Security Testing of WebSite

Replies to This Discussion

Permalink Reply by ѕαи∂єєρ on October 5, 2010 at 3:10pm

Hi Khushbu,

The six basic security concepts that need to be covered by security testing are:
confidentiality,
integrity,
authentication,
authorisation,
availability and non-repudiation.


Confidentiality

* A security measure which protects against the disclosure of information to parties other than the intended recipient(s).
* Often ensured by means of encoding the information using a defined algorithm and some secret information known only to the originator of the information and the intended recipient(s) (a process known as cryptography) but that is by no means the only way of ensuring confidentiality.

Integrity

* A measure intended to allow the receiver to determine that the information which it receives has not been altered in transit or by other than the originator of the information.
* Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding additional information to a communication to form the basis of an algorithmic check rather than the encoding all of the communication.

Authentication

* A measure designed to establish the validity of a transmission, message, or originator.
* Allows a receiver to have confidence that information it receives originated from a specific known source.

Authorization

* The process of determining that a requester is allowed to receive a service or perform an operation.
* Access control is an example of authorization.

Availability

* Assuring information and communications services will be ready for use when expected.
* Information must be kept available to authorized persons when they need it.

Non-repudiation

* A measure intended to prevent the later denial that an action happened, or a communication that took place etc.
* In communication terms this often involves the interchange of authentication information combined with some form of provable time stamp.

Following are some test cases for web security testing:

* Test by pasting internal url directly into browser address bar without login. Internal pages should not open.
* If you are logged in using username and password and browsing internal pages then try changing url options directly.

I.e. If you are checking some publisher site statistics with publisher site ID= 123. Try directly changing the url site ID

parameter to different site ID which is not related to logged in user. Access should denied for this user to view others

stats.
* Try some invalid inputs in input fields like login username, password, input text boxes. Check the system reaction on

all invalid inputs.
* Web directories or files should not be accessible directly unless given download option.
* Test the CAPTCHA for automates scripts logins.
* Test if SSL is used for security measures. If used proper message should get displayed when user switch from non-secure

http:// pages to secure https:// pages and vice versa.
* All transactions, error messages, security breach attempts should get logged in log files somewhere on web server.

I think I have addressed all major web testing methods. I have worked for around 2 years out of my testing career on web

testing. There are some experts who have spent their whole career life on web testing. If I missed out addressing some

important web testing aspect then let me know in comments below. I will keep on updating the article for latest testing

information.

Thanx and Regards,

Sandeep

• ▶ Reply

Permalink Reply by Attraction on September 30, 2019 at 11:59am

Good information. Thanks for sharing.

• ▶ Reply

Permalink Reply by Tejas N. Jagtap on October 5, 2010 at 3:18pm

Hi Khushbu,
It seems you are working on security Testing of a website. Well Security testing is a vast field and requires expertise and good knowledge about the domain.

The criticality of website may vary according to its functionality. In Security Testing we try to break the application, thinking maliciously.

In order to break the website, you need to think like a hacker. Concentrate on the key areas which you think the hacker would take advantage of, the most.

Get an idea about various types of vulnerabilities that exist in Web applications.

1) Session Hijacking
2) XSS Attacks
3) Cross Site Request Forgery
4) SQL Injection

are just some of the vulnerabilities to name a few. You can get a complete idea about all such threats from the OWASP project.

OWASP is a community that works for securing Web Applications. You can get ample of material at "www.owasp.org" regarding security testing of a web application.

Regarding Test Cases, first you need to identify the most critical Business flows in your application.

for e.g, An online payment website will include important critical details such as Credit/Debit Card Number, CVV number, PIN etc which all are highly sensitive data. So a number of test cases can be written over such Use case.

Before beginning to Security Test your web site, i advise you to follow the guidelines laid by OWASP.

Regards,
Tejas

• ▶ Reply

Permalink Reply by Sandip Wagh on October 5, 2010 at 4:12pm

Hi Khushbu ,

Perfect Ans.to Security Testing of Website by Sandeep and Tejas.
Please Find Attach "Web_Security" PDF . for advance security.

--Sandip Wagh

Attachments:

• Web_Security.pdf, 818 KB

• ▶ Reply

Permalink Reply by ѕαи∂єєρ on October 5, 2010 at 4:46pm

Hi Sandip,

Gr8 Job you upload the nice Docs. it is really helpful for Web Security Testing.

