An approach for Security Testing of Web Applications

This is a guest article by “Inder P Singh”.

Introduction

As more and more vital data is stored in web applications and the number of transactions on the web increases, proper security testing of web applications is becoming very important. Security testing is the process that determines that confidential data stays confidential (i.e. it is not exposed to individuals/entities for which it is not meant) and that users can perform only those tasks they are authorized to perform (e.g. a user should not be able to deny the functionality of the web site to other users, a user should not be able to change the functionality of the web application in an unintended way, etc.).

Some key terms used in security testing

Before we go further, it will be useful to be aware of a few terms that are frequently used in web application security testing:

What is “Vulnerability”?
This is a weakness in the web application. The cause of such a “weakness” can be bugs in the application, an injection (SQL or script code) or the presence of viruses.

What is “URL manipulation”?
Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server.

What is “SQL injection”?
This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.

What is “XSS (Cross Site Scripting)”?
When a user inserts HTML or client-side script into the user interface of a web application and this insertion is visible to other users, it is called XSS.

What is “Spoofing”?
The creation of hoax look-alike websites or emails is called spoofing.

Security testing approach:

In order to perform a useful security test of a web application, the security tester should have a good knowledge of the HTTP protocol. It is important to understand how the client (browser) and the server communicate using HTTP. Additionally, the tester should at least know the basics of SQL injection and XSS. Hopefully, the number of security defects present in the web application will not be high. However, being able to accurately describe the security defects, with all the required details, to all concerned will definitely help.

1. Password cracking:

The security testing of a web application can be kicked off with “password cracking”. In order to log in to the private areas of the application, one can either guess a username/password or use a password cracker tool. Lists of common usernames and passwords are available along with open source password crackers. If the web application does not enforce a complex password (e.g. letters, numbers and special characters, with at least a required number of characters), it may not take very long to crack the username and password.

If the username or password is stored in cookies without encryption, an attacker can use different methods to steal the cookies and then the information stored in them, such as the username and password.

For more details see the article on “Website cookie testing”.
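As an added example (not from the article), here is how a defender would implement the two controls this section tests for: a password policy that rejects weak and well-known passwords, and a login cookie that carries only an opaque random token rather than the username or password. The common-password list and the user name are constructed for the example.

```python
import re
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Constructed sample list standing in for the public username/password lists
# the article mentions; a real check would load a much larger file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "welcome1", "Password1!"}

MIN_LENGTH = 10


def password_policy_findings(password: str) -> List[str]:
    """Return the policy rules a candidate password fails (empty list = accepted).

    The rules mirror the article's complexity requirement: letters, digits,
    special characters and a minimum length, plus rejection of well-known passwords.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no letters")
    if not re.search(r"[0-9]", password):
        findings.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special characters")
    if password.lower() in {p.lower() for p in COMMON_PASSWORDS}:
        findings.append("appears in common-password list")
    return findings


# Server-side session store: token -> username. Only the opaque token travels
# to the browser, never the username or the password.
SESSIONS: Dict[str, str] = {}


def issue_session_cookie(username: str) -> SimpleCookie:
    """Create a session for a logged-in user and build the Set-Cookie header for it."""
    token = secrets.token_urlsafe(32)      # 256 bits of randomness, unguessable
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True   # not readable by page scripts
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict"
    return cookie


def user_for_cookie(cookie_header: str) -> Optional[str]:
    """Resolve an incoming Cookie header back to a username, or None if unknown."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


if __name__ == "__main__":
    print(password_policy_findings("password"))        # four findings
    print(password_policy_findings("Tr0ub4dor&3xyz"))  # [] -> accepted
    c = issue_session_cookie("alice")
    print(c.output())                                  # Set-Cookie: session=<token>; HttpOnly; SameSite=Strict; Secure
    print(user_for_cookie(f"session={c['session'].value}"))
```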

2. URL manipulation through HTTP GET methods:

The tester should check if the application passes important information in the querystring. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the querystring. The tester can modify a parameter value in the querystring to check if the server accepts it.

Via an HTTP GET request, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed from this GET request to the server in order to get the required information or to corrupt the data. In such conditions, any unusual behavior by the application or web server is the doorway for the attacker to get into the application.

3. SQL Injection:

The next thing that should be checked is SQL injection. Entering a single quote (') in any textbox should be rejected by the application. If instead the tester encounters a database error, it means that the user input is inserted into some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

SQL injection attacks are very critical, as an attacker can get vital information from the server database. To check for SQL injection entry points into your web application, find the code in your code base where direct MySQL queries are executed against the database using user input.

If user input is embedded in SQL queries to query the database, an attacker can inject SQL statements or parts of SQL statements as user input to extract vital information from the database. Even if the attacker only succeeds in crashing the application, the SQL query error shown in the browser can give them the information they are looking for. Special characters in user input should be handled/escaped properly in such cases.
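The single-quote check described above, as an added example that is not part of the original article: a vulnerable string-concatenated query next to its parameterised form, run against a constructed in-memory SQLite database (SQLite stands in for the MySQL backend the text mentions), plus a handler that keeps query errors out of the browser.

```python
import sqlite3

# Constructed in-memory database standing in for the application's backend.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                 [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
conn.commit()


def find_user_vulnerable(name: str) -> list:
    """Builds the query by string concatenation: user input becomes SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(name: str) -> list:
    """Parameterised query: the driver sends the value separately from the SQL,
    so a quote in the input is data, never syntax."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def single_quote_probe(lookup) -> str:
    """The tester's check from the article: submit a lone single quote and see
    whether a database error surfaces. Returns a short verdict."""
    try:
        lookup("'")
    except sqlite3.Error as exc:
        return f"database error reached the caller: {exc}"
    return "no database error"


def handle_request(name: str) -> dict:
    """How the page should answer even if a query does fail: log the detail
    server-side and return a generic message, so the browser never sees query text."""
    try:
        rows = find_user_safe(name)
    except sqlite3.Error as exc:
        print(f"[server log] query failed for input {name!r}: {exc}")  # internal only
        return {"status": 500, "body": "An internal error occurred."}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    print("vulnerable:", single_quote_probe(find_user_vulnerable))  # database error ...
    print("safe:      ", single_quote_probe(find_user_safe))        # no database error
    # Why the error matters: with concatenation the input can rewrite the WHERE clause.
    print(find_user_vulnerable("' OR '1'='1"))   # every row in the table
    print(find_user_safe("' OR '1'='1"))         # [] : no row literally has that name
```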

4. Cross Site Scripting (XSS):

The tester should additionally check the web application for XSS (Cross Site Scripting). Any HTML, e.g. <HTML>, or any script, e.g. <SCRIPT>, should not be accepted by the application. If it is, the application can be prone to an attack by Cross Site Scripting.

An attacker can use this method to execute a malicious script or URL in the victim’s browser. Using cross-site scripting, an attacker can use scripts like JavaScript to steal user cookies and the information stored in them.

Many web applications get some user information and pass this information in variables between different pages.

E.g.: http://www.examplesite.com/index.php?userid=123&query=xyz

An attacker can easily pass some malicious input or a <script> tag as the ‘&query’ parameter, which can expose important user/server data in the browser.
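Sections 2 and 4 both concern parameters in the querystring of the example URL, so one added example (not the article's code) covers both: a handler that authorises the userid against the server-side session instead of trusting the URL, and a results page that HTML-escapes the query parameter before reflecting it. The profile store is constructed for the example.

```python
import html
from typing import Optional
from urllib.parse import urlsplit, parse_qs

EXAMPLE_URL = "http://www.examplesite.com/index.php?userid=123&query=xyz"

# Constructed stand-in for the application's user store: userid -> profile.
PROFILES = {"123": {"name": "alice", "email": "alice@example.invalid"},
            "124": {"name": "bob", "email": "bob@example.invalid"}}


def parse_params(url: str) -> dict:
    """Return the querystring as single-valued parameters (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# --- Section 2: URL manipulation ------------------------------------------

def profile_vulnerable(params: dict) -> Optional[dict]:
    """Trusts the userid in the querystring: any logged-in user can change 123 to 124."""
    return PROFILES.get(params.get("userid", ""))


def profile_safe(session_userid: str, params: dict) -> Optional[dict]:
    """Authorises against the server-side session: the querystring may only
    select a record the caller is allowed to see."""
    requested = params.get("userid", "")
    if requested != session_userid:
        return None   # a real handler would answer 403 Forbidden here
    return PROFILES.get(requested)


# --- Section 4: reflected XSS via the query parameter ----------------------

def results_page_vulnerable(params: dict) -> str:
    """Reflects the raw parameter into the page, so markup in it becomes part of the DOM."""
    return "<p>Results for: " + params.get("query", "") + "</p>"


def results_page_safe(params: dict) -> str:
    """HTML-escapes the parameter before reflecting it; the browser renders it as text."""
    return "<p>Results for: " + html.escape(params.get("query", ""), quote=True) + "</p>"


def contains_markup(rendered: str, needle: str = "<script") -> bool:
    """Tester's check: does the reflected output still contain a live tag?"""
    return needle in rendered.lower()


if __name__ == "__main__":
    print(parse_params(EXAMPLE_URL))                    # {'userid': '123', 'query': 'xyz'}
    tampered = parse_params(EXAMPLE_URL.replace("userid=123", "userid=124"))
    print(profile_vulnerable(tampered))                 # bob's record leaks to user 123
    print(profile_safe("123", tampered))                # None
    probe = parse_params(EXAMPLE_URL.replace("query=xyz", "query=<script>alert(1)</script>"))
    print(results_page_vulnerable(probe))               # live <script> tag in the page
    print(results_page_safe(probe))                     # &lt;script&gt; ... shown as text
```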

Important: During security testing, the tester should be very careful not to modify any of the following:

  •  Configuration of the application or the server
  •  Services running on the server
  •  Existing user or customer data hosted by the application

Additionally, a security test should be avoided on a production system.

The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.

163 comments

#1 Sudhir Ujagare

Awesome!!!!!!!!!!!!!!!!!!!

Thanks….

#2 shekhar rai

Very precious and awesome article.

A lot of thanks for giving such a nice article.

#3 kasuvu

Nice description and very much useful.

#4 Prashant Jadhav

Nice article and it is useful for us. Could you please give detailed information (an article) on SQL Injection? No one is familiar with it.

Thanks…….

#5 Beena

Very nice article by Inder P Singh. Thank you very much.

#6 Pankaj Sharma

Very nice article, but it will be very helpful if you provide some example with every security testing approach.

Thanks…….

#7 Ambarish Karnik

Thanks for a great article! :)

#8 its shantha

Hi,
This is Shantha from Chennai. Please tell me when security testing has to be done?

#9 prasan

boldrps1479@gmail.com

Hi Shantha,

Security testing is done for particular products.

Mail me and I will send details.

#10 Fatema

Great article. These days I am very keen to go into depth and to look for work as a penetration tester, and this article covers an in-depth overview of it. Thanks for it.

By the way, does anyone know a good institute in the UK/India for web security testing training?

Thanks and Regards

#11 prasan

boldrps1479@gmail.com

Hi Fatema, what's your id?

#12 Sushil

Nice information!
Can you please send detailed information on ‘SQL Injection’ to sushil344@yahoo.com?

#13 suyash

It's really worthy information for all testers. I think in India there are very few people who are really in security testing; I want to be one of them. Thanks for such great information.
Thanks

#14 Shilpa

I think web applications should be thoroughly tested for security. Any penetration of a web application or server can lead to loss of important data as well as company revenue.

In our company we are not concentrating much on security testing; I have pointed this out to my lead and he is convinced now.

You can set aside some fixed test plan time for security testing of a web application.

I would also love to see detailed article on SQL injection..

#15 Sureshkumar

Very useful article and it helps me in some way. Thanks for it… and can anyone please explain SQL Injection to me…

#16 shanti

Great article. These days I am very keen to go into depth and to look for work as a penetration tester, and this article covers an in-depth overview of it. Thanks for it.

#17 Fatema

Hi Prasan, my id is fatemadawoodi786@gmail.com

Also, I would like to share with you all very useful and detailed information on SQL Injection.

http://www.sitepoint.com/article/sql-injection-attacks-safe/

Hope it will give you all a start up.
Thanks n Rgds
F.

#18 kashan

Thanks a lot, it's very very very helpful.

#19 Ngoc Vu

Thanks a lot. That’s a great article. It’s very useful.

#20 anil

Hi,
I was working as a manual testing engineer. Could you please cooperate to get a job in Pune? This is my cell no: 9325767762.

#21 kishor

hi,

nice and very easy to understand.

#22 Priyaa Arora

Thanks a lot for such useful information; it helps me in building up my basics for web testing.

Thanks for Sharing.

#23 purabi

Hi,

I want to know about client-side and server-side security. As a tester, how can I test it?

Regard,
Purabi

#24 PKDuong

Dear all,

Long time since I visited this site. I love this one; it’s just the basics of security testing as the article mentions, just the terms. We have a lot of things to talk about on this topic. Hope to see another, deeper one :)

For the moment, I just thought of one question:

To be a security tester, should we try to study hacking technique and practice to hack some sites?

Thanks for reading my comment :),
Duong

#25 arun kurle

The articles are really good and helpful, thanks for that.
I want to know the difference between sanity and smoke testing, please let me know.

#26 Kotesh

Very Nice Article
very helpful to understand security types.

#27 Kotesh

Very Nice Article
very helpful to understand security types.
thx

#28 hitesh shah

Nice, it's very useful, but it should be in more detail with examples.

#29 Inder P Singh

Dear Prashant and others,

I will definitely write an article on the SQL injection and share it with you.

Thanks

#30 jagadeeshan

Hi Inder P Singh,
Nice article. Could you explain the SQL injection topic in the simplest way? Then it would be helpful for us.

#31 Girish chander raju

Hi sir,

Security testing is always in demand. Right now I am working as a manual testing professional. I am very ambitious to become a security testing professional.

thank you

#32 Girish chander raju

Sir Inder P Singh,

I need your help to reach my goal as a LEGEND IN SECURITY TESTING.

Thank you sir

#33 hitesh shah

Hi, how to test server security? Explain with an example.
thanks

#34 Siddharth

Hi,
I found this site very useful for getting answer to my queries.

#35 CH.GIRISH

Hi QA/TEST ENGINEERS,

I am a 1+ exp manual tester in an MNC. I am good at the complete STLC (Software Testing Life Cycle). Please guide me what I need to learn to make a perfect basement in software testing.
THANKS A LOT IN ADVANCE.
MY MAIL ID:girish_bio4u@yahoo.com
MOBILE : 9391395989

#36 Faraz

Thanks.
I was seeking the SQL injection concept for a long time.

#37 Piyush Agn

Good article. I got enough information regarding the testing, but some points are provided in very brief; more description is required. Kindly suggest me some good book for web-based application testing.
Thanks in advance

#38 hiqbal

Very useful to think about and research web security testing, thanks very much.

#39 Nisha arun

Nice article

#40 varun

very good

it helped me a lot

thanks a lot

#41 GIRISH

dear pkduong,

Sure, as security testers we need to study hacking and anti-hacking too. I need an explanation regarding hacking and anti-hacking.
thank you

#42 Hemant

Hi All,

It's a nice article. I am thankful to Inder P Singh, but could you please elaborate the security testing step by step?

#43 monalisa

Thanks for the ebook

#44 monalisa

thanks

#45 Madhu

Very nice, it’s very useful for all.

#46 Yoginder

Hello Inder P,

Your article on security testing is a very informative one. I am hoping to see an article on SQL Injection as well.

Thanks again for sharing this great information with us.

Regards,
Yoginder

#47 neelamohan

Thanks for a great article!

#48 Jenish

That's a very nice article. Keep going.

#49 Ashish Trivedi

Hi! I read this article. This is very good for me, for more knowledge.

#50 Chandra

Wow. It's really amazing. The way they explain is really down to earth. Hope it is enough to get a minimum knowledge on security testing. Once again thanks to the website.

#51 Vishal

Hi Vijay,

Recently I had been to an interview and encountered new terms, hard error and soft error.

They asked me the difference between a hard and a soft error.

If you have the answer, please reply to the thread.

Regards
Vis

#52 Subhadip

Previously I was involved in security testing, but didn’t know the impact of “security test defects”. This material helped me a lot to understand the same.

#53 hitseh shah

It's a normal article, but could you please elaborate the security testing step by step, how to test any server, with an example.

#54 saravanan

Hi dude,
I selected security testing as the topic for my company presentation, for a 25 min slot. Could you send some tips to make this one effective?

#55 Priya

It's very nice.

#56 Nanjil Tiger

Also look into data encryption, which is very important for security testing.

#57 Sandip Wagh

Hello,

I am a QA engineer.
Nice article and it is useful for us. Could you please give detailed information (an article) on SQL Injection? No one is familiar with it. Some examples please.

Thanks…….

#58 Sandip Wagh

Hi,

Please give detailed information on Cross Site Scripting & SQL Injection.

#59 Mallikarjun.

Hello Inder P Singh
What a nice article, it's beautiful. I am expecting more and more from you. Really great.

#60 SQL Injection – How to Test Application for SQL Injection Attacks

[…] Couple of months back Inder wrote an interesting article on “Security testing of web application”. Have a look at it for more details on different web vulnerabilities. […]

#61 sushil

Nice article!!!!

#62 PETER

This is a good and expository article. This is timely and helpful. Thank you.

#63 Arjun

Hello Fatema,
Thanks to you, because you have given a nice site for SQL injection.
It has useful info.
Bye bye

#64 Arjun

Hello Fatema,
Thanks to you, because you have given a nice site for SQL injection.
It has useful info.
Bye bye

#65 rajiv

I need more information on security testing. Please send the details to my email address.

#66 Top 25 common programming bugs every tester should know

[…] to avoid some common but serious coding mistakes. For software testers list will be useful as a security testing checklist for Internet as well as for testing desktop […]

#67 Sandip Wagh

Very precious and awesome article.

A lot of thanks for giving such a nice article.

#68 vaibhav Maheshwari

It’s really such a great article to get started on the security testing concepts. However, it would be really helpful if you could also provide some examples or website URLs where readers can get adequate information about all the concepts of security testing.

#69 Anil

Hi Vijay,
Please give a link at the bottom to reach the top of the page.
Thanks!

#70 saran

Hi, could anyone say more about security testing, or mail me at saran_loyola05@yahoo.co.in

#71 Meghana

very Informative article

#72 Pritish

Can someone help me with the testing related to PayPal and credit card transactions? What points should be taken care of while testing it?

#73 Alphonsa

Came across this website/blog just randomly. Looks great… lot of information, tips and techniques!
Hope to keep visiting :)

#74 swapnil

Can you please send detailed information on ‘SQL Injection’ to swapnil_nishith@yahoo.com

#75 prashant

I'm working on ASLC (application security life cycle) with 3i-infotech. I have 2 years exp in testing. Any job for me in testing?

#76 Sudhakar Arige

It's very precious information provided on the web; very, very few sites like this exist with the required full information.

#77 syed

Can anyone just provide the checklist of Security Testing…

Thanks in advance..

#78 HT

Very nice article and written with clarity. Proved to be useful.

#79 Vishal Pate

Hi Inder P Singh,

It is very basic and nice information for security testing.
Inder, could you possibly give examples for the above information?

#80 sanjeev

Hi… This is very bad information that I got from this site. I just suggest to everyone, please don’t visit it. All the information is wrong.

#81 Mahesh D

Great article.. thanks a lot..

#82 Sri Balaji

Great explanation provided in this article.
Really easy to understand.
Thanks to the author.

#83 Priyam

Anybody would like to know about frameworks, Automation tools (QTP,Selenium,Test Partner, Load runner……) or looking for jobs please mail me qaprofiles81@rediffmail.com

#84 Nacourja

The article was very informative and useful. Thanks for sharing your knowledge.

#85 Sandy

Thanks for the useful article.
Please continue the good work.

#86 Samadhan

Nice Article………!!!!!!!
This one will help me a lot.

#87 Tejas

This is really nice info mentioned here. But as far as Security Testing is concerned, can anyone provide me links from where I can get the collective information on the famous attacks on web applications till date…..
Kindly share your thoughts on this forum or send me email on tejas.gandhe@lionbridge.com

#88 aaaaaaaaa

Great article, very informative.

#89 moses Gandi

I am a 1+ exp manual tester in an MNC. I am good at the complete STLC (Software Testing Life Cycle). Please guide me what I need to learn to make a perfect basement in software testing.
THANKS A LOT IN ADVANCE.
MY MAIL ID: moses.welcome@gmail.com
MOBILE : 9431577453

#90 aaaaaa

Great article

#91 Anmol

agree with aaaaaaaaa

#92 ~Anmol

Very nice article and written with clarity
anmol.a.gupta@gmail.com

#93 vvv

useful….

#94 vvv

Very useful article and it helps me in some way. Thanks for it… and can anyone please explain SQL Injection to me…

#95 Govardhan Reddy M

Dear Mr.Inder P Singh (Article Author),
Great Article.
Thanks for your time.

What I feel is, it would have been good if you had discussed

HTTPS (HTTP Secured). That's where
encryption,
decryption,
public key,
private key,
digital signature,
ciphers,
authentication,
authorization,
SSL/TLS,
128-bit encryption,
SSL handshake etc. come into the picture (for a better idea about security).

It's worth reading your article.

Thanks,
Govardhan Reddy M,
Software Test Engineer,
“The best is yet to come”.

#96 Root0x

This information sucks! 10-year-old information, dude, need something new like your ==@@

#97 Archana

Hello,
I found this article interesting and came across it while trying to find out more info on security testing. I have good manual testing experience and I am keen on learning security testing. Can anyone let me know of any online training for web application security testing? What are the prerequisites required before taking up this training?

#98 Archana

Hello,
I found this article interesting and came across it while trying to find out more info on security testing. I have good manual testing experience and I am keen on learning security testing. Can anyone let me know of any online training for web application security testing? What are the prerequisites required before taking up this training?
Please mail me on archtj@gmail.com
Thanks

#99 Sudha Ranjan Das

Inder’s topic on Web Security testing and SQL Injection are excellent

#100 Navneet

Hi Friends,

I’m new in the testing field, manual testing. Can anyone tell me about security testing?
How do we do or check security testing manually?

Please give me some examples.

And also send an example of an SQL injection attack

on my mail id
mail2navneetgupta@gmail.com

#101 Meer

Hi,
This is Meer, Sr. Test Engineer. It was hard for me to understand SQL Injection; after reading this article, it's so easy to understand that even a layman (LLR in testing) can come to know it. Thanks to all who share their real-time knowledge.
Please, can anyone mail me information on XSS and SQL injection in more detail, as in when and how to start the testing.

Thnx in adv,
My mail ID:meer.saif@gmail.com

regards,
Meer

#102 Nikhil Sharma

WOW!!!!!!! Nice article.Thank you all for such useful information……..

#103 sumit bhatnagar

fantastic article ……

#104 nitin

Hi, myself Nitin. I have 1 year experience in software development. One month ago I got a job in a software testing company as QA; now I want to make a career in software testing. So please help me……..
Thanks in advance

#105 Rajaselvan

This article is very nice

#106 Komala

This article is very useful. I expect a detailed description of security testing with examples in further articles.
Thanks

#107 Vaibhav

Very helpful ! .. keep it up dude !

#108 Anil

Hi Vijay Kindly do not send any updates on my email ID..
My Email ID is anillnaik@gmail.com

Thanks,
Anil

#109 maya shah

I was expecting a detailed description of the whole of security testing…
The information is good for intermediates, but for laymen like me, freshers, I think a little more detailed description must be given…

#110 Sradhanjali

I am working as a manual tester. I am interested to know about SQL Injection. Can you please send it to me in the easiest way?

#111 Vivek joshi

This is really useful for me and also for those who want to learn more about SQL injection and software testing, but I was expecting more. Can anyone send me a detailed description???

#112 VIJAY

Hi,
Please give detailed information on Cross Site Scripting & SQL Injection with examples to my mail id.

#113 VIJAY

Hi,
Please give detailed information on Cross Site Scripting & SQL Injection with examples to my mail id. My mail id is vijaykumar.jalanila25@gmail.com.

#114 Amira Soliman

Very Good Article but needs more details
thank u so much…and waiting for the detailed one .. !

#115 Gul

It's a really good article…..

#116 Naresh

It is very good info.

Thanks a lot!!!

#117 Mugil k

Hi,
The SQL Injection and Security testing articles are very useful for all web testers.

#118 Mugil k

hi,
It's very useful for all web testers.

#119 sabari raj r

hi,

There are lots of good works on your website. I prefer Oracle for testing skills. I wish you a happy new year 2011.

#120 Prashanthi

Thanks to all. I came to know valuable info from this site.

#121 Arun

bad article

#122 Sapan

Hi,
I am new to security testing.
Can any one send me a sample test plan for secuty testing of web application.
Thanks

#123 peeyush

Good article

#124 peeyush

As I am new to the testing field and need a lot of knowledge, can anyone please elaborate this article the way a fresher would expect, assuming no one knows about security and how to implement SQL injection in a real scenario.

#125 Narendran

You must watch this w w w. filimography. blogspot. com

#126 ram

Thanks a lot singh ji….SINGH IS KING

#127 Laxman

Really very good article. We will get to know many concepts after reading this article.

Thanks a lot for good article……….

#128 sharad

Hi,

Can anybody elaborate for me
whether the same username with a different mail id and password can be used for login or registration?

#129 hamsa

very helpful article

#130 How to Test Application Security – Web and Desktop Application Security Testing Techniques — Software Testing Help

[…] Testing’. In order to know further details of security aspects, kindly refer to – Web application security testing […]

#131 Divya

Please suggest an institute for web application security testing in hyderabad

#132 wilson mantri

Very nice article by Inder P Singh. Thank you very much.

#133 priyanka singh

Very precious and awesome article….

A lot of thanks for giving such a nice article..:-)

#134 neeraj

All contents are really very useful for understanding the concept of Security Testing.

Thank you so much……..

#135 suresh

It is very useful……. Please send any information about security testing. My mail ID is pvsureshkumar2005@yahoo.com

#136 prachi

good, nice article

#137 SQL Injection – How to Test Web Applications against SQL Injection Attacks « Junaid Vanoo's Weblog

[…] of months back Inder wrote an interesting article on “Security testing of web application”. Have a look at it for more details on different web […]

#138 How to Test Application Security – Web and Desktop Application Security Testing Techniques « Junaid Vanoo's Weblog

[…] I hope this foreword is enough and now let me come to the point. Kindly accept my apology if you so far thought that you are reading about the subject of this article. Though I have briefly explained software Security and its major concerns, but my topic is ‘Security Testing’. In order to know further details of security aspects, kindly refer to – Web application security testing article. […]

#139 Pradeep

Hi,
Thanks for sharing the Security and SQL injection topics, it’s very helpful to me.

#140 jasmine

Go on, leave it.

#141 Vasudev

Very good article.. :)

#142 Megha

Can anyone please shed some light on web application security scanners in terms of desktop assessment services?

#143 hi

df

#144 sam

Indeed a nice article. Good to see youngsters being curious about website security issues and testing techniques.

#145 sreenu

Could you tell me the leading security testing tool in the market?

#146 uday

Hi. I don’t have that much experience in security testing. Can you please guide me? I’m interested to learn some basics regarding how to hack the application by using script injections……….. I’m waiting for your informative reply, dear :)

#147 Pallavi

Thank you. These are very helpful. I’m looking for WAP testing; what all things should be taken into consideration while WAP testing, and especially security testing?

#148 Santhosh Tuppad

For those who want to start with security testing, they can look into this, and also write to me if you need any guidance to start.

http://tuppad.com/blog/2012/05/14/how-do-i-start-security-testing/

You can find me on Twitter @santhoshst | LinkedIn – http://www.linkedin.com/profile/view?id=44693468&goback=%2Enmp_*1_*1_*1_*1_*1_*1_*1_*1_*1&trk=spm_pic

Thanks!

#149 Laloo Thadhani

thanks man for passing such valuable information.

#150 Tim Edward

There is a very good free online course for those who want to learn ethical hacking – http://hackvidhi.com/courses.php .

This course covers the basics of both web programming and ethical hacking. It will be starting this summer. Seats are limited, please enroll now!

#151 Samir

One of the finest articles I’ve come across. I’m willing to use it for the internal training of my QA team.

#152 Monisha

Thank you… the article really helped me….

#153 Satish

Dear Vijay,

Really very helpful article.

Thanks

#154 Ranjan Kumar

Thanks. This is very useful information about security testing. Please notify me whenever you have something new.

#155 Mark

I think this is the best article I have come across on the internet on Security Testing, Thanks Inder

#156 Kavitha Gurunathan

Information given was very useful, simple and easy to understand
Thanks!!!

#157 Asnu

Hi ,

Really Really Helpful…

#158 Sandeep

Hello Vijay,

I would like to learn how to test website security, to avoid hacking. Are there any effective tools which are easy to use?

Or are there any skills I can learn to test this very effectively?

Please advise; waiting for your reply desperately.

#159 Hanis

Accurate information, simple and more understandable… keep it up, man.

#160 Stella

Fantastic article for beginners. I have no basic knowledge of testing, but this page made me understand.

#161 Madhu

Can you please provide the step-by-step of security testing, regarding security testing of a web application with an example. I think a theoretical explanation is not enough for security testing.

#162 Pavan

Excellent article.. Simple and informative..

#163 bobo

Hi ,

Great article, by the way. I’m a tester and I want to learn more and more about security testing… can you help me?