Vyoms
Bookmark and Share Rss Feeds
Click here to register on Shine.com - India's Fastest growing Job site!
Web Application Security Testing - Part 2 | Articles | Recent Articles | News Article | Interesting Articles | Technology Articles | Articles On Education | Articles On Corporate | Company Articles | College Articles | Articles on Recession
Hot Jobs
leftMenu Bullet Freshers Jobs
leftMenu Bullet Experienced Jobs
leftMenu Bullet Government Jobs
leftMenu Bullet Walkin Jobs
Placement Section
leftMenu Bullet Company Profiles
leftMenu Bullet Interview Questions
leftMenu Bullet Placement Papers
Interview Ebook
Get 9,000+ Interview Questions & Answers in an eBook.
Interview Questions & Answers Kit
  • 9,000+ Interview Questions
  • All Questions Answered
  • 5 FREE Bonuses
  • Free Upgrades
Resources @ VYOMS
leftMenu Bullet Companies In India
leftMenu Bullet Consultants In India
leftMenu Bullet Colleges In India
leftMenu Bullet Exams In India
leftMenu Bullet Latest Results
leftMenu Bullet Notifications In India
leftMenu Bullet Call Centers In India
leftMenu Bullet Training Institutes In India
leftMenu Bullet Job Communities In India
leftMenu Bullet Courses In India
leftMenu Bullet Jobs by Keyskills
leftMenu Bullet Jobs by Functional Areas
Learn @ VYOMS
leftMenu Bullet GATE Preparation
leftMenu Bullet GRE Preparation
leftMenu Bullet GMAT Preparation
IAS Preparation
leftMenu Bullet SAP Preparation
leftMenu Bullet Testing Preparation
leftMenu Bullet MBA Preparation
News @ VYOMS
leftMenu Bullet Freshers News
leftMenu Bullet Job Articles
leftMenu Bullet Latest News

VYOMS TOP EMPLOYERS

Wipro Technologies
Tata Consultancy Services
Accenture
IBM
Satyam
Genpact
Cognizant Technologies

Home » Articles » Web Application Security Testing - Part 2

Web Application Security Testing - Part 2



Search Jobs:
(For ex: Software Testing Jobs, Java Jobs, .Net Jobs)
 


Article Posted On Date : Friday, February 05, 2010


Web Application Security Testing - Part 2
Advertisements

hope that you have already read first part of this article and familiar with the concept of how web applications are different from traditional client-server applications. If you have not, you might find it useful to read Part-1 as well.

In this part we will explore what kind of information is available to the client? What kind of information can be gathered from the pages which client can access? How validation is important to ensure proper security for the web application? What are cookies and how web applications use them?

 It is very important in web application security testing to gather as much information about your application as you can. You need to find out how people outside your organization will access your web application and what kind of information they can access. Typical information that will be available to any person outside your organization could be categorized as

    * Comments & Sensitive information embedded in the HTML source code
    * Error messages generated at the server and HTTP response returned.
    * Application error message  

During web application development, it is very important to think about these aspects. Comments or sensitive information can be very useful for you while developing and maintaining the code, but if it is accessed by malicious user it can be dangerous. Similarly, detailed error messages given to improve usability can results in the security loophole.

HTML source present on the client side can be an excellent source of information for the attacker. It is very easy for everyone to view HTML source code and since it is not compiled, there is no way to hide HTML comments. For testing web applications for security, you should look for the sensitive information like passwords, usernames, database names, connection strings etc. As a person responsible for security testing you need to make sure that sensitive information is not present in the HTML source code.

In order to start attack on any web application, it is important to know how its pages can be accessed, what kind of data and parameters are passed from one page to another. You can keep an eye on the URL for this purpose and look for key-value pairs.  You should always consider creating page map of your site containing this information. You can use tool or can create it manually by navigating to all the pages and making appropriate maps. After you have created this page map, you can search HTML source for specific strings containing information related to HTML comments, Application Comments, IP Address, E-Mail Address, SQL Queries, Database Connection Strings, Hidden input fields etc.

If you try to change parameters selected during this process and resubmit the request, you can find interesting information in error messages. Sometimes server or application throws overly helpful error messages which can give subtle hints to the attackers.  For example on supplying invalid password during login process if system throws error like 'invalid password' , it essentially means that username is proper.

Page map created earlier can also help you in guessing file names and directory structure present on the web server. Using this technique you can access files for which there is no link present on the pages, or which is not intended to be visible to the user. You must always check for the presence of any pattern in file names and location. Files which should not be viewed by clients should be located in places not accessible to the clients. Using this technique of educated guessing, malicious users can even access admin or control panel of the website, which usually runs as a separate sub-site or run on a different port. These type of loopholes can be identified easily by tools like port scanners and other brute-force tools.

Vulnerability of the web application can also be exposed by manipulating UI controls. For example, you might have used websites containing list boxes to take user input. Reason for providing list box is to make sure that client do not choose any other option apart from whatever is supplied in the list. It is very easy for development team to make this assumption and not do any other form of validation. What they fail to realize is that, these values can be changed by making changes in the page source even request can be tampered on transit using appropriate tools. Also if validations are present at the client-side, it is still possible to bypass those validations. This could be achieved either by disabling the java scripts or saving a local copy of the file and removing those validations. To safeguard from these vulnerabilities, it is essential to make sure that validations are present on the server side as well.

