Agenda
Security Testing, Web Application, and Web Security Testing
Security testing approach
Q&A
Security testing
Security testing is a process to determine that an information system protects data and maintains functionality as intended.
Web Application
At the core of every web application is the fact that all of its functionality is communicated using HTTP, and its results are typically formatted in HTML. Inputs are communicated using GET, POST, and similar methods.
Web Security Testing
Web security testing tells us whether a web-based application's requirements are still met when it is subjected to malicious input data.
OWASP Top 10 Web Application Security Risks for 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Guessing username and password
Commonly done using a dictionary attack
Cookies can also leak authentication information
Keyboard recorder (keylogger)
What we can do
Enforce a complex password
CAPTCHA (Completely Automated Public Turing test to Tell Computers and Humans Apart)
Encrypting cookies
Software keyboard
URL Manipulation
Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server.
What we can do
Change the parameters (or even delete some substring of the link) in the URL and check the web application's behavior
Better to change the link parameter into a GUID or encrypt it
The parameter should not be predictable (…/user/… and …/admin…)
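As an added illustration of the two points above (not code from the original slides): the example below contrasts a lookup keyed only by the URL parameter with one that ties the parameter to the logged-in session, and includes a small test helper that flags the sequential-id pattern a tester would try to manipulate. The in-memory stores, usernames and record data are constructed sample values.

```python
import secrets
from typing import Optional

# Constructed in-memory stores standing in for the application's database and
# session table. Not real data; record ids are generated at runtime.
RECORDS = {}   # record id -> {"owner": username, "data": text}
SESSIONS = {}  # session token -> username


def new_record_id() -> str:
    # 128 bits of randomness, URL-safe: cannot be guessed by adding or subtracting one,
    # which is the "GUID instead of a counter" advice from the slide.
    return secrets.token_urlsafe(16)


def create_record(owner: str, data: str) -> str:
    rid = new_record_id()
    RECORDS[rid] = {"owner": owner, "data": data}
    return rid


def login(username: str) -> str:
    # Session token is also unguessable; the username never travels in the URL.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def fetch_record_insecure(rid: str) -> Optional[str]:
    # Weak pattern: the URL parameter alone decides what is returned, so anyone who
    # knows or guesses a record id reads its data (insecure direct object reference).
    rec = RECORDS.get(rid)
    return rec["data"] if rec else None


def fetch_record(session_token: str, rid: str) -> Optional[str]:
    # Hardened pattern: the URL parameter is only an index. Authorization comes from
    # the server-side session, and ownership is checked before anything is returned.
    user = SESSIONS.get(session_token)
    rec = RECORDS.get(rid)
    if user is None or rec is None or rec["owner"] != user:
        # Same answer for "does not exist" and "not yours", so a tester probing ids
        # cannot tell which ids are valid.
        return None
    return rec["data"]


def is_sequential(ids) -> bool:
    """Test helper: True if the ids are integers that step by exactly one, the
    predictable pattern the slide says a URL parameter should not have."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


if __name__ == "__main__":
    alice, bob = login("alice"), login("bob")
    rid = create_record("alice", "alice's private record")
    print("insecure lookup, no session:", fetch_record_insecure(rid))
    print("hardened lookup as owner:   ", fetch_record(alice, rid))
    print("hardened lookup as other:   ", fetch_record(bob, rid))
    print("ids look sequential:", is_sequential(["1001", "1002", "1003"]))
```

When testing a real application, the same idea applies from the outside: request a resource with a second user's session and with a modified id, and treat any difference between "not found" and "forbidden" responses as information the parameter is leaking.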
SQL injection
This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.
What we can do
Each input area should be tested
Special characters (including characters of different languages) should be handled/escaped properly in such cases
ASCII codes should also be tested
Input strings that can make the system divide by zero or execute for a long time need to be tested
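Added example, not from the original slides: a query built by string concatenation next to the same query with placeholder binding, plus a small harness that feeds each test string to both and records rows returned or the database error raised. The SQLite table, user rows and test strings are constructed for the example; the inputs cover the slide's cases (a normal value, a quote character, a tautology, non-ASCII text and a very long string).

```python
import sqlite3
from typing import Callable, Dict, List, Union

Result = Union[List[str], str]


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows; nothing here comes from a real system.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # The input is pasted into the SQL text. A quote in the input ends the string
    # literal early, so the rest of the input is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # Placeholder binding: the driver sends the value separately from the statement,
    # so no character in the input can change the query's structure.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def run_input_checks(
    conn: sqlite3.Connection,
    lookup: Callable[[sqlite3.Connection, str], List[str]],
    inputs: List[str],
) -> Dict[str, Result]:
    """Apply every test string to the lookup. A test string that returns rows it should
    not match, or that raises a database error, points at unescaped special characters."""
    results: Dict[str, Result] = {}
    for s in inputs:
        try:
            results[s] = lookup(conn, s)
        except sqlite3.Error as e:
            results[s] = f"ERROR: {type(e).__name__}"
    return results


# Constructed test inputs: normal value, embedded quote, tautology, non-ASCII, long string.
TEST_INPUTS = ["alice", "o'brien", "' OR '1'='1", "ユーザー", "A" * 10000]


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        print(f"--- {name} ---")
        for inp, res in run_input_checks(db, fn, TEST_INPUTS).items():
            print(repr(inp[:20]), "->", res)
```

Two observations a tester looks for show up directly in the output: the concatenating version returns every user for the tautology and throws a syntax error for the quoted name, while the bound version returns exactly the rows that literally match and never errors.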
XSS (Cross Site Scripting)
When a user inserts HTML/ client-side script in the user interface of a web application and this insertion is visible to other users, it is called XSS.
What we can do
HTML tags and other reserved keywords/strings need to be tested as parameters
Scripts need to be tested as parameters
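Added example, not from the original slides: the same comment value rendered into HTML without encoding and with HTML-body encoding, plus a test oracle that parses the rendered page and reports whether any tag beyond the template's own, or any event-handler attribute, made it into the markup. The template, the allowed-tag list and the test strings are constructed for this example.

```python
import html
from html.parser import HTMLParser
from typing import Callable, Dict, List


def render_comment_vulnerable(comment: str) -> str:
    # Raw interpolation: any markup in the comment becomes part of the page.
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    # Encoding for the HTML-body context: <, >, &, " and ' become entities, so the
    # browser shows the text instead of parsing it as tags.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


class _TagCollector(HTMLParser):
    """Records every start tag and every attribute whose name begins with 'on'."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.event_handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag.lower())
        self.event_handlers += [n for n, _ in attrs if n and n.lower().startswith("on")]


def injected_markup(rendered: str, template_tags=("div",)) -> bool:
    """Test oracle: True if the rendered page contains a tag the template did not put
    there, or any inline event handler. Assumes the template itself only emits
    the tags listed in template_tags (constructed for this example)."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    extra = [t for t in p.tags if t not in template_tags]
    return bool(extra or p.event_handlers)


def check_payloads(render: Callable[[str], str], payloads: List[str]) -> Dict[str, bool]:
    """Run each test string through a renderer; True means markup got through."""
    return {s: injected_markup(render(s)) for s in payloads}


# Constructed test strings: plain text, a harmless tag, a script tag, an event handler.
TEST_PAYLOADS = [
    "hello world",
    "<b>bold</b>",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_comment_vulnerable), ("safe", render_comment_safe)):
        print(f"--- {name} ---")
        for s, leaked in check_payloads(fn, TEST_PAYLOADS).items():
            print(f"{s!r:35} markup reached page: {leaked}")
```

The oracle matters more than the exact strings: when testing a real page, the question is not "did my string appear" but "did it appear as text or as markup", which is what parsing the response answers. Note that `html.escape` is correct only for HTML-body context; a value placed inside a JavaScript block or a URL attribute needs encoding for that context instead.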
Vulnerability
This is a weakness in the web application. The cause of such a "weakness" can be bugs in the application, an injection (SQL/script code) or the presence of viruses.
What we can do
Client/server cache
Session time-out
Even weaknesses of the operating system
Connectivity attacks such as DoS (denial-of-service) and DDoS (distributed denial-of-service)
Spoofing
The creation of hoax look-alike websites or emails is called spoofing.
What we can do
Authentication, such as e-signatures and certificates
Encrypted data transfer protocols: SSL, SSH, PKI, SET and so on