An approach for Security Testing of Web Applications

This is a guest article by “Inder P Singh”.

Introduction

As more and more vital data is stored in web applications and the number of transactions on the web increases, proper security testing of web applications is becoming very important. Security testing is the process that determines that confidential data stays confidential (i.e. it is not exposed to individuals or entities for which it is not meant) and that users can perform only those tasks that they are authorized to perform (e.g. a user should not be able to deny the functionality of the web site to other users, and a user should not be able to change the functionality of the web application in an unintended way).

Some key terms used in security testing

Before we go further, it will be useful to be aware of a few terms that are frequently used in web application security testing:

What is “Vulnerability”?
This is a weakness in the web application. The cause of such a “weakness” can be bugs in the application, an injection (SQL or script code) or the presence of viruses.

What is “URL manipulation”?
Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server.

What is “SQL injection”?
This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.

What is “XSS (Cross Site Scripting)”?
When a user inserts HTML or client-side script in the user interface of a web application and this insertion is visible to other users, it is called XSS.

What is “Spoofing”?
The creation of hoax look-alike websites or emails is called spoofing.

Security testing approach:

In order to perform a useful security test of a web application, the security tester should have good knowledge of the HTTP protocol. It is important to have an understanding of how the client (browser) and the server communicate using HTTP. Additionally, the tester should at least know the basics of SQL injection and XSS. Hopefully, the number of security defects present in the web application will not be high. However, being able to accurately describe the security defects with all the required details to all concerned will definitely help.

1. Password cracking:

Security testing of a web application can be kicked off with “password cracking”. In order to log in to the private areas of the application, one can either guess a username/password or use a password cracker tool for the same. Lists of common usernames and passwords are available along with open source password crackers. If the web application does not enforce a complex password (e.g. with letters, numbers and special characters, and at least a required minimum length), it may not take very long to crack the username and password.

If the username or password is stored in cookies without encryption, an attacker can use different methods to steal the cookies and then the information stored in them, such as the username and password.

For more details, see the article on “Website cookie testing”.
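As an added example (not code from the article), two checks a developer can put behind the points above: enforcing the stated password complexity rule, and issuing a random server-side session token instead of placing the username or password in the cookie. The SESSIONS store and the minimum length are constructed for this example.

```python
import re
import secrets
import string

def meets_policy(password, min_len=8):
    """Enforce the complexity rule the article names: at least min_len
    characters, with letters, a digit and a special character all present."""
    if len(password) < min_len:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_alpha and has_digit and has_special

# Constructed server-side session store: opaque token -> username.
SESSIONS = {}

def issue_session_cookie(username):
    """Never place the username or password in the cookie. Hand out a random
    token that only the server can map back to a user, with HttpOnly (not
    readable by page scripts) and Secure (never sent over plain HTTP)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    header = f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
    return token, header

def user_for_cookie(cookie_header):
    """Resolve a Cookie header back to a user; a forged or unknown token
    maps to None because it was never issued by the server."""
    match = re.search(r"(?:^|;\s*)session=([^;\s]+)", cookie_header)
    return SESSIONS.get(match.group(1)) if match else None

if __name__ == "__main__":
    for candidate in ("password", "Passw0rd!"):
        print(candidate, "->", "accepted" if meets_policy(candidate) else "rejected")
    token, header = issue_session_cookie("alice")
    print(header)
    print(user_for_cookie(header), user_for_cookie("session=forged"))
```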

2. URL manipulation through HTTP GET methods:

The tester should check if the application passes important information in the querystring. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the querystring. The tester can modify a parameter value in the querystring to check if the server accepts it.

Via an HTTP GET request, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed from this GET request to the server in order to obtain the required information or to corrupt the data. In such conditions, any unusual behavior by the application or web server is the doorway for the attacker to get into the application.

3. SQL Injection:

The next thing that should be checked is SQL injection. Entering a single quote (‘) in any textbox should be rejected by the application. If instead the tester encounters a database error, it means that the user input is inserted into some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

SQL injection attacks are very critical, as an attacker can obtain vital information from the server database. To find the SQL injection entry points of your web application, locate the code in your code base where direct MySQL queries are executed against the database using user input.

If user input is placed into the SQL queries used to query the database, an attacker can inject SQL statements, or parts of SQL statements, as user input to extract vital information from the database. Even if the attacker only succeeds in crashing the application, the SQL query error shown in the browser can give the attacker the information they are looking for. Special characters in user input must be handled/escaped properly in such cases.
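As an added example (not code from the article), the single-quote check above applied to two versions of a user lookup: one that pastes input into the SQL text and one that uses a bound parameter. SQLite's in-memory database stands in for the MySQL queries the article refers to, and the users table is constructed here.

```python
import sqlite3

def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "o'brien")])
    return conn

def lookup_vulnerable(conn, username):
    """User input is concatenated into the SQL text: the defect the article
    describes. Any quote in the input becomes part of the statement."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes in the input can never change the statement's structure."""
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def single_quote_probe(conn, lookup):
    """The tester's check from the article: submit a lone single quote and
    report whether a database error surfaces. True marks an injection entry
    point; a correct application simply finds no such user."""
    try:
        lookup(conn, "'")
        return False
    except sqlite3.Error as exc:
        print("database error surfaced:", exc)
        return True

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup leaks error:", single_quote_probe(conn, lookup_vulnerable))
    print("parameterised lookup leaks error:", single_quote_probe(conn, lookup_safe))
    print("legitimate quote in a name still works:", lookup_safe(conn, "o'brien"))
```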

4. Cross Site Scripting (XSS):

The tester should additionally check the web application for XSS (Cross Site Scripting). Any HTML, e.g. <HTML>, or any script, e.g. <SCRIPT>, should not be accepted by the application. If it is, the application may be prone to a Cross Site Scripting attack.

An attacker can use this method to execute a malicious script or URL in the victim’s browser. Using cross-site scripting, an attacker can use scripts such as JavaScript to steal user cookies and the information stored in them.

Many web applications collect some user information and pass it between pages in variables.

E.g.: http://www.examplesite.com/index.php?userid=123&query=xyz

An attacker can easily pass malicious input such as <script> in the ‘&query’ parameter, which can expose important user/server data in the browser.
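The example URL above, worked through as added code (not from the article) covering both section 2 and section 4: the userid parameter is validated against the logged-in user instead of being trusted from the querystring, and the query parameter is HTML-escaped before it is echoed back, with the tester's <script> check run against both the vulnerable and the corrected rendering. PROFILES and the session user are constructed for this example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed records keyed by userid, standing in for the application's data.
PROFILES = {"123": "profile of user 123", "124": "profile of user 124"}

def params(url):
    """Split a GET URL's querystring into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def fetch_profile_vulnerable(session_userid, url):
    """Trusts the userid from the URL outright: editing the querystring is
    enough to read another user's record (the URL manipulation of section 2)."""
    return PROFILES.get(params(url).get("userid"))

def fetch_profile_safe(session_userid, url):
    """Checks the parameter's type and that it matches the authenticated
    session; the session, not the URL, decides whose data is returned."""
    requested = params(url).get("userid", "")
    if not requested.isdigit() or requested != session_userid:
        return None
    return PROFILES.get(requested)

def render_vulnerable(query):
    """Reflects the parameter verbatim into the page, so a <script> in the
    URL is executed by every browser that loads it (section 4)."""
    return "<p>Results for: " + query + "</p>"

def render_safe(query):
    """Escapes <, >, &, and quotes so the value is shown as text, not markup."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"

def reflects_markup(render, probe="<script>"):
    """The tester's check: if the literal tag comes back unchanged in the
    response, the page echoes input as HTML and is an XSS entry point."""
    return probe in render(probe)

if __name__ == "__main__":
    url = "http://www.examplesite.com/index.php?userid=124&query=xyz"
    print(fetch_profile_vulnerable("123", url))   # another user's record
    print(fetch_profile_safe("123", url))         # None: mismatch rejected
    print(reflects_markup(render_vulnerable), reflects_markup(render_safe))
    print(render_safe(params(url)["query"]))
```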

Important: During security testing, the tester should be very careful not to modify any of the following:

  •  Configuration of the application or the server
  •  Services running on the server
  •  Existing user or customer data hosted by the application

Additionally, a security test should be avoided on a production system.

The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.





    #1 Sudhir Ujagare on 11.17.08 at 8:09 pm

    Awesome!!!!!!!!!!!!!!!!!!!

    Thanks….

    #2 shekhar rai on 11.18.08 at 5:08 am

    Very precious and awesome article

    A lot of thanks for giving such a nice article

    #3 kasuvu on 11.18.08 at 5:49 am

    Nice description and very much useful.

    #4 Prashant Jadhav on 11.18.08 at 5:52 am

    Nice article and it is useful for us. Could you please give detailed information (an article) on SQL Injection? No one is familiar with it.

    Thanks…….

    #5 Beena on 11.18.08 at 6:23 am

    Very nice article by Inder P Singh. Thank you very much.

    #6 Pankaj Sharma on 11.18.08 at 6:29 am

    Very nice article but it will be very helpful if you provide some example with every Security Testing Approach.

    Thanks…….

    #7 Ambarish Karnik on 11.18.08 at 7:32 am

    Thanks for a great article! :)

    #8 its shantha on 11.18.08 at 8:44 am

    hi,
    This is Shantha from Chennai. Please tell me when security testing has to be done?

    #9 prasan on 11.18.08 at 8:46 am

    boldrps1479@gmail.com

    hi shantha

    security testing is done for particular products

    mail me
    will send details

    #10 Fatema on 11.18.08 at 9:27 am

    Great article, these days I am very much keen to go into depth and to look for work as a penetration tester, and this article covers the in-depth overview of it. Thanks for it.

    BTW, does anyone know a good institute in UK/India for web security testing training?

    Thanks and Regards

    #11 prasan on 11.18.08 at 9:58 am

    boldrps1479@gmail.com

    Hi Fatema, what's your id?

    #12 Sushil on 11.18.08 at 10:05 am

    Nice information!
    Can you please send detailed information on ‘SQL Injection’ at sushil344@yahoo.com ?

    #13 suyash on 11.18.08 at 10:30 am

    It's really worthy information for all testers. I think in India there are very few people who are really in Security Testing; I want to be one of them. Thanks for such great information.
    thanks

    #14 Shilpa on 11.18.08 at 10:58 am

    I think web applications should be thoroughly tested for security. Any penetration into a web application or server can lead to loss of important data as well as company revenue.

    In our company we are not concentrating much on security testing; I have pointed this out to my lead and he is convinced now.

    You can set aside some fixed test plan time for security testing of web applications.

    I would also love to see detailed article on SQL injection..

    #15 Sureshkumar on 11.18.08 at 11:16 am

    Very useful article and it helps me in some way. Thanks for it… and can anyone please explain SQL Injection to me…

    #16 shanti on 11.18.08 at 12:07 pm

    Great article, these days I am very much keen to go into depth and to look for work as a penetration tester, and this article covers the in-depth overview of it. Thanks for it.

    #17 Fatema on 11.18.08 at 2:08 pm

    Hi Prasan, my id is fatemadawoodi786@gmail.com

    Also would like to share with you all a very useful and detail information on SQL Injection.

    http://www.sitepoint.com/artic.....acks-safe/

    Hope it will give you all a start up.
    Thanks n Rgds
    F.

    #18 kashan on 11.18.08 at 2:35 pm

    Thanks a lot, it's very very very helpful

    #19 Ngoc Vu on 11.18.08 at 2:58 pm

    Thanks a lot. That’s a great article. It’s very useful.

    #20 anil on 11.18.08 at 4:36 pm

    hi ,
    I was working as a manual testing engineer; could you please help me get a job in Pune? This is my cell no. 9325767762.

    #21 kishor on 11.19.08 at 4:39 am

    hi,

    nice and very easy to understand.

    #22 Priyaa Arora on 11.19.08 at 5:40 am

    Thanks a lot for such useful information, it helps me in building up my basics for web testing.

    Thanks for Sharing.

    #23 purabi on 11.19.08 at 7:57 am

    Hi,

    I want to know about client side and server side Security. As a tester how can I test it ??

    Regards,
    Purabi

    #24 PKDuong on 11.19.08 at 10:06 am

    Dear all,

    Long time since I visited this site. I love this one; it’s just the basic things of security testing, as the article mentions, just the terms. We have lots of things to talk about on this topic. Hope to see another, deeper one :)

    For the moment, I just thought of one question:

    To be a security tester, should we try to study hacking technique and practice to hack some sites?

    Thanks for reading my comment :),
    Duong

    #25 arun kurle on 11.21.08 at 5:01 am

    Articles are really good and helpful, thanks for that.
    I want to know the difference between sanity and smoke testing, please let me know.

    #26 Kotesh on 11.21.08 at 6:47 am

    Very Nice Article
    very helpful to understand security types.

    #27 Kotesh on 11.21.08 at 6:47 am

    Very Nice Article
    very helpful to understand security types.
    thx

    #28 hitesh shah on 11.21.08 at 8:29 am

    Nice, it's very useful but should be in more detail with examples.

    #29 Inder P Singh on 11.23.08 at 4:04 am

    Dear Prashant and others,

    I will definitely write an article on the SQL injection and share it with you.

    Thanks

    #30 jagadeeshan on 11.24.08 at 11:04 am

    Hi Inder P Singh,
    Nice article. Could you explain the SQL injection topic in the simplest way? Then it would be helpful for us.

    #31 Girish chander raju on 11.25.08 at 2:43 pm

    hi sir,

    Security testing is always in demand. Right now I am working as a manual testing professional. I am very ambitious to become a security testing professional.

    thank you

    #32 Girish chander raju on 11.25.08 at 2:48 pm

    sir inder p singh,

    i need your help to reach my goal as LEGEND IN SECURITY TESTING.

    Thank you sir

    #33 hitesh shah on 11.28.08 at 6:46 am

    Hi, how to test server security? Explain with an example.
    thanks

    #34 Siddharth on 11.28.08 at 8:26 am

    Hi,
    I found this site very useful for getting answer to my queries.

    #35 CH.GIRISH on 11.28.08 at 10:51 am

    Hi QA/TEST ENGINEERS,

    I AM A 1+ YEAR EXP MANUAL TESTER IN AN MNC, I AM GOOD AT THE COMPLETE STLC (SOFTWARE TESTING LIFE CYCLE). PLEASE GUIDE ME ON WHAT I NEED TO LEARN TO MAKE A PERFECT BASEMENT IN SOFTWARE TESTING.
    THANKS A LOT IN ADVANCE.
    MY MAIL ID:girish_bio4u@yahoo.com
    MOBILE : 9391395989

    #36 Faraz on 11.29.08 at 5:27 am

    thanks
    I was seeking the SQL injection concept for a long time

    #37 Piyush Agn on 11.30.08 at 2:13 pm

    Good article, I got enough information regarding the testing, but some points are provided very briefly; more description is required. Kindly suggest me some good book for web based application testing.
    Thanks in advance

    #38 hiqbal on 12.01.08 at 11:18 am

    Very useful to think about and research web security testing, thanks very much

    #39 Nisha arun on 12.02.08 at 10:16 am

    Nice article

    #40 varun on 12.03.08 at 6:37 am

    very good

    it helped me a lot

    thanks a lot

    #41 GIRISH on 12.03.08 at 2:08 pm

    dear pkduong,

    Sure, as security testers we need to study hacking and anti-hacking too. I need explanation regarding hacking and anti-hacking.
    thank you

    #42 Hemant on 12.04.08 at 10:23 am

    Hi All,

    It's a nice article, I am thankful to Inder P Singh, but could you please elaborate the security testing step by step?

    #43 monalisa on 12.04.08 at 11:49 am

    Thanks for the ebook

    #44 monalisa on 12.04.08 at 11:49 am

    thanks

    #45 Madhu on 12.05.08 at 6:58 pm

    Very nice, it’s very useful for all

    #46 Yoginder on 12.10.08 at 3:55 am

    Hello Inder P,

    Your article on Security testing is a very informative one. I am hoping to see an article on SQL Injection as well..

    Thanks again for sharing this great information with us.

    Regards,
    Yoginder

    #47 neelamohan on 12.10.08 at 10:37 am

    Thanks for a great article!

    #48 Jenish on 12.15.08 at 4:12 am

    That's a very nice article.. Keep going..

    #49 Ashish Trivedi on 12.20.08 at 8:46 am

    Hi! I read this article. This is very good for me for more knowledge.

    #50 Chandra on 12.23.08 at 9:43 am

    Wow. It's really amazing. The way they explain is really down to earth. Hope it is enough to get a minimum knowledge of security testing. Once again thanks to the website.

    #51 Vishal on 12.24.08 at 1:31 pm

    Hi Vijay,

    Recently I went to an interview and encountered a new term: hard error and soft error.

    They have asked me the difference between Hard and soft error.

    If you have the answer, please reply to the thread.

    Regards
    Vis

    #52 Subhadip on 12.26.08 at 10:40 am

    Previously I was involved in security testing, but didn’t know the impact of “security test defects”. This material helped me a lot to understand the same.

    #53 hitseh shah on 01.02.09 at 11:06 am

    It's a normal article but could you please elaborate the security testing step by step, how to test any server with an example.

    #54 saravanan on 01.03.09 at 6:04 am

    Hi dude,
    I selected the topic security testing for my company presentation of 25 min; could you send some tips to make this one effective?

    #55 Priya on 01.03.09 at 8:49 am

    It's very nice.

    #56 Nanjil Tiger on 01.05.09 at 9:37 am

    Also look in to data encryption which is very important for security testing.
