Vyoms
Bookmark and Share Rss Feeds
Click here to register on Shine.com - India's Fastest growing Job site!
Web Application Security Testing - Part 2 | Articles | Recent Articles | News Article | Interesting Articles | Technology Articles | Articles On Education | Articles On Corporate | Company Articles | College Articles | Articles on Recession
Hot Jobs
leftMenu Bullet Freshers Jobs
leftMenu Bullet Experienced Jobs
leftMenu Bullet Government Jobs
leftMenu Bullet Walkin Jobs
Placement Section
leftMenu Bullet Company Profiles
leftMenu Bullet Interview Questions
leftMenu Bullet Placement Papers
Interview Ebook
Get 9,000+ Interview Questions & Answers in an eBook.
Interview Questions & Answers Kit
  • 9,000+ Interview Questions
  • All Questions Answered
  • 5 FREE Bonuses
  • Free Upgrades
Resources @ VYOMS
leftMenu Bullet Companies In India
leftMenu Bullet Consultants In India
leftMenu Bullet Colleges In India
leftMenu Bullet Exams In India
leftMenu Bullet Latest Results
leftMenu Bullet Notifications In India
leftMenu Bullet Call Centers In India
leftMenu Bullet Training Institutes In India
leftMenu Bullet Job Communities In India
leftMenu Bullet Courses In India
leftMenu Bullet Jobs by Keyskills
leftMenu Bullet Jobs by Functional Areas
Learn @ VYOMS
leftMenu Bullet GATE Preparation
leftMenu Bullet GRE Preparation
leftMenu Bullet GMAT Preparation
IAS Preparation
leftMenu Bullet SAP Preparation
leftMenu Bullet Testing Preparation
leftMenu Bullet MBA Preparation
News @ VYOMS
leftMenu Bullet Freshers News
leftMenu Bullet Job Articles
leftMenu Bullet Latest News

VYOMS TOP EMPLOYERS

Wipro Technologies
Tata Consultancy Services
Accenture
IBM
Satyam
Genpact
Cognizant Technologies

Home » Articles » Web Application Security Testing - Part 2

Web Application Security Testing - Part 2



Search Jobs:
(For ex: Software Testing Jobs, Java Jobs, .Net Jobs)
 


Article Posted On Date : Friday, February 05, 2010


Web Application Security Testing - Part 2
Advertisements

hope that you have already read first part of this article and familiar with the concept of how web applications are different from traditional client-server applications. If you have not, you might find it useful to read Part-1 as well.

In this part we will explore what kind of information is available to the client? What kind of information can be gathered from the pages which client can access? How validation is important to ensure proper security for the web application? What are cookies and how web applications use them?

 It is very important in web application security testing to gather as much information about your application as you can. You need to find out how people outside your organization will access your web application and what kind of information they can access. Typical information that will be available to any person outside your organization could be categorized as

    * Comments & Sensitive information embedded in the HTML source code
    * Error messages generated at the server and HTTP response returned.
    * Application error message  

During web application development, it is very important to think about these aspects. Comments or sensitive information can be very useful for you while developing and maintaining the code, but if it is accessed by malicious user it can be dangerous. Similarly, detailed error messages given to improve usability can results in the security loophole.

HTML source present on the client side can be an excellent source of information for the attacker. It is very easy for everyone to view HTML source code and since it is not compiled, there is no way to hide HTML comments. For testing web applications for security, you should look for the sensitive information like passwords, usernames, database names, connection strings etc. As a person responsible for security testing you need to make sure that sensitive information is not present in the HTML source code.

In order to start attack on any web application, it is important to know how its pages can be accessed, what kind of data and parameters are passed from one page to another. You can keep an eye on the URL for this purpose and look for key-value pairs.  You should always consider creating page map of your site containing this information. You can use tool or can create it manually by navigating to all the pages and making appropriate maps. After you have created this page map, you can search HTML source for specific strings containing information related to HTML comments, Application Comments, IP Address, E-Mail Address, SQL Queries, Database Connection Strings, Hidden input fields etc.

If you try to change parameters selected during this process and resubmit the request, you can find interesting information in error messages. Sometimes server or application throws overly helpful error messages which can give subtle hints to the attackers.  For example on supplying invalid password during login process if system throws error like 'invalid password' , it essentially means that username is proper.

