Personal opinions on website Security Testing

Source: Internet
Author: User

I have been engaged in website testing for three years. I personally think that a complete web security test should cover deployment and infrastructure, input validation, authentication, authorization, configuration management, sensitive data, session management, cryptography, parameter manipulation, exception management, and auditing and logging. The points below are the ones I check most often.

Data encryption: sensitive data such as a user's credit card details and login password must be protected in transit and at rest, not sent or stored in the clear. The test has to follow the data through its whole life: how it is encrypted on the way in, how it is stored in the database, and where it is decrypted again when it is sent to an email address or back to the browser. Two cases must be kept apart. Card data and similar records that the application later needs in clear text are encrypted reversibly, so the test asks who holds the key, where it is stored and which components can decrypt. Login passwords must never be reversible: they are stored as salted one-way hashes (scrypt, bcrypt or Argon2), so that a stolen table cannot be turned back into passwords. The cipher being new or complex proves nothing; the weak points are usually the key and the places where decryption happens.

Login: most application sites authenticate users with a login form after registration, so the user name and password must be verified to keep unauthorized users out. During the login test, check whether the password is case sensitive, whether length and complexity rules are enforced, how many failed attempts are allowed before the account is locked or throttled, whether the error message is the same for a wrong user name and a wrong password, and which pages or files require a login before they can be accessed or downloaded (request them directly, without a session).

Timeout limit: the web application must enforce a session timeout. If the user performs no operation for a defined period, the session must expire and the user must log in again before the functions can be used; a session should also have an absolute lifetime, so that a stolen session cannot be kept alive indefinitely by periodic requests.
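As an added example of the password storage, login and timeout points above (this is not code from the original article), the following Python implements salted one-way password hashing, case-sensitive verification with a constant-time compare, a minimum length rule, lockout after repeated failures, and sessions with both an idle and an absolute timeout. The policy values, the class and function names and the injectable clock are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Policy values are assumptions chosen for this example, not from the article.
MIN_PASSWORD_LEN = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT = 15 * 60        # must log in again after 15 min without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # and after 8 h in any case


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Salted one-way hash (scrypt). Returns (salt, digest).
    There is deliberately no decrypt function: a stolen table cannot be reversed."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt. The comparison is over exact bytes, so it
    is case sensitive, and constant time so timing does not leak partial matches."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class Authenticator:
    """Login and session policy. `clock` is injectable so tests can fast-forward."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, user: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token on success, None on a wrong password, an
        unknown user or a locked account (the caller shows one generic error)."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password)   # burn the same time so unknown users are not faster to probe
            return None
        if now < acct.locked_until:
            return None
        if not verify_password(password, acct.salt, acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed = 0
            return None
        acct.failed = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, created=now, last_seen=now)
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a token. An idle or over-age session is dropped, which forces
        a fresh login; otherwise the activity timestamp is refreshed."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self.sessions[token]
            return None
        sess.last_seen = now
        return sess.user
```

In a test run, the cases listed in the login paragraph map directly onto this code: log in with the password in the wrong case (must fail), register with a short password (must be rejected), fail five times and then try the right password (must be locked), wait past the idle limit and reuse the token (must require a new login).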

SSL: more and more sites use SSL/TLS to protect data in transit. SSL is the abbreviation of Secure Sockets Layer, a protocol originally published by Netscape; its successor TLS (Transport Layer Security) is what current browsers and servers actually negotiate, and the SSL versions themselves are deprecated. The protocol sits between HTTP and TCP and establishes an encrypted channel between the browser and the server. It is a hybrid scheme: public-key cryptography (for example RSA or an ECDHE key exchange, with the server's certificate proving its identity) authenticates the server and agrees on a session key, and the bulk of the traffic is then encrypted with a symmetric cipher. The public-key part works because anyone can encrypt with a public key but only the holder of the corresponding private key can decrypt. After entering an SSL site, the browser shows the padlock and the http in the address bar changes to https; a warning instead means the certificate is invalid, expired or does not match the hostname. During the SSL test, confirm that plain http requests are redirected to https for every page that handles login or sensitive data, that the certificate is valid and issued for the site's hostname, that old protocol versions and weak cipher suites are disabled, that HSTS is set and that session cookies carry the Secure flag; also check whether there are time limits on the encrypted session and other related protection.
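The checks above can be scripted. The following Python is an added example, not code from the original article: it builds the client-side TLS settings a tester should use as a baseline (chain verification, hostname check, TLS 1.2 minimum), computes days until certificate expiry from the dict that `getpeercert()` returns, parses the Strict-Transport-Security header, and in `probe_tls` performs a live connection. The function names and the sample dates are assumptions; `probe_tls` needs network access and is the only part that does.

```python
import socket
import ssl
import time
from typing import Optional


def secure_client_context() -> ssl.SSLContext:
    """Baseline client settings for a test: chain verified against the system
    trust store, hostname checked, nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter, for reporting."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """`cert` is the dict from SSLSocket.getpeercert(); notAfter is in OpenSSL's
    'Jan  1 00:00:00 2030 GMT' form and is interpreted as UTC."""
    if now is None:
        now = time.time()
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def hsts_max_age(header: Optional[str]) -> Optional[int]:
    """Parse Strict-Transport-Security. Returns max-age in seconds, or None when
    the header is missing or malformed (both count as 'HSTS not enforced')."""
    if not header:
        return None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def probe_tls(host: str, port: int = 443) -> dict:
    """Live check (needs network). Raises ssl.SSLCertVerificationError if the
    chain or hostname does not verify, which is itself a test finding."""
    ctx = secure_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),          # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],
                "days_left": days_until_expiry(cert),
                "subject": dict(pair[0] for pair in cert["subject"]),
            }
```

To check that old versions are really disabled on the server side, run `probe_tls` a second time with `ctx.maximum_version = ssl.TLSVersion.TLSv1_1` set in a copy of the context; a handshake that succeeds is the finding. The HSTS parser is meant to be fed the header from the first https response: a missing header or a small max-age means the redirect from http can still be intercepted on a later visit.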

Server-side scripting language: the scripting language running on the server is a common source of security problems, and the details differ from language to language. A script runs with the privileges of the server process, so if it can read the filesystem, use the server's mail facility or run shell commands, an attacker who gains control of a script can read configuration files and send the server's usernames and passwords to an address they control. Identify the languages and frameworks the site uses and study their known weaknesses. Also test whether scripts can be placed on or edited on the server without authorization, for example through a file upload feature or a writable web directory. The best way to stay current is to follow the security mailing list or advisories for the language and framework the site uses.

Note: a script that can reach the filesystem root, or any path outside the web root, is a particular risk. If the site contains script code with that capability, treat it as a finding and verify exactly what it exposes.

Log file: on the server, verify that logging is actually working: every transaction and every security-relevant event (successful and failed logins, privilege changes, errors) must be recorded with a timestamp, source address and user, the records must not contain passwords or session tokens, and the logs must not be writable by the web application's own account. While on the server, also watch for the symptoms that logs should be able to explain, such as unusually high CPU usage or unexpected processes.
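As an added example of reviewing such logs (not from the original article), the Python below parses a constructed auth-log sample, flags source addresses with a burst of failed logins, counts lines the parser cannot read (a gap in the record is itself a finding), and reports lines that carry a password or token in clear text. The log layout, field names, sample addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample in an assumed "timestamp ip user event [extra]" layout.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 alice LOGIN_FAIL
2024-05-01T10:00:03 203.0.113.5 alice LOGIN_FAIL
2024-05-01T10:00:04 203.0.113.5 alice LOGIN_FAIL
2024-05-01T10:00:06 203.0.113.5 alice LOGIN_FAIL
2024-05-01T10:00:07 203.0.113.5 alice LOGIN_FAIL
2024-05-01T10:00:09 203.0.113.5 alice LOGIN_OK
2024-05-01T10:05:00 198.51.100.7 bob LOGIN_FAIL
2024-05-01T10:30:00 198.51.100.7 bob LOGIN_OK password=hunter2
##### corrupted line that the parser cannot read #####
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<user>\S+) (?P<event>\S+)(?P<extra>.*)$"
)
SECRET_RE = re.compile(r"\b(password|passwd|pwd|token|secret)=", re.IGNORECASE)


def parse(log_text: str):
    """Return (entries, unparsed_count). Lines that do not fit the format are
    counted rather than silently dropped: a gap in the record is a finding."""
    entries, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        entries.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"], "user": m["user"], "event": m["event"],
        })
    return entries, unparsed


def brute_force_sources(entries, threshold=5, window=timedelta(minutes=1)) -> Set[str]:
    """Addresses with at least `threshold` LOGIN_FAIL events inside any sliding
    window of length `window` (two-pointer scan over sorted timestamps)."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in entries:
        if e["event"] == "LOGIN_FAIL":
            per_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def secret_lines(log_text: str) -> List[int]:
    """1-based line numbers that carry a credential in clear text."""
    return [n for n, line in enumerate(log_text.splitlines(), 1) if SECRET_RE.search(line)]


def audit_log(log_text: str) -> dict:
    entries, unparsed = parse(log_text)
    return {
        "parsed": len(entries),
        "unparsed": unparsed,
        "brute_force": brute_force_sources(entries),
        "secret_lines": secret_lines(log_text),
    }
```

On the sample, the five failures from 203.0.113.5 inside ten seconds are reported as a brute-force source, line 8 is reported for logging a password, and the trailing corrupted line is counted as unparsed. The same scan over a real log also answers the "is everything recorded" question: cross-check that every login attempt the test made appears as an entry.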

Directory: web directory security is a factor that cannot be ignored. If the web application or web server is configured badly, the entire directory tree can be exposed to users through simple URL substitution and guessing, which is a serious risk: backup files, configuration files and source code become downloadable. Mitigate it by disabling directory listing on the server (for example Options -Indexes in Apache or autoindex off in nginx), placing an index file such as index.htm in every directory as a fallback, and strictly setting the directory access permissions of the web server. During testing, request directories directly, try common file and backup names, and check what comes back.
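The following Python is an added example, not from the original article, that audits a copy of the web root for the problems raised in the scripting and directory sections: directories with no index file (which a server with listing enabled would enumerate), script files that group or world can write, and well-known sensitive names such as .git or .env under the document root. `build_sample_webroot` constructs a throwaway tree for demonstration; the extension, index and sensitive-name lists are assumptions to adapt to the site.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed lists; adapt to the server's actual handlers and layout.
SCRIPT_EXTS = {".php", ".cgi", ".pl", ".py", ".jsp", ".asp", ".aspx"}
INDEX_FILES = {"index.html", "index.htm", "index.php"}
SENSITIVE_NAMES = {".git", ".svn", ".env", ".htpasswd", "web.config"}


def audit_webroot(root) -> Dict[str, List[str]]:
    """Walk a web root and report: directories without an index file (listed in
    full if the server has directory listing on), script files that group or
    world can write (anyone with a foothold on the host can edit them), and
    names that should never be under the document root."""
    root = Path(root)
    findings = {"listable_dirs": [], "writable_scripts": [], "sensitive_files": []}
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if not INDEX_FILES & set(filenames):
            findings["listable_dirs"].append(str(d.relative_to(root)))
        for name in dirnames:
            if name in SENSITIVE_NAMES:
                findings["sensitive_files"].append(str((d / name).relative_to(root)))
        for name in filenames:
            p = d / name
            rel = str(p.relative_to(root))
            if name in SENSITIVE_NAMES:
                findings["sensitive_files"].append(rel)
            if p.suffix.lower() in SCRIPT_EXTS:
                if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings["writable_scripts"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_webroot() -> str:
    """Constructed throwaway tree for demonstration; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<h1>home</h1>\n")
    (root / "app").mkdir()
    (root / "app" / "index.php").write_text("<?php echo 'app'; ?>\n")
    (root / "app" / "lib.php").write_text("<?php /* library */ ?>\n")
    os.chmod(root / "app" / "lib.php", 0o644)
    (root / "uploads").mkdir()                   # no index file: listable
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "uploads" / "upload.php").write_text("<?php /* placed here */ ?>\n")
    os.chmod(root / "uploads" / "upload.php", 0o666)   # world-writable script
    (root / ".git").mkdir()                      # repository metadata in the web root
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    return str(root)
```

The root entry itself is reported as "." when it has no index file. The writable-script check only looks at group and world bits; on a real host also compare the owner against the account the web server runs as, because a script owned by that account is editable by any code the server executes.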
