How to make security testing for web applications | DeviQA
DeviQA Logo

7 minutes to read

How to make security testing for web applications

How to make security testing for web applications
May 20, 2019


Online transactions have increased rapidly making security testing one of the most critical areas of web applications testing. Security testing of any system is about finding all potential loopholes, unprovided activities, and weaknesses of the system that might result in a loss of sensible information.

Unprovided activities can be either purposeful or unintentional. The aim of web security testing is to identify the danger in the system and determine its possible vulnerabilities. Apart from detecting all possible security risks in the system, it also helps developers to fix these issues through coding.

There are seven types of security testing. These are:

Vulnerability Scanning

This one scans a system against known vulnerability signatures through automated software.

Security Scanning: It identifies network and system drawbacks, and later provides settlements for reducing these risks. This scanning might be performed either for manual or for automated scanning.

Penetration testing

It simulates an attack from a malicious hacker and analyzes a peculiar system to check it for potential vulnerabilities to an outer hacking attempt.

Risk Assessment

This testing involves the analysis of security risks that are observed in the organization. Risks are ranked as low, medium, and high. Risk assessment recommends controls and measures to eliminate the risk.

Security Auditing

This is an internal review of applications and operating systems for security errors.

Posture Assessment

It unites Security scanning, Ethical Hacking, and Risk Assessments to display an overall security posture of an organization.

Ethical hacking

It suggests hacking the software systems of an organization. Its aim is to reveal security errors in the system.

Also, there are several threats to web app security:

Cross-site Scripting (XSS) Attack

It refers to a client-side code injection attack. An attacker can perform malicious scripts (also commonly referred to as a malicious payload) into a website or web app. It happens when a web application uses unvalidated or uncoded user input. A victim is not the direct target. A vulnerability within a website (web application) that the victim will use is the main target. The victim's browser will deliver malicious scripts. VBScript, ActiveX, and Flash are exposed to it but JavaScript is the most vulnerable in these terms.

As you see, there are three essential components of an XSS attack — a website, a victim, and an attacker.

XSRF / CSRF (Request Forgery)

To carry out an XSRF attack, an identity of a user is stolen to be used for hacking into a web server. Sensitive data can be submitted to the intruder by sending Hypertext Transfer Protocol (HTTP) requests. In contrast to the XSS Attack, in this case, a hacker inserts malicious coding into a link of a website that seems to be a trustworthy resource. When an end-user clicks on the link, the embedded programming is submitted as part of the client's web request and can execute on the user's computer. A hacker gets access to cookies and other authentication data using a client-side script.

SQL Injection (SQLi)

This threat to web app security suggests code injection. This means that a hacker can execute malicious SQL statements that control a web database of an application server (also commonly referred to as a Relational Database Management System - RDBMS). The attacker is able to bypass the web app with the help of SQL Injection that also can be used to add, modify and delete records in the database, affecting data integrity. SQL Injection can provide the attacker with unauthorized access to sensitive data including, customer data, personally identifiable information (PII), trade secrets, intellectual property, etc.

Server-Side Includes (SSI) Injection

It is a server-side exploit technique that makes it possible to send code into a web application, which will be executed locally by the webserver. Data is sanitized before inserting into a server-side interpreted HTML file. If attackers submit a Server-Side Include validation, they may have an opportunity to execute arbitrary operating system commands or insert restricted contents of files when pages are served. This is performed at the permission level of the webserver user.

Authorization Bypass

Negligence, ignorance, or simple understatement of security threats can be bypassed by skipping the login page and calling an internal page directly (it should be accessed only after authentication has been performed). It is possible to bypass authentication measures by manipulating requests and tricking the app into thinking that a user has been already authenticated. This can be accomplished either by modifying a given URL parameter or by manipulating the forms of counterfeiting sessions.

How to perform a website security test?

Security testing is a process that is performed with the intention to reveal errors in security mechanisms and find the vulnerabilities or weaknesses of software applications. Generally, security testing must focus on such features as authentication, authorization, confidentiality, availability, integrity, non-repudiation.

Performing web application security testing pay attention to these four areas:

Network security

This means seeking out vulnerabilities in the network infrastructure (resources and policies).

System software security

This one holds allotting weaknesses in the various software (operating system, database system) the application depends on.

Client-side application security

This implies ensuring that a client (browser or any other tool) cannot be manipulated.

Server-side application security

This means making sure that the server code and its technologies are robust enough to avert any intrusion.

Let us consider some web application security testing tools


This vulnerability scanning and testing tool is used for detecting web application vulnerabilities like SQL injection, header injection, cross-site scripting, etc. It is written in Java and can work with OS X, Linux and Windows platforms. This one is indeed good at finding and validating SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information and other vulnerabilities. Vega also probes for TLS / SSL security settings and identifies opportunities for improving the security of your TLS servers.

ZED Attack Proxy (ZAP)

This security testing tool for web application works with Windows, Unix/Linux, and Macintosh platforms. It is used as a scanner or for snapping a proxy to test a web page manually.


This tool for web application security testing performs black box scanning and injects payloads to check if a script is attackable. It holds up both GET and POST HTTP attack methods. It detects such vulnerabilities as file Disclosure, file inclusion, Cross-Site Scripting (XSS), etc.


The tool supports a direct connection to the database without passing via a SQL injection. It is performed by providing DBMS credentials, IP address, port and database name. It also provides automatic recognition of password hash formats and can crack them using a dictionary-based attack.

Google Nogotofail

This tool helps to spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and apps in a flexible, scalable, powerful way. It holds testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, etc. Nogotofail depends only on Python 2.7 and pyOpenSSL>=0.13. It is designed to work on Linux machines, and its transparent traffic capture modes are Linux-specific and require iptables as well. It can be set up as a router, VPN server, or proxy server.

Keep in mind that security testing of web applications is maximally effective in identifying potential vulnerabilities when it is performed regularly. All in all, in the IT sphere it is essential to protect data, by all means, therefore security testing cannot be neglected.