How to Fix Security Bugs Faster with curl Validation

by nick (@nicktu12), June 9th, 2020

Too Long; Didn't Read

StackHawk is an application security testing tool that scans your application to find security bugs. The newly released Validate Finding feature lets you find and fix those bugs faster. Using curl, you can recreate the potential attack against your application from within the tool: the Validate button generates the curl command used to identify the bug, with the correct HTTP verb, headers and data fields. With this you can quickly fix the bug and get back to building software.


Learn how to leverage the Validate Finding feature of StackHawk to find and fix security bugs faster.

As a front-end developer, I’ve scoured countless pages of documentation and StackOverflow replies seeking the answer to a problem I’m trying to solve. When the issue stems from a network request or another type of data transfer, these resources have suggested using curl to execute the request. When fixing security vulnerabilities, executing a request via curl lets you find the part of the codebase that needs to be fixed more quickly.

At StackHawk, our new Validate Finding feature allows you to find and fix your security bugs faster.

Overview of curl

curl transfers data using the HTTP protocol from the command line. Passing flags gives you the ability to specify the request verb (GET, POST, DELETE, etc.), the data output format and the headers. Data can be passed along in various ways, with JSON being a common choice. This should sound familiar if you’ve used the JavaScript client Axios, the Fetch web API or the GUI platform Postman for interacting with an API; curl acts similarly as a ubiquitous command line interface.

Nearly everyone with access to a command line interface can use curl, regardless of operating system (if you’re a Windows developer, many workflow tools, like Git for Windows, have curl built in). This makes it an excellent, broadly applicable tool for developers regardless of the language, framework, or type of application they are supporting.

Finding Security Bugs with StackHawk

Given the widespread use and power of curl commands, we can use the data provided by StackHawk to recreate a potential attack on our application. StackHawk is an application security testing tool that scans your application to find security bugs.

One of the easiest ways attackers exploit an application is through client-side input: cross-site scripting (injecting JavaScript through an input field to gain control of your app) and SQL injection (executing malicious queries against your database) are two of the most common ways attackers exploit unsafe input fields. StackHawk can find these security bugs and more.

Fixing Security Bugs with curl + StackHawk

After a StackHawk scan is complete, you can jump into the web application to take a look at the list of findings. The UI gives details of the request and response payloads for a particular finding. When you have a security bug, the newly released Validate button helps you fix the problem faster.

Clicking the Validate button generates the curl command used to identify the bug. This curl command will have the correct HTTP verb, headers and data fields to recreate the potential attack. By sending this curl request while your application runs in debug mode in your IDE, you can step through the request handling to identify where the bug lives in the code. With this, you can quickly fix the vulnerability and get back to building software.

At StackHawk, we aim to empower developers to own their application security through knowledge and tooling, like the ability to recreate a curl attack from within our platform. Using this knowledge, you can protect your input fields, write tests against malicious data requests and have the peace of mind of knowing how your web application can be attacked.
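As an added example (not StackHawk's code, and not its finding format), here is how a curl command like the one the Validate button produces can be built from a finding's request fields, parsed back so a regression test can replay the request without a shell, and checked for whether the payload still comes back raw or is now HTML-escaped. The finding data, URL and response bodies are constructed; every curl argument is shell-quoted so a payload full of angle brackets and quotes reaches the app unchanged.

```python
import html
import json
import shlex

# Constructed stand-in for what a scanner finding exposes about the request
# that triggered it (verb, URL, headers, body); not StackHawk's own schema.
FINDING = {
    "method": "POST",
    "url": "http://localhost:3000/api/comments",
    "headers": {"Content-Type": "application/json", "Cookie": "session=REDACTED"},
    "body": {"author": "nick", "text": "<script>alert(1)</script>"},
}

def finding_to_curl(finding):
    """Build the curl command that reproduces the request. Every argument is
    shell-quoted, so < > ' " in the payload reach the app exactly as scanned."""
    argv = ["curl", "-X", finding["method"]]
    for name, value in finding["headers"].items():
        argv += ["-H", f"{name}: {value}"]
    if finding.get("body") is not None:
        argv += ["--data", json.dumps(finding["body"])]
    argv.append(finding["url"])
    return " ".join(shlex.quote(arg) for arg in argv)

def parse_curl(command):
    """Split the command exactly as a POSIX shell would and recover the
    request fields, so a regression test can replay it with an HTTP client."""
    args = iter(shlex.split(command)[1:])  # drop the leading "curl"
    req = {"method": "GET", "headers": {}, "body": None, "url": None}
    for arg in args:
        if arg == "-X":
            req["method"] = next(args)
        elif arg == "-H":
            name, _, value = next(args).partition(": ")
            req["headers"][name] = value
        elif arg == "--data":
            req["body"] = json.loads(next(args))
        else:
            req["url"] = arg
    return req

def classify_reflection(response_body, payload):
    """How the payload came back: 'raw' means the bug is still there,
    'escaped' means the handler now HTML-encodes it (e.g. via html.escape)."""
    if payload in response_body:
        return "raw"
    if html.escape(payload, quote=True) in response_body:
        return "escaped"
    return "absent"
```

Run the replayed request against the app under the debugger as the article describes; once the fix is in, `classify_reflection` on the response body is the assertion your regression test keeps.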

Previously published at https://www.stackhawk.com/blog/fix-bugs-curl-validation/