SECURITY TESTING

Oct 14th, 2014

SECURITY TESTING

Introduction

As continues we are using web applications the size of useful data on the web increases, proper security testing of web applications is becoming very important. Security testing is the very much important process of testing life cycle, It is the process to confirm that confidential data stays confidential and users have access to perform only those tasks which are authorized to access.
The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.

Key Terms Used in Security Testing

Vulnerability

It is like any type of weakness in the web application. The cause of it can be bugs in the application, an injection (SQL/ script code) or the presence of viruses.
Vulnerability can be as simple as weak passwords or as complex SQL injection vulnerabilities.
Example

http://www.testattack.com/index.php?page=http://www.vulnerabilityattack.com/attack.txt (This attack is for executing attack code on remote server)

URL Manipulation

Also known as URL rewriting, is the process of modifying parameters. Websites communicate with servers for sharing information to client (browser). Changing some information in the URL may sometimes lead to abnormal behaviour by the server.
The tester must check url if the application passes important information in the query string. This happens when the application uses the HTTP methods to pass information between the client and the server. The tester can modify a parameter value in the query string to check if the server accepts it.
Example

http://www.testattack.com/savepage.php?nr=147&status=del (Changed status code from add to del to delete)

http://www.testattack.com/customerdetails.php?cid=149 (Changed customer Id to view the details of customer id = 149)

SQL Injection

This is code injection technique through the web application. In this technique site parameters are passed to database in form of SQL query in order to access database or modify it. Special characters from user inputs should be handled/escaped properly.
Entering a single quote (‘) in any textbox should be rejected by the application. If the tester succeeds to generate a database error, it means that the user details inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.
Example

Write below query in input fields and submit page rather than write in url and post page on server.

“SELECT * FROM users WHERE username = ‘martin'”; 

“SELECT * FROM users WHERE username = ” or ‘1=1′”;

XSS (Cross Site Scripting)

It is a type of injection which is typically found in web applications. Attacker can use this method to execute malicious script or URL on victim’s browser. Using cross-site scripting, attacker can use scripts like JavaScript to catch user cookies and information stored in the cookies.
The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application.
Example

http://www. testattack.com/index.php?userid=123&query=xyz

<form action=”view.php” method=”GET” /> Welcome <p>Enter your name: <input type=”text” name=”myname” /><br /> <input type=”submit” value=”Find” /></p><br> </form> <?php echo “<p>Your Name <br />”; echo ($_GET[myname]); ?>

Password Cracking

In security testing of a web application Password cracking methods can be used to identify weak passwords. It can be start using guessing the common username and password or use of password cracking tool.
If username or password is stored in cookies without encrypting, attacker can use different methods to steal username and password.
Example

Try to get username and password details from cookie in browser.

Modify variables using view source and resubmit page.

Penetration

It is a type of security testing process to find out insecure areas in projects. The main purpose of this testing is to protect the secure/important data from unknown user who is not valid user of the system like hackers.
There are two types of penetration testing, White box testing & Black box testing. In White box testing tester is having all information of system like IP Address, Code & flow diagram & based on available information tester will perform the testing.
In Black box testing, tester will perform testing without having any information of system. This will be more accurate testing method as testing done like real hackers.
Example 

Try to get password using reset feature.

Input validations must be validated server side also.

Conclusion

In this blog we’ve explained common terms which are used in web application vulnerabilities. Also we need to take care while security testing, the tester must be very careful and not to modify any of the following:
  • Configuration of the application or the server.
  • Services running on the server.
  • Existing user or customer data hosted by the application.
Additionally, a security test should be avoided on a production system.

Comments are closed.

Let's Discuss Your Project

Get free consultation and let us know your project idea to turn
it into an amazing digital product.

Let’s talk

NEWS & BLOG

Related Blogs

How Rpa Service is Reshaping the Workforce Across Industries

Technology Mar 22nd, 2024

How Rpa Service is Reshaping the Workforce Across Indus...

Read more
How to Comply My Business With The Saudi Arabia’s Personal Data Protection Law (PDPL)

Technology Mar 14th, 2024

How to Comply My Business With The Saudi Arabia’s Per...

Read more
How to Sell an App Idea To A Company in 2024?

Technology Jan 29th, 2024

How to Sell an App Idea To A Company in 2024?...

Read more

INQUIRY

Let's get in touch

UNITED STATES

31236 Meadowview Square,
Delmar, DE 19940, USA

Sales: +1 667 771 6758

UNITED KINGDOM

13 Layton Road, Hounslow,
London, TW3 1YJ

Sales: +44 7404 607567

INDIA

2nd Floor, Sun Avenue One, Bhudarpura, Ayojan Nagar, Nr. Shyamal Cross Road, Ahmedabad, Gujarat-380006

Sales: +91 635-261-6164

For Project Inquiries

biolah

hariantulis

depo 25 bonus 25

depo 25 bonus 25

mndrmndr.com

bonusdeposit.net

https://www.greentourstanzania.com/wp-includes/customize/

https://temp1.novotest.biz/id/

depo 25 bonus 25

https://sumberjo-blitar.desa.id/images

https://sumberjo-blitar.desa.id/data

depo 25 bonus 25 to 5x

depo 25 bonus 25

https://www.greentourstanzania.com/wp-includes/js/product/

https://smpabbs.sch.id/gacor/100/

https://smpabbs.sch.id/gacor/bonus/

deposit 25 bonus 25

depo 25 bonus 25

bonus new member 100

https://ppdb.smk-kosgoro.sch.id/data/depo 25 bonus 25https://jesus.nouvellevie.com/wp-includes/images/Getoko.iddepo 25 bonus 25https://bonus-baru.s3.ap-southeast-1.amazonaws.com/link-daftar-slot-gacor.htmlhttps://bonus-baru.s3.ap-southeast-1.amazonaws.com/scatter-pink-paling-gacor.htmlhttps://worldlisteningproject.org/wp-includes/depo25bonus25/bonus new member 100depo 25 bonus 25