URI request for a file or directory, build the full path to that file or directory, if it exists, and normalize all the characters. For example, normalize %20 to spaces.
- Assume that a fully qualified, normalized path to the document root is known, that this string has length N, and that no files outside this directory are accessible.
- Ensure that the first N characters of the fully qualified path to the requested file match the document root exactly.
- If the above condition proves to be true, allow the file to be served.
- If the above condition proves to be false, return an error, since the requested file is inaccessible.
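The prefix check described in the steps above, as an added example that is not code from the original article. The function names, directory names and requests are constructed for illustration. It also anchors the match on a path separator, a detail the steps do not spell out, because a bare prefix comparison accepts a sibling directory whose name merely starts with the document root's name.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_request(doc_root, uri_path):
    """Return the absolute file path to serve, or None if the request must be refused."""
    # Fully qualified, normalized document root (symlinks resolved).
    root = os.path.realpath(doc_root)
    # Normalize the request once: %20 becomes a space, %2e becomes a dot.
    decoded = unquote(uri_path)
    if "\x00" in decoded:
        return None  # a NUL byte is never part of a legitimate path
    # Build the full path, then collapse ".", ".." and symlinks.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # The first N characters must equal the document root, and the match must
    # end on a path separator so "/srv/www-private" is not taken for "/srv/www".
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def bare_prefix_allows(doc_root, uri_path):
    """The unanchored 'first N characters match' test, kept only for comparison."""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, unquote(uri_path).lstrip("/")))
    return candidate.startswith(root)


# Constructed requests; the directory and file names are made up for this example.
SAMPLE_REQUESTS = [
    "/index.html",
    "/my%20file.txt",
    "/../www-private/secret.txt",
    "/%2e%2e/%2e%2e/outside.txt",
]


def demo():
    """Evaluate SAMPLE_REQUESTS against a constructed tree: uri -> (anchored, bare)."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        sibling = os.path.join(base, "www-private")
        os.mkdir(root)
        os.mkdir(sibling)
        for path in (os.path.join(root, "index.html"),
                     os.path.join(root, "my file.txt"),
                     os.path.join(sibling, "secret.txt")):
            with open(path, "w") as handle:
                handle.write("constructed sample content\n")
        return {uri: (resolve_request(root, uri) is not None,
                      bare_prefix_allows(root, uri))
                for uri in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for uri, (anchored, bare) in demo().items():
        print(f"{uri:32} anchored={anchored} bare_prefix={bare}")
```

The third request is the case to watch: the bare comparison accepts it because the resolved path still begins with the document root string, while the separator-anchored check refuses it.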

Effective control over access to web content is essential for running a web server securely. Most web servers employ one of the two security mechanisms listed below:

1. Root directory:
This directory keeps users confined within specific limits, outside which nothing can be accessed. It is created to prevent unprivileged users from gaining unauthorized access to files containing sensitive data.
2. Access control lists (ACLs):
These lists are used in the process of authorization. They contain information about the users who can legitimately access the files.


How does a definition clear path play a role in data flow testing?


Definition clear path is a rarely heard term! This article focuses on the concept of a definition clear path and the role it plays in data flow testing. First let us define what a definition clear path actually is.

"A definition clear path, as can be made out from the term itself, is a path through which other variables cannot be defined or through which other variable definitions cannot be made."

To make the meaning of a definition clear path clearer, let us look at an example:
- Suppose X is a variable declared or appearing in a software program or procedure.
- Suppose there is a path which does not contain any nodes with a definition of the variable X.
- Such a path, not containing any variable definitions, is termed a definition clear path.

We can now define a definition clear path as a path between two nodes A and B, with X being defined in A and used in B, such that no other definition of the variable X exists between the two nodes on the path.

Let us see another example to explore another type of definition clear path that can exist.
- Suppose the same variable X is defined at a node A, with a use at another node B.
- Suppose the path formed by these two nodes A and B does not appear in the sub path; then such a path is also a definition clear path for the variable X defined by the nodes A and B, if the variable X is not defined in the sub path.
- Another common name for the definition clear path is “def-clear path”.

Now let us talk about the role that the definition clear path plays in the data flow testing. Actually in the data flow testing, there are three types of coverage that have to be provided namely:
  1. Statement coverage
  2. Branch coverage and lastly
  3. Path coverage
Problems are mostly faced in the path selection process. A definition of the variable X reaches a use if and only if there exists a sub path that is a definition clear path with respect to the variable X. Path selection in data flow testing is based on two criteria:

  1. Rapps and Weyuker criteria: Under these criteria the definition clear sub paths from definitions to uses are listed.
  2. Laski and Korel criteria: Under these criteria the various combinations that reach uses at a node via some sub path are listed.

How does Definition Clear Path play a role in Data Flow Testing?



- Definition clear paths are known to make remarkable improvements to the control flow techniques for data flow testing.
- A rationale is obtained for the need to take all the combinations of the sub paths into consideration.
- The “all uses” criterion is the most commonly preferred.
- Some paths in a program are infeasible, and it is these paths that pose a big problem in data flow testing.
- The path testing strategies are based on the data flow anomalies.
- Enough paths must be tested to ensure that every object in the program has been initialized before use and has been used at least once during program execution.
- For complete data flow testing, the test cases must execute definition clear paths from each node that contains a defined variable.
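The reachability rule above (a definition of X reaches a use only along a definition clear sub path) can be checked mechanically. The following is an added example, not code from the original post; the control flow graph, the node numbering and the function names are constructed for illustration, and a node that both uses and defines X is assumed to use it first.

```python
from collections import deque

# Constructed program, one statement per node:
#   1: x = 0           (definition of x)
#   2: x = read()      (definition of x)
#   3: while x > 0:    (predicate use of x)
#   4:     x = x - 1   (computational use, then definition of x)
#   5: print(x)        (computational use of x)
CFG = {1: [2], 2: [3], 3: [4, 5], 4: [3], 5: []}
DEFS = {1: {"x"}, 2: {"x"}, 4: {"x"}}
USES = {3: {"x"}, 4: {"x"}, 5: {"x"}}


def def_clear_path(cfg, defs, var, def_node, use_node):
    """Return a shortest definition clear path for var from def_node to use_node, or None."""
    queue = deque([[def_node]])
    seen = {def_node}
    while queue:
        path = queue.popleft()
        for nxt in cfg[path[-1]]:
            if nxt == use_node:
                # The use is reached before any redefinition on this path.
                return path + [nxt]
            if nxt in seen or var in defs.get(nxt, set()):
                # Already explored, or var is redefined here: not definition clear.
                continue
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def du_pairs(cfg, defs, uses, var):
    """Map every (definition node, use node) pair of var to a definition clear path."""
    pairs = {}
    for d in sorted(n for n in cfg if var in defs.get(n, set())):
        for u in sorted(n for n in cfg if var in uses.get(n, set())):
            path = def_clear_path(cfg, defs, var, d, u)
            if path is not None:
                pairs[(d, u)] = path
    return pairs


def unused_definitions(cfg, defs, uses, var):
    """Definitions of var that reach no use (node 1 in the constructed program)."""
    reaching = {d for d, _ in du_pairs(cfg, defs, uses, var)}
    return sorted(n for n in cfg if var in defs.get(n, set()) and n not in reaching)


if __name__ == "__main__":
    for (d, u), path in du_pairs(CFG, DEFS, USES, "x").items():
        print(f"def at {d} reaches use at {u} via {path}")
    print("definitions with no reaching use:", unused_definitions(CFG, DEFS, USES, "x"))
```

Each returned path is one test path that an "all uses" test set would need to cover for that definition and use; the definition at node 1 is overwritten at node 2 before any use, so it has none.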


Tuesday, April 24, 2012

What is a Test Harness?


Test harness is a rarely heard concept in the field of software testing. 

What is a Test Harness?
- A test harness is also known by another name, “automated test framework”.
- A test harness can be defined simply as a collection of test data and software that has been configured in order to test a unit of a software program.
- The program is run under various conditions. 
- Under each condition the behavior as well as working of the program is observed and the outcomes are reported. 

Phases of Test Harness Process

The whole process of test harness is completed in two individual phases:
1. Test execution engine and
2. Test script repository

How is Test Harness carried out?
- The test harness process cannot be carried out without automation of the tests.
- The automated tests can then themselves call the concerned functions with the required parameters and execute them.
- The actual results are then compared to the expected results.
- The test harness acts as a hook for the already developed code, which is highly testable and can be checked using an automation framework or test harness.

What should a Test Harness do?
The below mentioned are the things that a test harness must do:
1. Run specific tests in order to allow optimization.
2. Orchestrate an environment during the run time.
3. Analyze the results

Certain objectives have been defined for a test harness:
1. Automation of the whole testing process.
2. Execution of the specified test cases.
3. Report the outcomes.

Advantages of a Test Harness
A test harness is quite advantageous; some of its advantages are stated below:
1. It increases productivity by automating the whole test process.
2. It increases the probability that regression testing will take place.
3. It increases the quality of the components of the software system and application.
4. It helps ensure the similarity of the subsequent as well as the previous test cases.
5. It helps in running the tests at any time, even when the testing staff is not available.
6. It effectively executes the test scripts, including conditions that are otherwise unexecutable because they are difficult to simulate.

How does a Test Harness facilitate testing at Integration level?

- Test harness has also been developed to facilitate the testing at the integration level i.e., the integration testing. 
- The test stubs tested by a test harness are components of an application that is currently under development and during testing they are replaced by the working components of the developed application in the top down design. 
- Test harness serves as an external aid to the software system or application under testing by simulating functionalities and features which are not present in the immediate test environment.
- In other words, the test harness helps in providing substitutes in case any functionality is found to be missing during the test. 
- When the same test harness is kept outside the source code of the software system or application, it can be used again and again for multiple projects.
- It forms a deliverable part of the project. 
- The test harness is not provided with any knowledge of test cases, test suites and test reports since it has the capability of simulating the functionality.
- The information on these aspects is fed to the test harness via associated automated testing tools and a testing framework. 
- A test harness can also have a graphical user interface for the ease of operation, logging and scripting of the test cases.
- A new test harness is written for each run time and language, since it is very difficult to write a test harness that works across all languages and run times.
- Test harness generates the application which is required to run the tests by providing the required code, files, and test cases and so on.


What are different data flow testing strategies?


Data flow testing is quite important, since you do not want unreasonable things to happen to your data objects, which in turn can take the whole control flow of your program off the right track. To do sensible data flow testing you need to use sensible and reliable data flow testing strategies.

This article is all about such data flow testing strategies. 
There are two types of machines that are used by the data flow as mentioned below:

  1. Von Neumann machine architecture
  2. Multi- instruction, multi- data machines architecture (MIMD)
- Before carrying out data flow testing, it is good to assume a bug which causes a problem in the control flow of the program.
- It is not compulsory to use the typical data flow graphs; annotated ordinary control graphs can also be used to guide the data flow testing process.
- A data flow graph depicts all the directed links and nodes involved in the data flow.
- All the strategies for data flow testing that we are going to discuss are structural in nature and also focus on the actions taking place on the data objects rather than just on the connectivity of the software program.

Requirements of Data flow testing Strategy
- Data flow link weights are the first requirement of any data flow testing strategy. 
- All these strategies are based on the selection of path segments that satisfy at least a few of the data flow characteristics common to all the data objects.
- A data flow testing strategy X is weaker than another strategy Y if all the test cases present in Y are not included in X. Y is then said to be the stronger strategy.

Important Terminologies
Let us take a look at some important terminologies before moving on to the strategies:
  1. Definition clear path segment: It is a path, defined with respect to a variable X, that consists of various links such that X is defined only on the first link.
  2. Simple path segment: In such a path one of the two nodes is visited twice.
  3. Loop free path segment: This path is contrary to the simple path segment in that every node is visited at most once.
  4. Du path segment: It is a path that is simple and definition clear since its last link consists of a computational use of variable X.

Different Strategies for Data Flow Testing
Described below are the different strategies for data flow testing:

  1. ADUP or all DU paths: This strategy is considered to be the strongest among all the data flow testing strategies. It takes into account all the du paths from the definitions of all the variables to their every use. It is also a strong data flow testing criterion. Another advantage of this strategy is that one of its tests can satisfy many definitions at a time.
  2. AU or all uses strategy: Under this strategy at least one of the definition clear paths from all the definitions of a variable has to be exercised under a test. The burden of testing is reduced here, i.e., the path coverage is cut down to branch coverage.
  3. APU + C or all p uses/ some c uses strategy: This strategy covers at least one definition free path to every predicate use for every definition of the function. If this does not cover all the definitions of the variable, then it is recommended that computational use test cases are exercised.
  4. ACU + P or all c uses/ some p uses strategy: This strategy is just the opposite of the above strategy.
  5. AD or all definitions strategy: It covers only the definition of the variable. 


Monday, April 23, 2012

How does a loop free path segment play a role in data flow testing?


Loop free path segments are an important term in data flow testing, but many of us are not familiar with the concept or with the role they play in data flow testing or path testing. In this article we have tried to explain, in the easiest way possible, the concept of the loop free path and the role it plays in data flow testing.

Before taking up the topic of the loop free path segment and its role in data flow testing we shall discuss a little about the data flow testing. 

The control flow graph is the best tool that the data flow testing can use in exploring all the weird or unreasonable things that can affect the data objects. These weird and unreasonable things are nothing but the anomalies.

Till now nine types of anomalies have been defined as mentioned below:

  1. dd: harmless but suspicious
  2. dk: might be a bug
  3. du: a normal case
  4. kd: a normal situation
  5. kk: harmless but might be containing bugs
  6. ku: a bug or error
  7. ud: not a bug because of re- assignment
  8. uk: a normal situation
  9. uu: a normal situation
- If these anomalies are taken into consideration, one can develop very effective and reliable path selection strategies, which can then be used to fill the gaps between branch testing and complete path testing.
- The strategies followed for carrying out a data flow test are based on the selection of paths via the flow of control of the software system or application.
- These path selection strategies are quite useful when it comes to exploring the sequences of the events that are in a way related to the status of the data objects. 
- The paths are so selected that they cover up all the objects, i.e. they ensure the initialization of each and every data object before it is used in the program and also that they are used for a minimum of one time. 

Categories of Data Objects


- The data objects have been categorized in to three different categories for making the path selection process easier:
  1. Defined, created, initialized (d)
  2. Killed, undefined, released (k)
  3. Used:
     (a) In calculations (c)
     (b) In predicates (p)

- An object is said to be defined whenever it has an occurrence in a data declaration or is assigned with a new value or is dynamically allocated. 
- On the other hand, an object is said to be used whenever it becomes a part of a predicate or a calculation.
- The anomaly detection process relies heavily on the following two anomaly detection techniques:
  1. Static anomaly detection (responsible for syntax errors) and
  2. Dynamic anomaly detection (responsible for logical errors).

What are Loop Free Path Segments


- Now coming to the loop free path segments, this is a terminology that is usually used under the context of the data flow modelling. 
- Loop free path segments are discovered using the control flow graph.
- The loop free path segments are basically a derivative of the simple path segments.
- Whether a simple path segment is also a loop free path segment depends on the simple path segment itself.
- If the simple path segment consisting of two nodes A and B has a loop in both the nodes, then it cannot be called a loop free path.
- Loop free paths are the simple path segments that have a loop in only one of the two nodes.


How does a simple path segment play a role in data flow testing?

Whenever you have discussed data flow testing you must have come across the term simple path segment among the strategies for data flow testing. Many of us are not quite clear about the concept of simple path segments and the role they play in data flow testing. This article is all about simple path segments and that role.

First we shall brief ourselves on the concepts of data flow testing before moving on to the topic of simple path segments and their role.

What is Data Flow Testing


- Data flow testing includes all those strategies that have been based up on the selection of the paths via the control flow of the program for discovering the sequence in which the events related to the object’s status take place.

- A primary bug assumed during the data flow testing is that though the control flow is generally correct, there is some fault with the software system or application since the data objects are not available when they are supposed to be or weird things happen to the data objects. 

- Even if some problem is found to preside in the control flow of the program it is initially detected by the data flow analysis. 

- Among the most helpful tools in data flow testing are control flow graphs, which are graphs consisting of directed links and nodes.

- The objective of the data flow testing is to discover the deviations in the data flow. Three types of data objects have been defined namely:


  1. Killed or undefined
  2. Defined
  3. Usage
And some nine kinds of anomalies have been defined:

  1. dd: harmless but suspicious
  2. dk: might be a bug
  3. du: a normal case
  4. kd: a normal situation
  5. kk: harmless but might be containing bugs
  6. ku: a bug or error
  7. ud: not a bug because of re- assignment
  8. uk: a normal situation
  9. uu: a normal situation
These anomalies are detected by the means of two anomaly detection techniques namely:

  1. static anomaly detection technique and
  2. dynamic anomaly detection technique
All the strategies involved in the process of data flow testing are structural. Data flow testing and path testing strategies have many things in common; one difference between them is what each takes into account for testing. Both path testing and data flow testing emphasize the raw connectivity of the graph, but data flow testing additionally focuses on what happens to the data objects.

There are many terminologies associated with data flow testing, and simple path segment is one of them. The others are:

  1. definition clear path segment
  2. loop free path segment
  3. du path segment

What is Simple Path Segment


We shall now define what a simple path segment is! 

- Any path in which the same node is visited at most twice is called a simple path segment.
- One can easily make out why a simple path segment is called so!
- It is called so because it does not consist of loops in both the nodes.
- Only one node holds the loop. 
- One of the problems that are faced by the testers is of finding the simple paths. 
- This problem can be overcome by following a lower bound max- flow approach. 
- The simple path segments though being, are important in the data flow testing just like all the other path segments. 


Saturday, April 21, 2012

What is meant by client-driven iterative planning?


Iterative planning is one of the important planning strategies categorized under the agile software development processes. Iterative and incremental cannot be neglected if we want a cost and time efficient software development plan. Iterative planning is a must! However so far only 3 types of iterative planning have been designed as mentioned below:

Types of Iterative Planning
1. Risk driven iterative planning
2. Client driven iterative planning and lastly
3. Time boxed iterative development planning

This article focuses on the 2nd type, i.e., client driven iterative planning. But before moving on to that, we'll discuss iterative development a little, so that the concept of client driven iterative planning becomes easy to understand.

What is Iterative Planning?

- An iterative planning is required before starting of any iteration for the production of the plan of the programming tasks. 
- Each iteration may take up from 1 to 3 weeks depending up on the complexity of the program. 
- For every iteration some user stories are chosen that are most valuable to the customer.
- Iterative planning is an extremely important part of the below mentioned processes:
  1. Extreme programming
  2. Rational unified process and
  3. Many other agile software development frame works
- Any iterative planning, be it risk driven, client driven or time boxed, is based on one agile principle: develop a software system or application through several small iterations or repeated cycles rather than drawing out the whole software system or application in just one development process.
- Dividing the development process into small iterations gives the developers a chance to apply what they learned earlier in the development process.
- Firstly the sub set of the system requirements is implemented in a very simple way and later the evolving versions of the software system or application are enhanced making use of the iterations.
- This process of enhancing through the iterations continues till the whole software system or application has been implemented. 
- Every iteration seeks the modifications in the design and also the addition of new functionality.
- The following are the 3 main steps of any iterative planning, be it risk driven, client driven or time boxed:
  1. The initialization step
  2. The iteration step and
  3. The project control list
- The first step deals with the creation of the base version of the software system or application so that it can be reviewed by the customers or the clients. 
- This base version acts as a sample for reviewing and feedback purposes. 
- The second step deals with the redesigning and implementation of tasks in order as they are mentioned in the project control list.
- The purpose of this project control list is to serve as a guide to the iteration development process. 
- This project control list is meant to be revised continually as in many of the cases the requirements of the software system or application keep on changing. 
- Certain guidelines have been stated for the implementation process called the implementation guidelines. 

About Client Driven Iterative Planning

- The basic difference between client driven iterative planning and the other types of planning is that the choice of features for the iterations comes from the customers, or more appropriately, from the clients.

- This set of features is often decided by the clients based on how valuable each feature is to their business.

- This development methodology allows the client to steer or drive the whole development as they want iteration by iteration requesting the features that are of the utmost importance to them. 

- The features for the next iteration are planned by the client “adaptively”. 

