Due to the huge amount of data stored in web applications and the growing number of transactions carried out on the web, proper security testing of web applications is becoming more and more important.
In this article, we will learn more about the key terms used in website security testing and the methods used to test for them.
What is security testing?
Security testing is the process of checking that confidential data stays confidential (i.e. it is not exposed to persons or entities it is not intended for) and that users can only perform the tasks they are authorized to perform.
For example, a user should not be able to deny the website's functionality to other users, and a user should not be able to change the behaviour of the web application in an unintended way.
Some key terms used in security testing
Before proceeding, it is useful to be familiar with some of the terms frequently used in web application security testing:
What is a "vulnerability"?
This is a weakness in a web application. The cause of the weakness may be a bug in the application, injection of SQL or script code, or the presence of malware.
What is "URL manipulation"?
Some web applications pass additional information between the client (browser) and the server through the URL. Changing certain information in the URL can sometimes cause unexpected behaviour on the server; this is called URL manipulation.
What is "SQL injection"?
This is the process of inserting SQL statements through the web application's user interface into a query that the server then executes.
What is "XSS (Cross Site Scripting)"?
When a user inserts HTML or client-side script into the user interface of a web application and that input is then displayed to other users, this is called XSS.
What is "spoofing"?
The creation of fake websites or emails that imitate legitimate ones is called spoofing.
Recommended security testing tool: Acunetix
Security testing approach
In order to perform useful security testing on web applications, security testers should have a thorough understanding of the HTTP protocol.
It is important to understand how the client (browser) and server communicate using HTTP.
In addition, testers should at least understand the basics of SQL injection and XSS.
Hopefully, the number of security flaws found in a web application will be low. However, being able to describe every flaw accurately, with all the details needed to reproduce it, definitely helps.
Web security testing methods
#1) Password cracking
Security testing of a web application can begin with "password cracking". To log in to the private areas of the application, one can either guess the username/password or use a password cracking tool. Lists of common usernames and passwords and open source password cracking programs are readily available.
If the web application does not enforce complex passwords (for example, a mix of letters, numbers and special characters, or a minimum number of characters), cracking a username and password may not take very long.
If the username or password is stored in a cookie without encryption, an attacker can use other methods to steal the cookie and read the information stored in it (such as the username and password).
For more details, please refer to the article "Website Cookie Testing".
#2) URL manipulation via the HTTP GET method
Testers should check whether the application passes important information in the query string. This happens when the application uses the HTTP GET method to pass information between the client and the server.
Information is passed through parameters in the query string. The tester can modify the parameter values in the query string to check whether the server accepts them.
In an HTTP GET request, user information is passed to the server for authentication or to fetch data. An attacker can manipulate every input variable passed to the server in such a GET request to obtain the desired information or corrupt the data. Any abnormal behaviour of the application or the web server in response is an entry point for the attacker into the application.
#3) SQL injection
The next thing to check is SQL injection. The application should refuse to accept a single quote (') in any text box. If instead the tester encounters a database error, it means the user input is being inserted into a query that the application then executes. In this case, the application is vulnerable to SQL injection attacks.
SQL injection attacks are critical because the attacker can obtain important information from the server's database. To find the SQL injection entry points in a web application, search the code base for places that accept user input and execute a direct MySQL query with it.
If user input is placed directly into the SQL query text that is sent to the database, the attacker can inject SQL statements, or parts of statements, as user input to extract important information from the database. Even if the attacker only succeeds in making the application fail, the SQL query error displayed in the browser can give them the information they are looking for.
In this case, special characters in user input should be handled or escaped correctly.
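To make the single-quote check concrete, here is an added example (not code from the original article) that puts a login query built by string concatenation beside a parameterised one and runs the tester's probe against both. The table, credentials and sqlite3 back end are constructed stand-ins for the MySQL database the article mentions.

```python
import sqlite3

# Constructed in-memory table standing in for the application's user database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The pattern the article warns about: user input is concatenated into the
    SQL text, so a quote typed into a text box changes the query's structure."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL text,
    so special characters need no hand-written escaping."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def single_quote_probe(login, conn):
    """The article's check: submit a lone single quote as the username.
    A database error means the input reached the query unescaped ("db_error");
    an ordinary failed login means the input was handled ("handled")."""
    try:
        login(conn, "'", "anything")
        return "handled"
    except sqlite3.Error:
        # A deployed application should also catch this and show a generic
        # error page, never the raw database message (see the paragraph above).
        return "db_error"
```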
#4) Cross-site scripting (XSS)
Testers should also check the web application for XSS (cross-site scripting). The application should not accept any HTML such as <HTML> or any script such as <SCRIPT>. If it does, the application may be vulnerable to cross-site scripting attacks.
Attackers can use this method to execute malicious scripts or URLs in the victim's browser. Using cross-site scripting, attackers can use scripts such as JavaScript to steal user cookies and the information stored in them.
Many web applications collect some useful information and pass it via variables to different pages.
For example: http://www.examplesite.com/index.php?userid=123&query=xyz
An attacker can easily pass malicious input or a <script> tag as the "query" parameter, so that important user or server data is exposed in the browser.
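The following added example (not code from the original article) covers both #2 and #4 using the URL above: a handler that trusts userid from the query string and reflects query unescaped, beside one that takes the identity from the server-side session, refuses a mismatching userid, and HTML-escapes what it reflects. The session store, profiles and token are constructed stand-ins for the application's back end.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed stand-ins for the application's session store and user data.
SESSIONS = {"sess-abc": 123}                      # session token -> authenticated user id
PROFILES = {123: "alice@example.com", 124: "bob@example.com"}

def query_params(url):
    """Returns the first value of each query-string parameter (userid, query, ...)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def handle_vulnerable(url, session_token):
    """Trusts 'userid' from the URL (URL manipulation) and reflects 'query'
    into the page unescaped (XSS): the two weaknesses described above."""
    params = query_params(url)
    profile = PROFILES.get(int(params.get("userid", "0")), "unknown")
    return f"<p>{profile}</p><p>Results for: {params.get('query', '')}</p>"

def handle_safe(url, session_token):
    """Takes the user identity from the server-side session, rejects a userid
    that does not match it, and HTML-escapes everything reflected from the URL."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return "<p>Not authenticated</p>"
    params = query_params(url)
    requested = params.get("userid")
    if requested is not None and requested != str(user_id):
        return "<p>Forbidden</p>"      # tampered userid: refuse without erroring out
    term = html.escape(params.get("query", ""), quote=True)
    return f"<p>{html.escape(PROFILES[user_id])}</p><p>Results for: {term}</p>"
```

The tester's checks map directly onto the two handlers: change userid to another user's id and see whose data comes back, then put a <script> tag in query and see whether it is reflected verbatim or as &lt;script&gt;.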
Important note: During security testing, testers should be very careful not to modify any of the following:
Application or server configuration
Services running on the server
Existing user or customer data hosted by the application
In addition, security testing on production systems should be avoided.
Conclusion
The purpose of security testing is to find vulnerabilities in web applications so that developers can remove them from the application and protect the web applications and their data from any unauthorized actions.