Regards,

Sandeep

• ▶ Reply

Permalink Reply by Khushbu M Trivedi on October 5, 2010 at 4:37pm

Thanks to All for sharing good information .

• ▶ Reply

Permalink Reply by Ankit Mehta on October 8, 2010 at 2:09pm

Hey,

You can use OWASP testing project. This project's goal is to create a "best practices" web application penetration testing framework which users can implement in their own organizations and a "low level" web application penetration testing guide that describes how to find certain issues.

Thanks,
Ankit Mehta
Sr. QA Engineer
Infostretch Solutions Pvt. Ltd.

Attachments:

• OWASP_Testing_Guide_v3.pdf, 4.8 MB

• ▶ Reply

Permalink Reply by Vikaram Sharma on August 19, 2015 at 2:28pm

SECURITY TESTING TECHNIQUES

To prevent all of the above security testing threats/flaws and perform security testing on a web application, it is required to have good knowledge of the HTTP protocol and an understanding of client (browser) – server communication through HTTP. Also, basic knowledge of SQL injection and XSS is required. The following techniques will help in performing quality security testing:

Cross Site Scripting (XSS):

The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application. If it is, the application can be prone to an attack by Cross Site Scripting.

Attackers can use this method to execute malicious scripts or URLs on a victim’s browser. Using cross-site scripting attackers can use scripts like JavaScript to steal user cookies and information stored in the cookies.

Cross Site Scripting Testing can be done for:

1. Apostrophe
2. Greater-Than Sign
3. Less-Than Sign

Ethical Hacking

Ethical hacking means hacking performed by a company or individual to help identify potential threats on a computer or network. An ethical hacker attempts to bypass the system security and search for any vulnerability that could be exploited by malicious hackers aka Black hats. White hats may suggest changes to systems that make them less likely to be penetrated by black hats.

Password Cracking

Password cracking is the most critical part while doing system testing. In order to access the private areas of an application, hackers can use a password cracking tool or can guess a common username/password. Common usernames and passwords are easily available online along with open source password cracking applications. Until a web application enforces a complex password (e.g. a long password with a combination of numbers, letters, and special characters), it is easy to crack the username and password. Another way of cracking the password is if username/password is to target cookies if cookies are stored without encryption.

Penetration Testing

A penetration test is an attack on a computer system with the intention of finding security loopholes, potentially gaining access to it, its functionality and data.

Risk Assessment

This is a process of assessing and deciding on the risk involved with the type of loss and the possibility of vulnerability occurrence. This is determined within the organization by various interviews, discussions and analysis.

Security Auditing

A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria.

Security Scanning

This is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application, OS and Networks.

SQL Injection:

The next thing that should be checked is SQL injection. Entering a single quote (‘) in any textbox should be rejected by the application. Instead, if the tester encounters a database error, it means that the user input is inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

SQL injection attacks are very critical as attackers can get vital information from the server database. To check SQL injection entry points into your web application, find out code from your code base where direct MySQL queries are executed on the database by accepting some user inputs.

SQL Injection Testing can be done for:

• Apostrophes
• Brackets
• Commas
• Quotation marks

Vulnerability Scanning

The automated computer program to proactively identify security vulnerabilities of computing systems in a network to determine where a system can be exploited and/or threatened.

Posture Assessment

This describes the overall security posture of an organization; it is a combination of Ethical hacking, Security scanning and Risk Assessment.

URL manipulation through HTTP GET methods:

HTTP GET method is used between application client and server to pass on the information. The tester needs to verify if the application is passing vital information in the query string. The information via HTTP is passed in parameters in the query string. To test this, a parameter value can be modified in the query string to check if the server accepts it.

Generally user information is passed through HTTP GET request to the server for either authentication or fetching data. Hackers can manipulate the input of this GET request to the server so that the required information can be gathered or to corrupt the data. Any abrupt behavior of application or web server, in such condition, is the key for a hacker to slip into the application.

