Web Application Security Testing Guide (2019 Update)

If you’ve ever wondered what web application testing is all about, but didn’t know whom to ask or where to look, then don’t worry any more.

You’ve come to the right place!

Let’s discuss all that you need to know about web application security testing, and more.

The security testing of web applications has taken on more importance with every passing day. This is because of the large amount of data that is stored in web apps, and because of the growing number of transactions carried out over the internet: every new form, API and parameter is another place an attacker can probe.

Therefore, it’s important to understand what security testing is all about, while also understanding what web application security testing tools are.

So what is web application security testing?

Security testing can be described as the process used to check that an application actually enforces the security properties it is supposed to enforce: data that is meant to stay confidential stays confidential, data cannot be altered by anyone who is not supposed to alter it, and the application keeps working for its legitimate users.

In practice this means that confidential data must be protected from persons or entities who are not supposed to have access to it, and that each user should only be able to carry out the activities and tasks which they are authorized to perform. Most web application findings are failures of one of these two rules.

The purpose of security testing:

Security testing is carried out to find out whether any vulnerabilities exist in the web app. Once vulnerabilities are discovered, the developers can fix them, so that the app is no longer exposed to the corresponding threats.

Important security testing terms:

It’s important to understand some security testing terms as we proceed with this piece.

So let’s get to it right away.

Vulnerabilities:

A vulnerability is a weakness or 'chink' in the web app that an attacker can exploit. It usually arises from a bug in the app's own code (for example, user input that is passed into a SQL query or an HTML page without being handled properly, which is what makes injection and script attacks possible), from a design flaw or insecure configuration, or because malware has already compromised the server hosting the app.

URL manipulation:

URL manipulation is changing parts of a URL (typically the query-string parameters) so that the server behaves in a way its developers did not intend, for example by returning another user's data.

SQL injection:

SQL injection is the insertion of SQL statements, or fragments of them, via the web app's user interface into a query that the server then executes against the database.

XSS or Cross Site Scripting:

Cross Site Scripting (XSS) is the scenario in which an attacker inserts HTML or client-side script into a web app in such a way that it is rendered in the browsers of other users. If the app stores the injected script (for instance in a comment), every user who views that content is affected; if the app merely reflects it back from a request parameter, the attacker has to get the victim to open a crafted link.

Spoofing:

When hoax look-alike websites or emails are created, this is referred to as ‘spoofing’.

The approach to security testing:

At the outset, in order to carry out a successful and useful security test of a web app, the tester should have an in-depth understanding of the HTTP protocol.

Further, the tester should also have a deep understanding of how the client and the server communicate via HTTP: requests and responses, headers, cookies, and the way session state is carried between the two.

In addition, the person carrying out the security test should also know the basics of XSS and SQL injection.

Besides this, the tester should be able to describe each security defect accurately and provide all the details needed to reproduce it (the request sent, the parameter affected, the behaviour observed); this is a very useful quality.

Security testing techniques for web applications:

Now, let's take a look at some web application security testing techniques in the following sections.

#1 Password Cracking:

Security testing on a web app can begin with what the industry refers to as password cracking. In its simplest form this is trial and error: guessing usernames and/or passwords until one works.

Besides this, a password cracker tool can be used for this purpose. Such tools ship with lists of common usernames and passwords (dictionary attacks), and can also generate candidates by combining alphabetic, numeric and special characters up to a specified length (brute-force attacks).

The point of the test is not whether a password could be guessed in principle, but whether the application lets an attacker make enough attempts to guess it: check whether accounts lock or requests are rate-limited after repeated failures, and whether the password policy rejects the entries at the top of those lists.

Also check where credentials end up. If a password or username is stored in cookies with weak or no encryption, an attacker who steals the cookies (for example through XSS, or by sniffing an unencrypted connection) obtains the credentials directly. Credentials should not be stored in cookies at all; the cookie should carry only a session identifier, marked Secure and HttpOnly.
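
The check described above, as an added example that is not part of the original article: a dictionary attack run against a simulated login service, once with no lockout and once with an account lockout after three failures. The LoginService class, the sample users and the wordlists are constructed stand-ins for a real login endpoint; against a live target the login call would be an HTTP POST.

```python
"""Added example: does the application limit password guessing?

LoginService, USERS, USERNAMES and PASSWORDS are constructed for this
example and stand in for a real login endpoint and real wordlists.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt is what a sane server stores instead of the
    # plaintext. The iteration count is kept low so the example runs quickly;
    # production deployments use a much higher work factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class LoginService:
    """Constructed stand-in for a login endpoint.

    lockout_threshold=None means the app never locks an account, i.e. it
    allows unlimited guessing; an integer locks the account after that many
    consecutive failures.
    """

    def __init__(self, users: Dict[str, str], lockout_threshold: Optional[int] = None):
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._records[name] = (salt, _hash(password, salt))
        self.lockout_threshold = lockout_threshold
        self.failures: Dict[str, int] = {}

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            return False  # unknown user: same answer as a wrong password
        if self.lockout_threshold is not None and \
                self.failures.get(username, 0) >= self.lockout_threshold:
            return False  # account locked: the guess is refused unchecked
        salt, stored = record
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[username] = 0
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        return False


def dictionary_attack(service: LoginService, usernames: List[str],
                      passwords: List[str]) -> Tuple[Optional[Tuple[str, str]], int]:
    """Try every username/password pair from the wordlists.

    Returns the first valid pair (or None) and how many attempts were made.
    """
    attempts = 0
    for user in usernames:
        for password in passwords:
            attempts += 1
            if service.login(user, password):
                return (user, password), attempts
    return None, attempts


# Constructed sample data: one weak account, one strong one, two tiny wordlists.
USERS = {"alice": "Summer2019!", "bob": "c0rrect-horse-battery-staple-9f3a"}
USERNAMES = ["admin", "alice", "bob"]
PASSWORDS = ["password", "123456", "admin", "Summer2019!", "letmein"]


def run_check(lockout_threshold: Optional[int]) -> Tuple[Optional[Tuple[str, str]], int]:
    """Run the attack against a fresh service with the given lockout policy."""
    service = LoginService(USERS, lockout_threshold)
    return dictionary_attack(service, USERNAMES, PASSWORDS)


if __name__ == "__main__":
    print("no lockout:     ", run_check(None))  # alice's weak password is found
    print("lockout after 3:", run_check(3))     # the attack never reaches it
```

Without a lockout the weak password is found on the ninth attempt; with a lockout after three failures every account locks before the right guess is reached and the attack ends empty-handed. Note that a per-account lockout is itself something an attacker can abuse to lock legitimate users out, so a real application usually combines it with per-source rate limiting; the test should report which of the two, if either, is in place.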

#2 URL Manipulation via HTTP GET:

When undertaking web application security testing, the tester should take the time to see whether the app passes confidential information in the query string. This usually happens when the app uses the HTTP GET method to convey information between the client and the server: the parameters then appear in the URL, and therefore in browser history, proxy and server logs, and Referer headers.

Since the data is passed as parameters in the query string, the tester can modify a parameter value in the string and verify whether the server accepts it. The classic case is an identifier such as account_id=101: change it to 102 and check whether the server returns another user's record, which would mean the server trusts the parameter instead of checking that the logged-in user is authorized to access that object.

Requests using the HTTP GET method are passed to the server to fetch the necessary data, and sometimes even for authentication. In that scenario an attacker can manipulate the input variables conveyed in the GET request to read data they should not see, or even to corrupt it.

Therefore, any unusual behaviour by the app or the web server in response to a modified parameter (an error page, a stack trace, data belonging to someone else) must be treated as significant, as it is exactly such behaviour that opens the gateway for attackers to get into applications.
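
The parameter-tampering check described above, as an added example that is not part of the original article. The two request handlers and the ACCOUNTS table are constructed stand-ins for a real server endpoint (one that trusts the account_id parameter, one that checks it against the session); against a live target the handler call would be an HTTP request. The URL, parameter name and record layout are assumptions made for this example.

```python
"""Added example: tamper with a GET parameter to look for an insecure direct
object reference.

handle_vulnerable, handle_fixed and ACCOUNTS are constructed stand-ins for a
real endpoint; the URL and parameter name are assumptions.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data: three accounts belonging to three different users.
ACCOUNTS: Dict[int, Dict[str, object]] = {
    101: {"owner": "alice", "balance": 1200},
    102: {"owner": "bob", "balance": 80},
    103: {"owner": "carol", "balance": 9},
}

Response = Tuple[int, Optional[Dict[str, object]]]
Handler = Callable[[str, str], Response]


def _account_id(url: str) -> Optional[int]:
    """Pull account_id out of the query string; None if missing or not numeric."""
    params = dict(parse_qsl(urlsplit(url).query))
    try:
        return int(params["account_id"])
    except (KeyError, ValueError):
        return None


def handle_vulnerable(url: str, session_user: str) -> Response:
    """Trusts the parameter: any logged-in user can fetch any account."""
    acct_id = _account_id(url)
    if acct_id is None:
        return 400, None
    acct = ACCOUNTS.get(acct_id)
    return (200, acct) if acct is not None else (404, None)


def handle_fixed(url: str, session_user: str) -> Response:
    """Authorizes the object against the session, not against the parameter."""
    acct_id = _account_id(url)
    if acct_id is None:
        return 400, None
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != session_user:
        # Same answer for "does not exist" and "not yours", so the response
        # cannot be used to enumerate which ids are valid.
        return 404, None
    return 200, acct


def tamper(url: str, param: str, value: object) -> str:
    """Return the url with one query-string parameter replaced."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query[param] = str(value)
    return urlunsplit(parts._replace(query=urlencode(query)))


def probe_idor(handler: Handler, base_url: str, session_user: str,
               candidate_ids: List[int]) -> List[int]:
    """Substitute each candidate id into the URL and report the ids whose
    records the session can read without owning them."""
    leaked: List[int] = []
    for cid in candidate_ids:
        status, body = handler(tamper(base_url, "account_id", cid), session_user)
        if status == 200 and body is not None and body["owner"] != session_user:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    url = "https://bank.example/api/account?account_id=101"
    ids = [101, 102, 103, 104]
    print("vulnerable leaks:", probe_idor(handle_vulnerable, url, "alice", ids))
    print("fixed leaks:     ", probe_idor(handle_fixed, url, "alice", ids))
```

Against the vulnerable handler, alice's session reads bob's and carol's records simply by editing the number in the URL; against the fixed handler the same requests come back as 404. The same probe applies to POST bodies, path segments and JSON fields: the parameter's location does not matter, only whether the server checks ownership.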

#3 SQL Injection:

Start by entering a single quote (') into a text box or parameter. A well-written application treats it as ordinary data and carries on. If instead the tester comes across a database error, the user input is being inserted into the text of a query that the app then executes, and in that case it's clear that the app is vulnerable to SQL injection.

A SQL injection attack should not be taken lightly, as an attacker can extract critical data from the server's database. In order to check the SQL injection entry points in a web app, the tester should locate the places in the codebase where SQL queries are built from user input and executed against the database.

An attacker can inject SQL statements, or fragments of SQL statements, as user input so as to extract important data from the database; this works whenever user input is spliced directly into the text of a SQL query rather than passed to the database as a bound parameter.

What's more, even if the injected input only makes the query fail, the attacker may still get the information they need (table and column names, the shape of the query) from the SQL error displayed in the browser. The fix is to use parameterized queries (prepared statements) everywhere, to escape special characters in user input only where parameterization is genuinely impossible, and to show a generic error page rather than the raw database error.
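
The vulnerable query and its parameterized replacement, as an added example that is not part of the original article, together with the two probes the text describes (a lone single quote, and a tautology that returns every row). It runs against an in-memory SQLite table with constructed sample rows; the table and column names are assumptions made for this example.

```python
"""Added example: a lookup built by string concatenation beside its
parameterized replacement, and the probes that tell them apart.

The users table and its rows are constructed sample data.
"""
import sqlite3
from typing import Callable, Dict, List, Tuple

Row = Tuple[int, str, str]
Lookup = Callable[[sqlite3.Connection, str], List[Row]]


def setup_db() -> sqlite3.Connection:
    """Constructed sample database: three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """User input is spliced into the query text. A quote in the input ends
    the string literal and whatever follows it is parsed as SQL."""
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Parameterized query. The driver sends the value separately from the
    SQL text, so it is never parsed as SQL, whatever it contains."""
    return conn.execute(
        "SELECT id, username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe(lookup: Lookup, conn: sqlite3.Connection) -> Dict[str, bool]:
    """The two checks from the text: does a lone quote raise a database error,
    and does a tautology in the input return every row in the table?"""
    try:
        lookup(conn, "'")
        error_on_quote = False
    except sqlite3.Error:
        error_on_quote = True  # the quote broke the query: input is inside SQL text
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    rows = lookup(conn, "nobody' OR '1'='1")
    return {
        "error_on_quote": error_on_quote,
        "tautology_returns_all": len(rows) == total,
    }


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", probe(find_user_vulnerable, db))
    print("safe:      ", probe(find_user_safe, db))
```

With the concatenated query a single quote produces an unterminated-string error and `nobody' OR '1'='1` dumps the whole table; with the bound parameter both inputs are simply usernames that do not exist and return no rows. The same split applies to every SQL driver: anything that formats user input into the query string is in the first category.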

#4 Cross Site Scripting (XSS):

In addition to the three tests described above, comprehensive web application security testing should also check the app for XSS. This is done by checking whether the application takes input containing HTML or script and renders it back into a page without encoding it; in an ideal scenario it should not.

On the other hand, if the application does reflect or store HTML or script and renders it unencoded, the app is open to an attack via Cross Site Scripting (XSS).

An attacker can use this to run malicious scripts, or load malicious URLs, in the victim's browser. Among other things, the script (typically JavaScript) can read data stored in cookies (such as session identifiers and user info) and send it to the attacker, unless the cookies are flagged HttpOnly so that script cannot read them.

Also, since many web apps gather information on one page and pass it on in query parameters to the next, the attacker can put malicious input or script into such a parameter (a search query, for example) and send the resulting link to a victim; the page then reflects the script into the victim's browser, where it can steal confidential user or session data.
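
The reflected and stored cases described above, as an added example that is not part of the original article: a search page that copies its query parameter into the HTML unencoded beside the encoded version, a comment board that stores and re-renders posts, and the probe that tells the vulnerable and the safe versions apart. The page templates, the comment board and the marker payload are constructed for this example.

```python
"""Added example: reflected and stored XSS checks against constructed
templates, using a harmless marker payload instead of a live script.

render_vulnerable, render_safe and CommentBoard are constructed stand-ins for
real server-side templates.
"""
import html
from typing import Callable, List

# Harmless, but unmistakable if it survives into the page unencoded. The
# leading quote and '>' test whether it can break out of an attribute.
MARKER = '"><xsstest>'


def render_vulnerable(query: str) -> str:
    """Reflects the parameter straight into text and into an attribute."""
    return (
        "<h1>Results for " + query + "</h1>\n"
        '<input name="q" value="' + query + '">'
    )


def render_safe(query: str) -> str:
    """html.escape(quote=True) encodes <, >, &, double and single quotes, so
    the value can neither start a tag nor close the attribute it sits in."""
    safe = html.escape(query, quote=True)
    return (
        "<h1>Results for " + safe + "</h1>\n"
        '<input name="q" value="' + safe + '">'
    )


class CommentBoard:
    """Stored case: posts are kept and rendered to every later visitor."""

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.comments: List[str] = []

    def post(self, text: str) -> None:
        # Storing the raw text is fine; what matters is how it is rendered.
        self.comments.append(text)

    def render(self) -> str:
        items = [html.escape(c, quote=True) if self.escape_output else c
                 for c in self.comments]
        return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def reflects_unencoded(render: Callable[[str], str], payload: str = MARKER) -> bool:
    """True if the payload comes back byte-for-byte: the page is open to
    reflected XSS via this parameter."""
    return payload in render(payload)


def stores_unencoded(board: CommentBoard, payload: str = MARKER) -> bool:
    """True if a posted payload is served back unencoded to later viewers."""
    board.post(payload)
    return payload in board.render()


if __name__ == "__main__":
    print("reflected, vulnerable:", reflects_unencoded(render_vulnerable))
    print("reflected, safe:      ", reflects_unencoded(render_safe))
    print("stored, vulnerable:   ", stores_unencoded(CommentBoard(escape_output=False)))
    print("stored, safe:         ", stores_unencoded(CommentBoard(escape_output=True)))
```

html.escape is the right tool only for HTML text and quoted attribute values; input that lands inside a script block, a URL or an event-handler attribute needs the encoding appropriate to that context, so the probe should be repeated at every place the parameter is rendered, not just the first one found.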

What to avoid during web application security testing:

When testing is being carried out, the tester must take care not to modify the services running on the server, the existing user or customer data hosted by the application, or the configuration of the application or the server.

Besides this, the tester should not run these tests against a production system; use a dedicated test or staging environment instead.

Conclusion:

We do hope you found this article useful, and we do hope you employ the methods explained here when carrying out tests on your own applications.
