Penetration Test)

Source: Internet
Author: User


Generally, you need to perform a security test before launching a website of a relatively large scale. (Penetration Test)




Security Testing generally includes the following steps:


1. Select a series of security question points and analyze the feasibility of the test. (select several questions to be tested, such as SQL injection)


2. Identify system defects and identify high-risk components. (automated tools are generally used)


3. Identify possible defects that are difficult to be tested by automated testing tools.


4. Evaluate the impact of defects on potential businesses and operations.


5. Test the existing system defense capabilities and the ability to respond to and process attack data.


6. provide suggestions for improving system security




Common problems are as follows: (including but not limited)


1. SQL injection.


2. XSS and CSRF.


3. Cookies, Session hijacking and forgery.


4. Unnecessary permissions and information leakage.


5. Data forgery and authorization issues


6. Environment and code security (server configuration, obfuscation, shelling, etc)




The cause is often:


1. architecture design defects or inadequate security considerations


2. Code BUG


3. Incomplete tests, insufficient code coverage (of course, high code test coverage means a high cost, generally refers to testing logic and data)


4. Did not promptly remove the testing code and release the DEBUG information to the production environment


5. server settings, especially Permissions


6. Malicious modification by some personnel




It is generally divided into two parts: automation and labor.


Automation is generally implemented using a self-developed or third-party tool:


Third-party tool recommendations: IBM AppScan is very expensive but very useful End-to-End testing tools


There are also some free testing tools, such as nikto and skipfish, which are not really good examples ....


These automated tools also include server scanning, chain disconnection, and spelling checks.




Manual testing involves the following policies:


1. CodeReview


In fact, CodeReview is designed to put a lot of pressure on the developer, so that the developer can know that someone will view his code, so that he can provide higher quality products.

CodeReview has many other functions. Removing defects in a program is one of the most important ones.

2. Manual testing


Generally, several key processes and functions are selected for testing.



If you are interested, please refer to this document Technical Guide to Information Security Testing and Assessment.


And this webpage




In addition, we recommend that you set up different environments for the project (not only to ensure security)


1. Local


2. DEV is used for internal testing by the development team. Generally, programmers can only work in the Local and DEV environments.


3. QAT: Only QA has the permission to deploy the environment. QA works in this environment.


4. UAT users will perform tests in this environment. The establishment of this environment and Assembly compilation are often irrelevant to developers.


5. Prod



I heard and read/write

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.