Testing Web Application Security
At first glance it may seem that testing web application security is about amusing pop-up XSS windows, multi-colored fonts, a stack trace emerging here and there, or SQL queries that magically work when typed into ordinary input fields or appended to URL parameters.
All this may look like a game, but many such gaps in the security of a web application can lead to serious consequences: compromise of the system, administrator-level access for an attacker, unauthorized access, data leakage, financial losses, and reputational damage.
Steps to Test Security
It should be understood that a web application is a complex system consisting of many components, and the attack vectors can differ widely: eavesdropping on or tampering with unprotected traffic channels, compromising the server OS, DDoS attacks, spam, social engineering, password sniffing, phishing emails, and exploitation of vulnerabilities in the code of the web application, its web services, or its API.
It is crucial to set clear priorities: which security threats are the most realistic and the most critical. For example, if a web application is deployed on a local network with no external access, the most likely attacks are exploitation of vulnerabilities in the application code and phishing. If the web application provides access to banking, financial, commercial, or government information with restricted access, the level of protection should be the highest for all of its components.
Here is a sample list of steps for security testing:
- Determine and justify the need for this type of testing
- Estimate the cost of performing initial analysis
- Determine the strategy and priorities for security testing
- Draw up and agree on a test plan and timeframe for testing with the management and product owner
- Prepare and configure the web application for security auditing, as well as create or generate necessary test data
- Conduct security testing using specialised scanners (Detectify, Nessus, Acunetix, Qualys, and others)
- Perform manual security testing, since scanners are prone to false positives, have limitations, and do not guarantee detection of all existing problems. Some tools that help here: Fiddler, Wireshark, Postman, SoapUI, SQL Profiler, and the browser's built-in DevTools
- Analyze reports and results, adjust the strategy and priorities
- Include security testing in the release testing plans
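The last two steps, manual validation and folding security checks into release testing, can be partly automated as a regression test that feeds a few hostile inputs through a handler and checks that they are treated as data. The block below is an added example and not code from the original article: it uses constructed probe strings, an in-memory SQLite table with two sample users, a deliberately unsafe handler pair (string-built HTML and SQL) beside the hardened pair (html.escape and a parameterized query), and a `run_checks` report that a release pipeline could gate on. All function names and the sample data are assumptions made for the example.

```python
"""Release-time regression checks for reflected HTML and SQL string building."""
import html
import sqlite3

# Constructed probe inputs (not taken from any scanner): each must be
# handled as plain data, never interpreted as markup or as SQL.
PROBES = [
    "<script>alert(1)</script>",
    "\"><img src=x onerror=alert(1)>",
    "' OR '1'='1",
]


def render_greeting_unsafe(name: str) -> str:
    # 'Before' form: user input is concatenated straight into HTML.
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    # Hardened form: escape for the HTML text context (quotes included).
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def open_demo_db() -> sqlite3.Connection:
    # Constructed sample data: two users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_ids_unsafe(conn: sqlite3.Connection, name: str):
    # 'Before' form: the query text is built from the input.
    try:
        cur = conn.execute(f"SELECT id FROM users WHERE name = '{name}'")
        return [row[0] for row in cur.fetchall()]
    except sqlite3.Error:
        # A parse error is itself a finding: the input reached the SQL parser.
        return None


def find_user_ids(conn: sqlite3.Connection, name: str):
    # Hardened form: the value is bound as a parameter, never parsed as SQL.
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def html_reflects_raw_input(render, probe: str) -> bool:
    """True when the probe appears unescaped in the rendered output."""
    return probe in render(probe)


def sql_treats_input_as_code(lookup, conn: sqlite3.Connection, probe: str) -> bool:
    """True when a probe (which matches no real user) returns rows or breaks the query."""
    rows = lookup(conn, probe)
    return rows is None or len(rows) > 0


def run_checks() -> dict:
    """Run every probe against both handler pairs; True marks a defect."""
    conn = open_demo_db()
    report = {}
    for probe in PROBES:
        report[probe] = {
            "xss_unsafe": html_reflects_raw_input(render_greeting_unsafe, probe),
            "xss_fixed": html_reflects_raw_input(render_greeting, probe),
            "sqli_unsafe": sql_treats_input_as_code(find_user_ids_unsafe, conn, probe),
            "sqli_fixed": sql_treats_input_as_code(find_user_ids, conn, probe),
        }
    conn.close()
    return report


def release_gate(report: dict) -> bool:
    """True only if no hardened handler showed a defect for any probe."""
    return not any(r["xss_fixed"] or r["sqli_fixed"] for r in report.values())


if __name__ == "__main__":
    findings = run_checks()
    for probe, result in findings.items():
        print(f"{probe!r}: {result}")
    print("release gate:", "PASS" if release_gate(findings) else "FAIL")
```

The report distinguishes the two failure modes the probes exercise: the unsafe renderer reflects every probe verbatim, while only the `' OR '1'='1` probe turns the string-built query into one that returns both sample users. The same harness can be pointed at real handlers so that a regression in escaping or parameter binding fails the release build rather than waiting for the next scanner run.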
What should a test engineer know about Testing Web Application Security?
To test web application security successfully you need a wide range of knowledge and skills, so the following is only a basic starting set:
- Know the basic principles of operation and the differences between the HTTP and HTTPS protocols. If the web application you are developing supports other protocols, such as NET.TCP, named pipes, and others, you should be familiar with them too
- Get familiar with the Top 10 Most Critical Web Application Security Risks published by the Open Web Application Security Project (OWASP)
- Take Google's XSS training course: https://xss-game.appspot.com/
Web Application Security Testing: Conclusion
Web application security is an important aspect that should not be ignored, as the consequences of ignoring it can be very damaging both for the business and for the software provider.
Creating secure software requires close cooperation between developers, test engineers, management, and customers, as well as the introduction of a culture of writing and delivering secure code. Specialised scanners help to identify security risks, but they do not eliminate the need for manual validation.