Application testing is an essential part of developing robust software. Beyond standard functionality, it is critical to perform security testing to identify vulnerabilities, especially in web-based applications. White-box testing, in particular, allows us to inspect the internal logic and data flow of an application to verify that security controls are functioning as intended.
This video demonstrates how I applied security testing to my IoT Pixel Server project to catch potential vulnerabilities before they could be exploited. This work follows a STRIDE threat analysis performed on the same project.
By implementing these tests, we proactively prevent Cross-Site Scripting (XSS) by validating inputs at the class level.
The example project is my Raspberry Pi Pixel Server. Originally designed for a secure network, I adapted it for internet connectivity by implementing the CIA triad and the AAA security framework. To ensure it remained secure, I conducted a threat analysis followed by rigorous security vulnerability testing.
The tests in this project are white-box tests, including both unit tests and functional tests implemented with Python pytest-3. This tool was selected due to its superior integration with Python Flask compared to unittest.
The unit tests test the low-level operation of the Python classes used in the application. This takes a defense-in-depth approach, where each class has code to protect against invalid data; this is included to protect against potential cross-site scripting attacks. The functional tests use the Python Flask web application and test client, which are available in pytest-3. For these I have looked at the agile development user stories, put each one into a step-by-step process (using a diagram or written list), and then turned that into an appropriate functional test.

I have utilized several testing methodologies to demonstrate scalability and best practices:
I've also written the tests in different styles to show different ways of creating them. Some of the tests have the values coded directly into the test, which is usually how people start creating tests. I've then extracted some of the values into variables to show how multiple tests can share the same data, and then expanded that to use JSON-formatted files containing the test data. I've also created some tests that generate random data, allowing testing with different passwords that are generated by the code.
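As an added illustration (not code from the Pixel Server repository), here is a hypothetical class-level validator of the kind the unit tests described above exercise, with pytest-style tests that read constructed JSON test data and generated values; the class, function and test names are assumptions.

```python
import json
import re
import secrets
import string

class PixelName:
    """Hypothetical value class: a user-supplied label that must never carry markup."""
    MAX_LEN = 32
    _ALLOWED = re.compile(r"[A-Za-z0-9 _-]+")  # allow-list, so < > " ' & are rejected

    def __init__(self, raw):
        if not isinstance(raw, str) or not raw.strip():
            raise ValueError("name must be a non-empty string")
        if len(raw) > self.MAX_LEN:
            raise ValueError("name too long")
        if not self._ALLOWED.fullmatch(raw):
            raise ValueError("name contains disallowed characters")
        self.value = raw

def is_valid_name(raw):
    """True if PixelName accepts raw, False if the class-level check rejects it."""
    try:
        PixelName(raw)
    except ValueError:
        return False
    return True

def random_alnum(length=12):
    """Generated input, in the style of the randomised password tests (constructed here)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed test data, in the JSON layout a data file for the tests could use.
TEST_DATA = json.loads(r"""{
  "accepted": ["Living Room", "strip_01", "tree-lights"],
  "rejected": ["<script>alert(1)</script>", "a\" onmouseover=\"x",
               "<img src=x onerror=alert(1)>", ""]
}""")

def test_accepted_names():
    assert all(is_valid_name(n) for n in TEST_DATA["accepted"])

def test_rejected_names():
    assert not any(is_valid_name(n) for n in TEST_DATA["rejected"])
    assert not is_valid_name("a" * (PixelName.MAX_LEN + 1))

def test_generated_names():
    assert all(is_valid_name(random_alnum()) for _ in range(20))
```

Run with `pytest-3` (or plain `pytest`) to collect the `test_*` functions; the JSON block can be moved to a file and loaded with `json.load` without changing the tests.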
You can examine the source code for the pytest security tests on the Pixel Server GitHub repository.
The tests used are part of the testing of the Raspberry Pi Pixel Server software. These are available on the GitHub page listed below. More tests will be added in the future to increase the amount of code coverage. If you would like to see the ones that were in use at the time of this video, look at the auth branch, but in future I'll be adding more tests directly into the main branch.
Security application testing is a vital pillar of defense. For further learning on securing your infrastructure, please see the following guides:
Please subscribe to Penguin Fortress on YouTube for future videos.