Owing to the huge amount of data stored in web applications and the increase in the number of transactions on the web, proper Security Testing of Web Applications is becoming more important day by day.
In this tutorial, we will do a detailed study about the meaning, tools and key terms used in Website Security Testing along with its testing approach.
Let’s move ahead!!
What is Security Testing?
Security Testing is a process that checks whether confidential data stays confidential (i.e., it is not exposed to individuals or entities for whom it is not meant) and whether users can perform only those tasks that they are authorized to perform.
For Example, a user should not be able to deny the functionality of the website to other users, and a user should not be able to change the functionality of the web application in an unintended way.
Some Key Terms Used in Security Testing
Before we proceed further, it would be useful to familiarize ourselves with a few terms that are frequently used in web application Security Testing.
What is “Vulnerability”?
This is a weakness in the web application. Such a weakness can stem from bugs in the application, from an injection flaw (SQL or script code), or from the presence of viruses.
What is “URL Manipulation”?
Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server and this is termed URL Manipulation.
What is “SQL injection”?
This is the process of inserting SQL statements, through the web application's user interface, into a query that is then executed by the server.
What is “XSS (Cross-Site Scripting)”?
When HTML or client-side script entered by one user in the user interface of a web application is shown, unescaped, to other users (and so runs in their browsers), the flaw is termed XSS.
What is “Spoofing”?
Spoofing is the creation of hoax look-alike websites and emails.
Recommended Security Testing Tools
#1) Acunetix
Acunetix is an end-to-end web application security scanner. This will give you a 360-degree view of the security of your organization. It is capable of detecting 6500 types of vulnerabilities like SQL injections, XSS, Weak Passwords, etc. It makes use of advanced macro recording technology for scanning complex multi-level forms.
The platform is intuitive and easy to use. You can schedule and prioritize full scans as well as incremental scans. It contains a built-in vulnerability management functionality. With the help of CI tools like Jenkins, new builds can be scanned automatically.
#2) Invicti (formerly Netsparker)
Invicti (formerly Netsparker) is a platform for all web application security testing requirements. This web vulnerability scanning solution has capabilities of vulnerability scanning, vulnerability assessment, and vulnerability management.
Invicti is best for scanning precision and unique asset discovery technology. It can be integrated with popular issue management and CI/CD applications.
Invicti provides proof of exploit on the identification of a vulnerability to confirm that it is not a false positive. It has an advanced scanning engine, advanced crawling and authentication features, WAF integration functionality, etc. With this tool, you get detailed scan results with insights on each vulnerability.
Security Testing Approach
In order to perform a useful security test of a web application, the security tester should have good knowledge of the HTTP protocol. It is important to have an understanding of how the client (browser) and the server communicate using HTTP.
Additionally, the tester should at least know the basics of SQL injection and XSS.
Hopefully, the number of security defects present in the web application will not be high. However, being able to describe every security defect accurately, with all the required details, will definitely help.
Methods For Web Security Testing
#1) Password Cracking
Security testing of a Web Application can be kicked off with “Password Cracking”. In order to log in to the private areas of the application, one can either guess a username/password or use a password cracker tool. Lists of common usernames and passwords are available along with open-source password crackers.
If the web application does not enforce a complex password (For Example, one with letters, numbers, and special characters, or with at least a required number of characters), it may not take very long to crack the username and password.
If a username or password is stored in cookies without being encrypted, an attacker can use various methods to steal the cookies and the information stored in them, such as the username and password.
For more details, see an article on “Website Cookie Testing”.
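The two server-side controls the passage above calls for, written here as an added example rather than code from the original article: a password-complexity check that also rejects entries from a common-password list, and a failed-login throttle so an online guessing tool is locked out after a handful of attempts. The common-password set, the thresholds and the `clock` parameter are assumptions chosen for the example.

```python
import re
import time

# Constructed sample of a common-password list (real lists have millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "welcome1"}

MIN_LENGTH = 12  # assumed policy value


def password_policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


class LoginThrottle:
    """Lock an account after max_failures failed logins inside `window` seconds.

    The lock lasts `lockout` seconds. `clock` is injectable so the behaviour can be
    tested without sleeping (it defaults to the real time).
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = {}      # username -> timestamps of recent failures
        self._locked_until = {}  # username -> time the lock expires

    def is_locked(self, username: str) -> bool:
        return self._locked_until.get(username, 0) > self.clock()

    def record_failure(self, username: str) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        now = self.clock()
        recent = [t for t in self._failures.get(username, []) if now - t < self.window]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            self._failures[username] = []
        return self.is_locked(username)

    def record_success(self, username: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(username, None)


if __name__ == "__main__":
    print(password_policy_violations("Password"))
    throttle = LoginThrottle(max_failures=3)
    for _ in range(3):
        print("locked:", throttle.record_failure("alice"))
```

The throttle records failures per account; a deployment would normally combine it with a per-source-address limit so that one attacker cannot lock every user out by design.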
#2) URL Manipulation Through HTTP GET Methods
A tester should check whether the application passes important information in the query string or not. This happens when the application uses the HTTP GET method to pass information between the client and the server.
The information is passed through the parameters in the query string. The tester can modify a parameter value in the query string to check if the server accepts it.
Through HTTP GET requests, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed in such a GET request to the server in order to obtain information or corrupt data. In such conditions, any unusual behavior by the application or web server is a doorway for the attacker into the application.
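The server-side half of the check described above, as an added example (not code from the article): the handler validates the query-string parameter strictly and then decides access from the logged-in session, not from whatever value the URL carries, so editing the parameter yields an error rather than another user's data. The `ORDERS` table, the parameter name `order` and the exception classes are constructed for the example.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for the application's database.
ORDERS = {
    101: {"owner": "alice", "total": "49.90"},
    102: {"owner": "bob", "total": "12.00"},
}


class BadRequest(Exception):
    """Query string is malformed (maps to HTTP 400)."""


class Forbidden(Exception):
    """Caller may not see this resource (maps to HTTP 403/404)."""


def order_id_from_url(url: str) -> int:
    """Extract and validate the 'order' parameter from the query string.

    Anything that is not exactly one plain positive integer is rejected before
    it ever reaches the data layer, so a quote or a second copy of the
    parameter cannot change the query.
    """
    values = parse_qs(urlparse(url).query).get("order", [])
    if len(values) != 1 or not values[0].isdigit():
        raise BadRequest("order parameter missing, repeated or not numeric")
    return int(values[0])


def fetch_order(url: str, session_user: str) -> dict:
    """Serve GET /orders?order=<id> only if the order belongs to the logged-in user.

    `session_user` comes from the server-side session; the URL is never trusted
    for identity.
    """
    order = ORDERS.get(order_id_from_url(url))
    # Same error for "does not exist" and "not yours": the response must not
    # reveal which order ids exist.
    if order is None or order["owner"] != session_user:
        raise Forbidden("order not accessible")
    return order


if __name__ == "__main__":
    print(fetch_order("https://shop.example/orders?order=101", "alice"))
    try:
        fetch_order("https://shop.example/orders?order=101", "bob")
    except Forbidden as exc:
        print("bob:", exc)
```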
#3) SQL Injection
The next factor that should be checked is SQL Injection. Entering a single quote (‘) in any textbox should be rejected by the application. If instead the tester encounters a database error, it means that the user input was inserted into some query that the application then executed. In such a case, the application is vulnerable to SQL injection.
SQL injection attacks are very critical, as an attacker can obtain vital information from the server database. To check for SQL injection entry points into your web application, find the code in your codebase where direct MySQL queries are executed against the database using user input.
If user input is embedded in the SQL queries sent to the database, an attacker can inject SQL statements, or parts of SQL statements, as user input to extract vital information from the database.
Even if the attacker only succeeds in crashing the application, the SQL error message shown in the browser can give the attacker the information they are looking for. Special characters in user input should be handled/escaped properly in such cases.
#4) Cross-Site Scripting (XSS)
A tester should additionally check the web application for XSS (Cross-Site Scripting). Any HTML (For Example, <HTML>) or any script (For Example, <SCRIPT>) should not be accepted by the application. If it is, the application can be prone to a Cross-Site Scripting attack.
The attacker can use this method to execute a malicious script or URL in the victim’s browser. Using cross-site scripting, an attacker can use scripts such as JavaScript to steal user cookies and the information stored in them.
Many web applications collect some useful information and pass it on, in variables, between different pages.
For Example, http://www.examplesite.com/index.php?userid=123&query=xyz
The attacker can easily pass malicious input or a <script> tag as the ‘query’ parameter, which can expose important user/server data in the browser.
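How the `query` parameter from the example URL ends up in the page, reflected raw versus HTML-encoded, as an added example that is not code from the article. The render functions and the `contains_active_markup` response check are constructed for the example; the probe string is the `<script>` tag the text says the application must not accept. Output encoding (`html.escape`) is shown rather than input rejection because it works for every value, including legitimate ones that happen to contain angle brackets.

```python
import html
from urllib.parse import parse_qs, urlparse


def render_results_unsafe(query: str) -> str:
    """Reflects the search term straight into the page: the XSS-prone pattern."""
    return "<h1>Results for " + query + "</h1>"


def render_results_safe(query: str) -> str:
    """Encodes the term for an HTML text context, so the browser displays it as text.
    quote=True also covers attribute contexts by escaping ' and "."""
    return "<h1>Results for " + html.escape(query, quote=True) + "</h1>"


def page_for(url: str, render) -> str:
    """Pull the 'query' parameter out of the URL and hand it to a renderer."""
    query = parse_qs(urlparse(url).query).get("query", [""])[0]
    return render(query)


def contains_active_markup(page: str) -> bool:
    """Response check a tester can apply: did a script tag survive unencoded?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed probe: the URL from the text with a script tag in the query parameter.
    probe = "http://www.examplesite.com/index.php?userid=123&query=<script>probe()</script>"
    print(page_for(probe, render_results_unsafe))
    print(page_for(probe, render_results_safe))
```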
Important: During security testing, the tester should be very careful and should not modify any of the following:
- Configuration of the application or the server.
- Services running on the server.
- Existing user or customer data hosted by the application.
Additionally, security tests should not be run against a production system.
Conclusion
The purpose of a security test is to discover the vulnerabilities of the web application so that the developers can remove these vulnerabilities from the application and make the web application as well as its data safe from any unauthorized action.
Recommended Reading => Difference between SAST/DAST/IAST/RASP
Feel free to share your comments/suggestions about this tutorial.
This article is very useful. I expect a detailed description of security testing with examples in further articles.
Thanks
Very helpful! Keep it up, dude!
Hi Vijay, kindly do not send any updates to my email ID.
My Email ID is anillnaik@gmail.com
Thanks,
Anil
I was expecting the detailed description of whole Security Testing…
The information is good for intermediates, but for a layman like me (freshers), I think a bit more detailed description must be given…
I am working as a manual tester. I am interested to know about SQL Injection. Can you please send it to me in the easiest way?
This is really useful for me and also for those who want to learn more about SQL injection and software testing, but I was expecting more. Can anyone send me a detailed description???
HI,
Please give detailed information on Cross Site Scripting & SQL Injection, WITH EXAMPLES, TO MY MAIL ID.
HI,
Please give detailed information on Cross Site Scripting & SQL Injection, WITH EXAMPLES, TO MY MAIL ID. My mail ID is vijaykumar.jalanila25@gmail.com.
Very Good Article but needs more details
Thank you so much… and waiting for the detailed one!
It's a really good article…..
It is very good info.
Thanks a lot!!!
Hi,
The SQL Injection and Security testing articles are very useful for all web testers..
hi,
It's very useful for all web testers..
hi,
There is a lot of good work to do on your website. I prefer Oracle for testing skills. I wish you a happy new year 2011.
Thanks to all. I came to know valuable info from this site.
bad article
Hi,
I am new to security testing.
Can anyone send me a sample test plan for security testing of a web application?
Thanks
Good article
As I am new to the testing field and need a lot of knowledge, can anyone please elaborate this article the way a fresher would expect it, assuming that no one knows about security and how SQL injection is done in a real scenario?
Thanks a lot Singh ji…. SINGH IS KING
Really very good article. We will get to know many concepts after reading this article.
Thanks a lot for good article……….
Hi,
Can anybody explain to me
whether the same username with a different mail ID and password can be used for login or registration?
very helpful article
Please suggest an institute for web application security testing in Hyderabad.
Very Nice Article By Inder P Singh. Thank you very much.
Very precious and awesome article….
A lot of thanks for giving such a nice article.. :-)
All contents are really very useful for understanding the concept of Security Testing.
Thank you so much……..
It is very useful……. Please send me any information about Security testing. My mail ID is pvsureshkumar2005@yahoo.com
good, nice article
Hi,
Thanks for sharing the Security and SQL injection topic, it’s very helpful to me.
Oh, go on, drop it.
Very good article.. :)
Can anyone please shed some light on web application security scanners in terms of desktop assessment services?
Indeed a nice article. Good to see youngsters being curious about website security issues and testing techniques.
could you tell me the leading security testing tool in the market
Hi.. I don’t have that much experience in security testing. Can you please guide me? I’m interested to learn some basics regarding how to hack the application by using script injections……….. I’m waiting for your informative reply, dear :)
Thank you.. These are very helpful. I’m looking for WAP testing; what all things should be taken into consideration while WAP testing, and especially security testing?
For those who want to start with security testing, they can look into this, and also write to me if you need any guidance to start.
http://tuppad.com/blog/2012/05/14/how-do-i-start-security-testing/
You can find me on Twitter @santhoshst | LinkedIn – http://www.linkedin.com/profile/view?id=44693468&goback=%2Enmp_*1_*1_*1_*1_*1_*1_*1_*1_*1&trk=spm_pic
Thanks!
Thanks, man, for passing on such valuable information.
There is a very good free online course for those who want to learn ethical hacking – http://hackvidhi.com/courses.php .
This course covers the basics of both web programming and ethical hacking. It will be starting this summer. Seats are limited, please enroll now!
One of the finest articles I’ve come across. I’m willing to use it for the internal training of my QA Team.
Thank you… the article really helped me….
Dear Vijay,
Really very helpful article.
Thanks
Thanks. This is very useful information about Security testing. Please notify me whenever you have something new.
I think this is the best article I have come across on the internet on Security Testing, Thanks Inder
Information given was very useful, simple and easy to understand
Thanks!!!
Hi ,
Really Really Helpful…
Hello Vijay,
I would like to learn how to test WEBSITE security, to protect it from hacking. Are there any effective tools which are easy to use?
Or are there any skills I can learn to test this very effectively?
Please advise; waiting for your reply desperately.