Quality Testing

Quality is delighting customers

Hey,

Can anybody explain to me Security Testing of a Website

i.e.

How to perform Security Testing?

How to Prepare TestCases?


Replies to This Discussion

Hi Khushbu,

The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, authorisation, availability and non-repudiation.


Confidentiality

* A security measure which protects against the disclosure of information to parties other than the intended recipient(s).
* Often ensured by means of encoding the information using a defined algorithm and some secret information known only to the originator of the information and the intended recipient(s) (a process known as cryptography) but that is by no means the only way of ensuring confidentiality.

Integrity

* A measure intended to allow the receiver to determine that the information which it receives has not been altered in transit or by anyone other than the originator of the information.
* Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding additional information to a communication to form the basis of an algorithmic check rather than encoding all of the communication.

Authentication

* A measure designed to establish the validity of a transmission, message, or originator.
* Allows a receiver to have confidence that information it receives originated from a specific known source.

Authorization

* The process of determining that a requester is allowed to receive a service or perform an operation.
* Access control is an example of authorization.

Availability

* Assuring information and communications services will be ready for use when expected.
* Information must be kept available to authorized persons when they need it.

Non-repudiation

* A measure intended to prevent the later denial that an action happened, or a communication that took place etc.
* In communication terms this often involves the interchange of authentication information combined with some form of provable time stamp.

Following are some test cases for web security testing:

* Test by pasting an internal URL directly into the browser address bar without logging in. Internal pages should not open.
* If you are logged in using a username and password and browsing internal pages, then try changing URL options directly. I.e. if you are checking some publisher site statistics with publisher site ID = 123, try directly changing the URL site ID parameter to a different site ID which is not related to the logged-in user. Access should be denied for this user to view others' stats.
* Try some invalid inputs in input fields like login username, password and input text boxes. Check the system's reaction to all invalid inputs.
* Web directories or files should not be accessible directly unless a download option is given.
* Test the CAPTCHA for automated script logins.
* Test if SSL is used for security measures. If used, a proper message should be displayed when the user switches from non-secure http:// pages to secure https:// pages and vice versa.
* All transactions, error messages and security breach attempts should get logged in log files somewhere on the web server.

I think I have addressed all major web testing methods. I have worked for around 2 years out of my testing career on web testing. There are some experts who have spent their whole career on web testing. If I missed out addressing some important web testing aspect then let me know in the comments below. I will keep on updating the article for the latest testing information.

Thanks and Regards,

Sandeep
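The access-control test cases in the list above (internal URL without login, changing the site ID parameter, invalid input) written as runnable checks. This is an added example, not code from Sandeep's post or the thread: the in-memory stand-in for a publisher-statistics site, its users, session cookie, site IDs and URL layout are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed data (hypothetical): site ID -> owning publisher, cookie -> user.
SITE_OWNERS = {"123": "alice", "456": "bob"}
SESSIONS = {"sess-alice": "alice"}

@dataclass
class Response:
    status: int
    body: str = ""

def handle(url: str, cookie: Optional[str] = None) -> Response:
    """Stand-in request handler: requires login for /internal/ pages and
    only shows statistics for a site the logged-in user owns."""
    parsed = urlparse(url)
    user = SESSIONS.get(cookie)
    if not parsed.path.startswith("/internal/"):
        return Response(200, "public page")
    if user is None:
        return Response(302, "redirect to /login")      # not logged in
    if parsed.path == "/internal/stats":
        site_id = parse_qs(parsed.query).get("siteID", [None])[0]
        if site_id not in SITE_OWNERS:
            return Response(404)                        # invalid / unknown site ID
        if SITE_OWNERS[site_id] != user:
            return Response(403)                        # someone else's site
        return Response(200, f"stats for site {site_id}")
    return Response(200, "internal page")

# Each test case returns True when the application behaves securely.
def test_internal_url_without_login() -> bool:
    return handle("/internal/stats?siteID=123").status in (302, 401)

def test_own_stats_visible() -> bool:
    return handle("/internal/stats?siteID=123", "sess-alice").status == 200

def test_other_users_stats_denied() -> bool:
    return handle("/internal/stats?siteID=456", "sess-alice").status == 403

def test_invalid_site_id_rejected() -> bool:
    r = handle("/internal/stats?siteID=abc", "sess-alice")
    return r.status in (400, 404) and "stats for" not in r.body

if __name__ == "__main__":
    for case in (test_internal_url_without_login, test_own_stats_visible,
                 test_other_users_stats_denied, test_invalid_site_id_rejected):
        print(case.__name__, "PASS" if case() else "FAIL")
```

Against a real site the same four checks would be issued as HTTP requests, with the expected status codes taken from the application's own login and error handling.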

Hi Khushbu,

It seems you are working on Security Testing of a website. Well, security testing is a vast field and requires expertise and good knowledge about the domain.

The criticality of website may vary according to its functionality. In Security Testing we try to break the application, thinking maliciously.

In order to break the website, you need to think like a hacker. Concentrate on the key areas which you think the hacker would take advantage of, the most.

Get an idea about various types of vulnerabilities that exist in Web applications.

1) Session Hijacking
2) XSS Attacks
3) Cross Site Request Forgery
4) SQL Injection

are just some of the vulnerabilities to name a few. You can get a complete idea about all such threats from the OWASP project.

OWASP is a community that works for securing Web Applications. You can get ample material at "www.owasp.org" regarding security testing of a web application.

Regarding Test Cases, first you need to identify the most critical Business flows in your application.

For example, an online payment website will include important critical details such as Credit/Debit Card Number, CVV number, PIN etc., which are all highly sensitive data. So a number of test cases can be written over such a use case.

Before beginning to Security Test your web site, I advise you to follow the guidelines laid down by OWASP.

Regards,
Tejas

Hi Khushbu,

Perfect answer to Security Testing of Website by Sandeep and Tejas.
Please find attached the "Web_Security" PDF for advanced security.

--Sandip Wagh

Hi Sandip,

Great job, you uploaded a nice document. It is really helpful for Web Security Testing.

Regards,

Sandeep

Thanks to all for sharing good information.

Hey,

You can use OWASP testing project. This project's goal is to create a "best practices" web application penetration testing framework which users can implement in their own organizations and a "low level" web application penetration testing guide that describes how to find certain issues.

Thanks,
Ankit Mehta
Sr. QA Engineer
Infostretch Solutions Pvt. Ltd.
© 2012   Created by Quality Testing.