• ▶ Reply

Permalink Reply by Alisha Henderson on January 23, 2019 at 6:14pm

Let’s discuss what all steps to prepare while preparing and planning for Security testing:

• The first step is to understand the business requirement, security goals and objective in terms of security compliance of the organization. The test planning should consider all security factors like Organization might have planned to achieve PCI compliance etc.
• Understand and analyze the requirements of the application under test.
• Collect all system setup information used for development of Software and Network like Operating Systems, technology, hardware.
• Make out the list of Vulnerabilities and Security Risks.
• Based on above step prepare Threat profile.
• Based on identified Threat, Vulnerabilities and Security Risks prepare test plan to address these issues.
• For each identified Threat, Vulnerabilities and Security Risks prepare Traceability Matrix.
• All security testing cannot possible to execute manually, so identify the tool to execute the all security test cases faster & more reliable.
• Prepare the Security tests case document.
• Perform the Security Test cases execution and retest the defect fixes.
• Execute the Regression Test cases.
• Prepare detailed report of Security Testing which contains Vulnerabilities and Threats contained, detailing risks, and still open issues etc.

Security testing services

• ▶ Reply

Permalink Reply by Anand Singh on January 29, 2019 at 1:23pm

Software Security testing is a process that is performed with the intention of revealing flaws in security mechanisms and finding the vulnerabilities or weaknesses of software applications. These days, security testing has become a critical part in software testing companies.

Security testing has the following characteristics:

Authentication
Authorization
Confidentiality
Availability
Integrity

Here are various types of threats which can be used to expose security vulnerability.

1. SQL Injection

SQL injection is the most common application layer attack technique, in which malicious SQL statements are inserted into an entry field for execution.It is a type of attack which takes the advantage of loopholes present in the implementation of web applications that allows a hacker to hack the system. To check the SQL injection, we have to take care of input fields like text boxes, comments, etc. To prevent injections, special characters should be either properly handled or skipped from the input.

2. Unauthorized Data Access
One of the more popular types of attacks is gaining unauthorized access to data within an application. It includes:

- Unauthorized access to data via data-fetching operations
- Unauthorized access to reusable client authentication information by monitoring the access of others
- Unauthorized access to data by monitoring the access of others

3. URL Manipulation

URL manipulation is the process of manipulating the website URL query strings & capture of the important information by hackers. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the query string. The tester can modify a parameter value in the query string to check if the server accepts it.

4. Data Manipulation

In data manipulation, a hacker changes data used by a website in order to gain some advantage or to embarrass the website’s owners. Hackers will often gain access to HTML pages and change them to be satirical or offensive.

5. Identity Spoofing
Identity spoofing is a technique where a hacker uses the credentials of a legitimate user or device to launch attacks against network hosts, steal data or bypass access controls. Preventing this attack requires IT-infrastructure and network-level mitigations.

6. Cross-Site Scripting (XSS)
Cross-site scripting is a computer security vulnerability found in web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users and trick a user into clicking on that URL. Once executed by the other user’s browser, this code could then perform actions such as completely changing the behavior of the website, stealing personal data, or performing actions on behalf of the user.

Thanks,
Anand

• ▶ Reply

Permalink Reply by Peter Blacksmith on March 26, 2019 at 4:46pm

Hi

One of the most underrated parts of a web application security test but perhaps one of the most important is scoping. When software testing outsourcing company gets a project to test first they need to do is scoping an application before a security test is designed to provide enough information to all parties to ensure that the test will have the best chance of success.

Scoping is a deep dive into the application prior to testing in order to inform the tester and give them an advantage against other testers and even hackers who know nothing about the application.

Scoping answers so many questions regarding an application security test that I like to think of it as the what, when, where, why, and how of an application security testing. Let’s walk through each of these and discuss how to get the most of a scoping session with your client.

• ▶ Reply

Permalink Reply by Stella on March 26, 2020 at 3:59pm

From web-based email to online shopping and banking, organizations are bringing their businesses directly to customers' web browsers every day, circumventing the need for complex installations or update rollouts. Additionally, organizations are rolling out internal web applications for finance, marketing automation, and even internal communication that are often homegrown, or at least fine-tuned for their particular needs.

While web applications offer convenience to businesses and customers alike, their ubiquity makes them a popular attack target for cybercriminals. As a result, web application security testing, or scanning and testing web applications for risk, is essential.

If you want to learn more about Security testing services

• ▶ Reply