Another thing that should be checked at the client side is cookies. For people not familiar with cookies, cookies are small files of textual data that a web application writes on a client's hard drive. Web application can reuse this data on subsequent visits. Cookies can be delivered by web application using either persistent/non-persistent and secure/non-secure mode.  Cookies can be used for personalization or making sure that information is not accessed after it is expired. There are many ways in which cookies can be used. Cookies are normally stored at predefined location with predefined formats. If your application relies on cookies for any functionality, it is essential for you to make sure that tempered cookies can not be used with your application.

Hope after understanding the different ways in which security can be compromised, you will appreciate  the importance of security testing of web applications. In the next article, we will explore how data supplied by client can be tempered and servers can be attacked.

You can read more articles on software testing in our article section. You can suggest topics of your interest here , we will try to provide information on those topics as well.

These articles are influenced by the book ( "How to Break Web Software" from Mike Andrews and James A. Whittaker ) I have recently read and should be a good read for you if you need information on web application security testing. 



Latest News Alerts
A diabetes breakthrough from India
A team of Indian scientists has discovered a novel form of insulin that could drastically reduce the suffering diabetics face in controlling their blood sugar. For the diabetics, daily painful pinpricks to inject doses of insulin is a routine affair, now in a new discovery scientists claim a single shot of insulin [...]
TamilNadu Open University (TNOU) Distance Education B.ED. Admission 2010
Tamil Nadu Open University (TNOU) ADMISSION NOTIFICATION FOR B.Ed 2010-11 Tamil Nadu Open University Dote Campus Chennai 60025 Website: www.tnou.ac.in B.Ed/B.Ed Special Education (Tamil/English medium) TNOU invites application for admission to Bachelor of Education (B.Ed) (recognized by govt of Tamilnadu, NCTE/DEC) Bachelor of Education in Special Education (B.Ed SE) (recognized by govt of Tamilnadu/RCI, New Delhi) For eligibility [...]
Yeddyurappa rejects CBI probe into illegal mining issue
Even after the high-drama helmet protest by Opposition MLAs, Karnataka CM BS Yeddyurappa on Tuesday rejected the demand of CBI probe into the illegal mining issue, according to reports. Earlier on Monday, raising the pitch on the illegal mining scam, opposition Congress and JD(S) MLAs and MLCs spent the entire night [...]
Cash-less hospitalisation scrapped, patients hit
Insurance companies are scrapping cash-less hospitalisation across the country which is going to affect those in need of medical treatment. Five days ago 34-year-old Nandita was admitted to a hospital with severe anemia. Three days later she has shelled out Rs 70,000 rupees for treatment in cash as despite paying for cashless hospitalisation [...]
KVPY 2010 Kishore Vaigyanik Protsahan Yojana
Applications are invited for KVPY Fellowships for school and college students interested in research careers The department of science and technology, govt of India, offers attractive fellowships (Rs 4000 to Rs 7000 p.m.) and contingency grants (equivalent of four months fellowships per annum) to students studying in XI standard to B.Sc/B.S./Integrated M.Sc [...]
Evening storm lashes Delhi, kills 11
The Capital received the heaviest rainfall of the season on Monday evening. But the respite from three days of heat and sweat was also mired by reports of 11 deaths from across the Capital after the downpour. Six people — two at Dariba Kalan in Chandni Chowk and one at Mori Gate [...]
MS Dhoni signs Rs 200-cr endorsement deal
Team India captain MS Dhoni has signed a 200 crore rupees endorsement deal with a talent management company, taking him past Sachin Tendulkar who earlier held the contract crown. The current deal with a joint venture company, Rhiti Sports Management and Mindscapes One, is for three years. They will manage the Indian skipper’s endorsements [...]
Infosys Profit Unexpectedly Falls After Cut in Prices, Increase in Taxes
Infosys Technologies Ltd., India’s second-largest software exporter, reported profit fell during the first quarter after it cut prices to retain contracts and paid higher taxes. Net income fell 2.6 percent to 14.9 billion rupees ($318 million) in the quarter ended June 30, from 15.3 billion rupees a year earlier, after income taxes [...]


SPONSORS

FREE JOBS NEWSLETTER
3,11,757 [96,218 + 2,15,539] MEMBERS!
Contact Us | Feedback | Link to Us
Copyright © 2001-2009 VYOMS.com. All Rights Reserved. Home | About Us | Jobs | Contact Us | Privacy Policy | Terms & Conditions.
Disclaimer: VYOMS.com has taken all reasonable steps to ensure that information on this site is authentic. Applicants are advised to research bonafides of advertisers independently. VYOMS.com shall not have any responsibility in this regard.
Placement Papers | FREE SMS | C++ Interview Questions | C Interview Questions | Report a Bug | Romantic Shayari | CAT 2009