The human lifestyle is greatly impacted by advances in internet technologies, and every day we become more dependent on them. They provide effective means for virtual communication, online banking, shopping, e-learning and much more. But to enjoy the benefits of web technologies, we first need to make sure that these means are secure.
Security testing services play a vital role in the software industry. Security testing is an approach to determine whether our confidential data on the web is safe from unauthorized access. Basically, it is a process to identify the vulnerabilities in a web application that arise from improper coding and design. Such vulnerabilities allow attackers to retrieve confidential information from the network. Security testing identifies holes in the software and thus improves the system's stability.
The main purpose of security testing is to discover all vulnerabilities before a web application is released.
But it is not possible to check each and every line of code to detect weaknesses in an application. The strategy should be one that saves time and effort, and testing should start in the early design phase. It should also consider all possible events that can occur and the risk associated with each of them.
Some common classes of attack target authentication, session management, SQL injection and error handling. Authentication attacks succeed on a website if users are allowed to log in with a weak password that is easily guessed by an attacker. Therefore, a password should be a combination of uppercase, lowercase and special characters of the required length.
Nowadays, most websites lock the user id if multiple wrong passwords are tried from the same IP, but hackers have found ways around this. Multiple passwords can be tried against the same user id while the IP is changed for every attempt, which is done using proxies. Many tools available online provide working proxies. Once a list of proxies is available, the hacker only needs a script that runs through the list of candidate passwords for the same id through a different proxy each time.
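The defensive consequence of the paragraph above is that a lockout keyed only on the source IP does not see an attack that rotates addresses. The following added example (not code from the original post) counts failed logins per account inside a sliding window, so changing the IP does not reset the counter, and reports the number of distinct source IPs as supporting evidence. The log format, the sample lines and the thresholds are constructed assumptions for this example.

```python
"""Detect password guessing against one account spread over many source IPs.

Per-IP lockouts miss this pattern because the source address changes every
attempt, so failures are counted per account inside a sliding time window and
the number of distinct source IPs is reported alongside the count.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<iso-timestamp> <result> user=<id> ip=<addr>".
# Account "alice" receives six failures in under 30 seconds from six IPs;
# "bob" and "carol" show ordinary, isolated failures.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=alice ip=203.0.113.10
2024-01-01T10:00:05 FAIL user=alice ip=203.0.113.11
2024-01-01T10:00:09 FAIL user=alice ip=198.51.100.7
2024-01-01T10:00:14 FAIL user=alice ip=198.51.100.8
2024-01-01T10:00:20 FAIL user=alice ip=192.0.2.25
2024-01-01T10:00:26 FAIL user=alice ip=192.0.2.26
2024-01-01T10:01:00 OK   user=bob   ip=203.0.113.50
2024-01-01T10:02:00 FAIL user=bob   ip=203.0.113.50
2024-01-01T11:30:00 FAIL user=carol ip=192.0.2.9
2024-01-01T11:40:00 FAIL user=carol ip=192.0.2.9
"""


def parse_line(line):
    """Return (timestamp, result, user, ip) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "ip" not in fields:
        return None
    return ts, parts[1], fields["user"], fields["ip"]


def detect_distributed_guessing(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {user: (failure_count, distinct_ip_count)} for every account whose
    failed logins inside one sliding window exceed max_failures.

    The window is keyed on the account, not the source IP, so rotating proxies
    does not reset it. A successful login clears the account's window.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, ip) recent failures
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        ts, result, user, ip = parsed
        q = recent[user]
        if result == "OK":
            q.clear()
            continue
        q.append((ts, ip))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_failures:
            distinct_ips = {addr for _, addr in q}
            flagged[user] = (len(q), len(distinct_ips))
    return flagged


if __name__ == "__main__":
    for user, (count, ips) in detect_distributed_guessing(SAMPLE_LOG).items():
        print(f"{user}: {count} failures from {ips} distinct IPs within the window")
```

On the constructed log only "alice" is flagged: six failures from six different addresses, which a per-IP counter would have seen as six single failures. The per-account count is what should drive a lockout or step-up challenge, with the distinct-IP count as the signal that proxies are in play.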
Another common method of breaking authentication is creating a fake page, a replica of the website's original login page. Such pages can be sent to the victim by email. Once the victim opens the page and enters his/her credentials, they become available to the hacker who created the page.
Session management is maintaining the user's identity across multiple requests. Insufficient session expiration allows an attacker to retrieve old session ids and reuse them. For example, the test scenario for an application page should make sure that the application session expires, or the application logs the user off, after a specific time; that multiple concurrent sessions by the same user are not allowed; and that confidential data is transferred over HTTPS.

Attackers can access resources by entering SQL (Structured Query Language) code into an input box of a web form, so that the dynamically generated SQL query retrieves data it should not. The risk of SQL injection rises with the use of automated tools against websites. Tests need to verify that inputs are validated so that special characters are not accepted, and that no dynamic SQL queries are used.

Information can be disclosed through improper error handling; hence tests need to be carried out on the server to validate the access control mechanism, to check the input URL, and to verify that an error message does not reveal too much information.
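To make the SQL injection and error handling points above concrete, here is an added example (not code from the original post) that runs a dynamically built query beside its parameterized form against an in-memory SQLite database, and wraps the lookup in a handler that logs database errors on the server while returning only a generic message to the caller. The table, its rows and the test inputs are constructed for this example.

```python
"""Dynamic SQL beside its parameterized replacement, plus a request handler
that never passes the database driver's error text back to the client."""
import logging
import sqlite3

logging.basicConfig(level=logging.ERROR)


def make_db():
    """Constructed sample database with two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return con


def lookup_dynamic(con, name):
    """Vulnerable form: the input is pasted into the statement text, so a
    quote character in it changes what the statement means."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, name):
    """Hardened form: the statement text is fixed and the input is bound as a
    value, so it can only ever be compared against the name column."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def respond(con, name, lookup=lookup_parameterized):
    """Request handler: on a database error the detail goes to the server log
    and the client receives a generic message, not the driver's error text."""
    try:
        return {"ok": True, "rows": lookup(con, name)}
    except sqlite3.Error as exc:
        logging.error("user lookup failed for %r: %s", name, exc)
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    con = make_db()
    tautology = "x' OR '1'='1"  # classic test input a tester would submit
    print("dynamic      :", lookup_dynamic(con, tautology))        # every row
    print("parameterized:", lookup_parameterized(con, tautology))  # no rows
    print("dynamic error:", respond(con, "O'Brien", lookup_dynamic))
    print("hardened     :", respond(con, "O'Brien"))
```

Against the test input the dynamic query returns every user, the parameterized one returns nothing, and a legitimate name containing an apostrophe breaks the dynamic statement outright; the handler shows that even then the client sees only "lookup failed" while the SQL error stays in the server log, which is exactly what the error-message check in the paragraph above is looking for.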
To secure a web application from these attacks, a tester needs to think from an attacker's point of view, understand what an attacker is looking for in the web application and how to address these vulnerabilities. Black box security testing can be performed more effectively with the various tools available on the market, like Paros, Tamper IE and web scrap. A tester needs to work with the developer to identify and analyze threats specific to their product and then draw up a plan to test for them.
Web Security Testing