As a front end developer, I’ve scoured countless pages of documentation and StackOverflow replies seeking the answer to a problem I’m trying to solve. When the issue stems from a network request or other type of data transfer, these resources have suggested using curl to execute your request. When fixing security vulnerabilities, executing a request via curl allows you to more quickly find the part of the codebase that needs to be fixed. At StackHawk, our new Validate Finding feature allows you to find and fix your security bugs faster.
Overview of curl
curl allows for the transfer data using HTTP protocol from the command line. Passing along flags give you the ability to specify your request verb (GET, POST, DELETE, etc), data output format and headers. Data can be passed along in various ways, with JSON being a common choice. This should sound familiar if you’ve used the JavaScript client Axios, Fetch web API or the GUI platform Postman for interacting with an API – curl acts similarly as a ubiquitous command line interface.
Nearly everyone with access to a command line interface can use curl, regardless of operating system (if you’re a Windows developer, many workflow tools, like Git for Windows, will have curl built in). This makes it an excellent broadly applicable tool to help developers regardless of language, framework, or type of application they are supporting.
Finding Security Bugs with StackHawk
Given the widespread use and power of curl commands, we can use the data provided from StackHawk to recreate a potential attack on our application. StackHawk is an application security testing tool, scanning your application to find security bugs. One of the easiest ways attackers will exploit your application is through a client-side input – cross site scripting (the injection of JavaScript into an input field to gain control of your app) and SQL injection (the execution malicious queries on your database) are two of the most common ways attackers will exploit unsafe input fields. StackHawk can find these security bugs and more.
Fixing Security Bugs with curl + StackHawk
After a StackHawk scan is complete, you can jump into the web application to take a look at the list of findings. The UI gives details of the request and response payloads for a particular finding. When you have a security bug, the newly released Validate button helps you fix the problem faster.
Clicking on the Validate button will generate the curl command used to identify the bug. This curl command will have the correct HTTP verb, headers and data fields to recreate the potential attack. By running this curl command in debug mode in your IDE, you can step through the requests to identify where the bug lives in code. With this, you can quickly fix the vulnerability and get back to building software.
At StackHawk, we aim to empower developers to own their application security through knowledge and tooling, like the ability to recreate a curl attack from within our platform. Using this knowledge, you can protect your input fields, write tests against malicious data requests and have the peace of mind knowing how your web application can be attacked.