Need of Security Testing for Website Application

Posted By : Sonali Gupta | 24-May-2018

What is the Need for Security Testing

Security testing is a process that applies security mechanisms to protect data and to keep the application functioning as required. It is also used to check whether the website exposes confidential data. The goal is that users are able to perform only those tasks they are authorized for.

Security Testing Approach

To perform security testing on a web application, the test engineer should have detailed knowledge of the HTTP and HTTPS protocols.

They should also understand how multiple browsers communicate with the server.

Additionally, the tester should be able to identify and resolve SQL injection and XSS issues.

In this way the web application gets protected.


Some Key Terms Used in Security Testing

* What is “Vulnerability”?

A vulnerability is the weakest part of the website. It arises from bugs in the product, for example the presence of an injection point (SQL or script code) or the presence of viruses.

* What is “URL Manipulation”?

Some web applications pass additional information between the browser and the server in the URL. When these values are modified, the server may behave in an unintended way; this is termed URL manipulation.

* What is “SQL injection”?

In this process, SQL statements are inserted by the user of the web application into an input field; they become part of the query that is then executed by the server itself.

* What is “XSS (Cross Site Scripting)”?

XSS occurs when HTML or client-side script supplied as input is rendered in the user interface of a web application. The inserted content becomes visible in other users' browsers, where it can break the page or execute. To avoid such issues, input must be handled correctly before it is shown on the respective screens.

1. Password Cracking

“Password cracking” is a technique used in security testing. First, log in to the private areas of the website. If the user has chosen an easy username/password, a cracker tool can be used to recover the credentials and fetch the data, since lists of common usernames and passwords are available in open-source cracking tools. Many web applications do not enforce a complex password (i.e. one with alphabets, numbers and special characters, or with at least a required number of characters), which makes it easier for other users to crack the username and password.

If the web application stores the username or password in cookies, they should be stored in encrypted form, so that an attacker who uses different methods to steal the cookies will not succeed in his task.

2. URL Manipulation through HTTP GET Methods

A test engineer needs to check whether the web application passes information in the query string. This mainly happens when the web application uses the HTTP GET method to exchange information between the client and the server. The details are passed through the parameters present in the query string. The test engineer can modify a parameter value in the query string and check whether the server accepts it.

When user details are passed to the server for authentication via an HTTP GET request, an attacker can manipulate every input variable passed in that request in order to obtain the required details or to corrupt the data in the web application. Such conditions create unusual behaviour in the web server, and the attacker gets into the application easily.

3. SQL Injection

The next factor to check is SQL injection. If the tester gets a database error, it means that the user input is being inserted into a query that is then executed by the web application. In such a case, the web application is vulnerable to SQL injection.

SQL injection attacks are very critical, as an attacker can obtain vital information from the server database. To check for SQL injection points in your web application, find the code in your codebase (e.g. the endpoints documented in Swagger) that directly executes MySQL queries on the database using user input.

If user input is placed directly into the SQL queries that are run against the database, an attacker can easily inject SQL statements, or parts of SQL statements, as user input and extract vital information from the database. Even if the attacker only succeeds in crashing the web application, the SQL error displayed in the browser can give them the information they are looking for.

Special characters in user input should be handled properly in such cases.
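To make the check concrete, here is an added example (not code from the original post) in Python with SQLite: the vulnerable string-built query beside its parameterised form, plus a probe that applies the two checks described above, whether a quote in the input produces a database error and whether a crafted input is accepted as SQL. The table, the user record and the probe inputs are constructed for the demo; a real application would store a salted password hash, not plaintext.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is concatenated into the query text: the pattern the tester looks for."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Input travels as bound parameters, so it is only ever compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe(login):
    """Apply the article's two checks to a login function.

    Returns (db_error_on_quote, accepted_with_wrong_password).
    """
    conn = make_db()
    try:
        # a name containing a single quote: an error means input reached the SQL parser
        login(conn, "o'brien", "x")
        db_error = False
    except sqlite3.Error:
        db_error = True
    # a tautology in the password field: only succeeds if the input was parsed as SQL
    accepted = login(conn, "alice", "' OR '1'='1")
    return db_error, accepted


if __name__ == "__main__":
    print("vulnerable:    ", probe(login_vulnerable))      # (True, True)
    print("parameterized: ", probe(login_parameterized))   # (False, False)
```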

About Author

Sonali Gupta

Sonali is certified in manual testing and selenium web driver. She is a B.Tech through Electronics and Communication.