

Wednesday, February 8, 2012

What is the approach for Security Testing of Web Applications?

Like the real world, the cyber world needs security, as the rate of cyber crime is increasing day by day. Attackers misuse technology to benefit themselves, and end users suffer as a result.

The security of web sites and web applications needs to be very tight so that attackers are not able to break into the databases behind them and use the critical data and information to their heart's content.

ABOUT SECURITY OF WEB SITES
- Several security measures are being designed these days and many of them have been adopted.
- The security level of web sites and web applications needs to be tested just like any other aspect of software, to ensure that it is error-proof and meets the standards.
- Security testing of web applications is essential, because the security of a web site or application is responsible for the safety of the personal information we use to access cyber services and of other sensitive information.

WHAT APPROACH SHOULD BE USED TO TEST WEBSITES?
Here the question arises that what approach should be followed for security testing of the web sites and applications?
- For security testing of web applications, a planned approach should be followed.
- The vulnerabilities of the web application should be listed first so that you can draw up your test plan.
- As the number of users is increasing, the need for a proper security system is also increasing.
- The security testing of the web applications needs to be very efficient.
- In security testing, the privacy level of the data is tested, i.e., whether or not it stays confidential and is not leaked to those for whom it is not meant.
- It also makes sure that end users are able to perform only those tasks which have been authorized for them, and that users are not able to alter the features and functionality of a web site or application.
- The tester carrying out the security testing should have good knowledge of the Hypertext Transfer Protocol (HTTP).
- It is important to know how exactly the communication takes place between the browser and the server.
- He or she should also know about the issues mentioned in the list above.

STEPS INCLUDED IN A TEST PLAN

1. Password cracking
- This is done to access the restricted areas of a web application.
- Password cracking can take a very long time if the password is complex.
- Sometimes the user names and passwords are stored in unencrypted cookies.
- An attacker can very well steal such cookies to obtain the user name and password.

2. URL manipulation
- In this step, the URL should be tested for any important information in its query string.
- Sometimes such information is passed in the URL when the application uses the HTTP GET method to pass information between the browser and the server.
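The two checks above (credentials in unencrypted cookies from step 1, and sensitive values in a GET query string from step 2) can be run over a captured request/response pair. The following is an added example written for this post, not code from the original; the HTTP exchange, the `CREDENTIAL_NAMES` list and the function names are constructed for the illustration.

```python
from __future__ import annotations

from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Parameter/cookie names that point to credentials or secrets. This list is
# an assumption for the example; extend it for the application under test.
CREDENTIAL_NAMES = {"user", "username", "password", "passwd", "pwd",
                    "token", "ssn", "card"}

# Constructed sample exchange, not traffic from any real site.
SAMPLE_REQUEST = (
    "GET /login?username=alice&password=S3cret! HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: prefs=dark\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: username=alice; Path=/\r\n"
    "Set-Cookie: sid=8f3a2c; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def audit_request_line(request_line: str) -> list[str]:
    """Step 2: flag credential-like parameters carried in a GET query string.
    Such values end up in browser history, proxy logs and Referer headers."""
    findings = []
    method, target, _version = request_line.split(" ", 2)
    if method.upper() != "GET":
        return findings
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_NAMES:
            findings.append(f"parameter '{name}' is sent in the URL query string")
    return findings


def audit_set_cookie(header_value: str) -> list[str]:
    """Step 1: flag cookies that store a credential in clear text or that
    lack the Secure/HttpOnly attributes protecting them from theft."""
    findings = []
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        if name.lower() in CREDENTIAL_NAMES:
            findings.append(f"cookie '{name}' stores a credential in clear text")
        if not morsel["secure"]:
            findings.append(f"cookie '{name}' lacks the Secure attribute")
        if not morsel["httponly"]:
            findings.append(f"cookie '{name}' lacks the HttpOnly attribute")
    return findings


def audit_exchange(raw_request: str, raw_response: str) -> list[str]:
    """Run both checks over a captured request/response pair."""
    request_line = raw_request.split("\r\n", 1)[0]
    findings = audit_request_line(request_line)
    for line in raw_response.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            findings.extend(audit_set_cookie(value.strip()))
    return findings


if __name__ == "__main__":
    for finding in audit_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

On the constructed sample the audit reports five findings: the user name and password in the query string, and a `username` cookie that holds a credential in clear text and carries neither `Secure` nor `HttpOnly`; the `sid` cookie passes.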

3. SQL injection
- This is the third issue to be checked.
- Any unauthorized character entered in the text box by the user should be rejected by the application.
- While testing this aspect, if the tester encounters an error or a bug in the application's database, then the web application's security is said to be vulnerable.
- If the application is not checked against SQL injection, critical information can be stolen from the application's database.
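To make the step 3 check concrete, here is an added example (not code from the original post) that places a login lookup built by string concatenation beside the same lookup written with bound parameters, and runs the tester's inputs against both on an in-memory SQLite database. The `users` table, its rows and the function names are constructed for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table in memory. Real
    applications store password hashes, not the passwords themselves."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Builds the statement by string concatenation, so whatever the user
    types in the text box becomes part of the SQL itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Binds the values as parameters; the driver keeps them as data, so
    quotes and keywords in the input cannot change the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def run_injection_check(login) -> dict:
    """The tester's check from step 3: a correct login must succeed, a wrong
    password must fail, and input containing quote characters must neither
    log in without the password nor produce a database error."""
    conn = make_db()
    results = {
        "valid": login(conn, "alice", "correct-horse"),
        "wrong_password": login(conn, "alice", "nope"),
    }
    # Classic tautology test string: when concatenated it turns the WHERE
    # clause into "... AND password = '' OR '1'='1'".
    try:
        results["tautology"] = login(conn, "alice", "' OR '1'='1")
    except sqlite3.Error as exc:
        results["tautology"] = f"database error: {exc}"
    # A legitimate name containing an apostrophe; a database error here is
    # exactly the kind of bug the post says marks the application as vulnerable.
    try:
        results["stray_quote"] = login(conn, "o'brien", "x")
    except sqlite3.Error as exc:
        results["stray_quote"] = f"database error: {exc}"
    return results


if __name__ == "__main__":
    print("concatenated :", run_injection_check(login_vulnerable))
    print("parameterised:", run_injection_check(login_parameterised))
```

With the concatenated query the tautology input logs in as `alice` without her password and the apostrophe produces a database error; with bound parameters both inputs simply fail to match, which is the behaviour the tester should expect to see.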

4. XSS (cross-site scripting)
- This is the fourth aspect to be checked.
- The tester should check whether or not the web application accepts any HTML script.
- If the site or application is found to render submitted HTML, then it is prone to cross-site scripting attacks.
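The step 4 check, as an added example that is not part of the original post: a page fragment that echoes user input unchanged next to two versions that encode it for HTML body and attribute context, and a probe function that submits a harmless `<b>` marker to see whether the markup comes back unencoded. The rendering functions and the probe string are constructed for the illustration.

```python
import html


def render_greeting_unsafe(name: str) -> str:
    """Inserts the user-supplied name straight into the page, so any HTML
    it contains is handed to the browser as markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Encodes <, >, & and quotes so the browser shows the text literally."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_box_escaped(term: str) -> str:
    """Attribute context: the double quote must be encoded as well, otherwise
    a value containing it could terminate the attribute early."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


# Harmless marker used as the probe; bold text is enough to reveal whether
# the application renders submitted markup.
PROBE = "<b>xss-probe</b>"


def reflects_raw_html(render) -> bool:
    """Step 4 check: submit the probe and see whether it comes back unencoded."""
    return PROBE in render(PROBE)


if __name__ == "__main__":
    for fn in (render_greeting_unsafe, render_greeting_escaped, render_search_box_escaped):
        status = "accepts HTML (vulnerable)" if reflects_raw_html(fn) else "encodes output"
        print(f"{fn.__name__}: {status}")
```

The probe deliberately carries no script; if plain bold markup survives the round trip, the application is rendering user input as HTML and the finding is already established.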

During security testing, the configurations of the server and the application should not be modified, and security tests should not be performed on a production system.