Page map created earlier can also help you in guessing file names and directory structure present on the web server. Using this technique you can access files for which there is no link present on the pages, or which is not intended to be visible to the user. You must always check for the presence of any pattern in file names and location. Files which should not be viewed by clients should be located in places not accessible to the clients. Using this technique of educated guessing, malicious users can even access admin or control panel of the website, which usually runs as a separate sub-site or run on a different port. These type of loopholes can be identified easily by tools like port scanners and other brute-force tools.

Vulnerability of the web application can also be exposed by manipulating UI controls. For example, you might have used websites containing list boxes to take user input. Reason for providing list box is to make sure that client do not choose any other option apart from whatever is supplied in the list. It is very easy for development team to make this assumption and not do any other form of validation. What they fail to realize is that, these values can be changed by making changes in the page source even request can be tampered on transit using appropriate tools. Also if validations are present at the client-side, it is still possible to bypass those validations. This could be achieved either by disabling the java scripts or saving a local copy of the file and removing those validations. To safeguard from these vulnerabilities, it is essential to make sure that validations are present on the server side as well.

Another thing that should be checked at the client side is cookies. For people not familiar with cookies, cookies are small files of textual data that a web application writes on a client's hard drive. Web application can reuse this data on subsequent visits. Cookies can be delivered by web application using either persistent/non-persistent and secure/non-secure mode.  Cookies can be used for personalization or making sure that information is not accessed after it is expired. There are many ways in which cookies can be used. Cookies are normally stored at predefined location with predefined formats. If your application relies on cookies for any functionality, it is essential for you to make sure that tempered cookies can not be used with your application.

Hope after understanding the different ways in which security can be compromised, you will appreciate  the importance of security testing of web applications. In the next article, we will explore how data supplied by client can be tempered and servers can be attacked.

You can read more articles on software testing in our article section. You can suggest topics of your interest here , we will try to provide information on those topics as well.

These articles are influenced by the book ( "How to Break Web Software" from Mike Andrews and James A. Whittaker ) I have recently read and should be a good read for you if you need information on web application security testing. 



Latest News Alerts
Syndicate Bank Recruitment 2010 – Syndicate Bank wants 426 Specialist Officers
Recruitment of Specialist Officers 2010-11. SyndicateBank (A GOVERNMENT OF INDIA UNDERTAKING) HEAD OFFICE : MANIPAL-576 104 Advt. No.PD/HRDD/REC/01/2010 Syndicate Bank, a Premier Nationalised Bank, invites applications from Indian citizens for recruitment of 426 specialist officers. Opening date for Online Registration 10.03.2010 Last Date for making on-line application (All posts) and On line submission of Application form [...]
Man accused of killing toddler faces court
A 23-year-old man has made a brief appearance in the Melbourne Magistrates Court charged over the death of three-year-old Gurshan Singh. Taxi driver Gursewak Dhillon, a housemate of Gurshan Singh’s parents, is charged with manslaughter by criminal negligence. Police allege he placed the unconscious boy in the boot of his car then drove around [...]
Christian Medical College, Vellore
Admission Notification 2010 MBBS/ BDS/ BPT/ B.Sc. (Nursing) and BOT, BPT, BSc MLT Programmes ENTRANCE EXAMINATION – 2010 Group A: MBBS, BSc Nursing, BOT, BPT, BSc MLT, Eligibility: +2 with English, Physics, Chemistry, Biology or Botany & Zoology, Age: Born on or before 31.12.1993 A candidate for admission to medical course “must have 60%@ [...]
Kathryn Bigelow enters Oscar history
It is surprising that no woman has won the Oscar award for Best Director in the history of the Academy Awards until yesterday. Kathryn Bigelow entered the history by becoming the first woman to bag the award at the 82nd Annual Academy Awards. Bigelow’s film The Hurt Locker swept this year’s Academy Awards [...]
MHT-CET-2010 Notification Maharashtra
MHT-CET-2010 Will be held on Thursday 6th May 2010 Government of Maharashtra shall conduct a single combined “Common Entrance Test” MHT-CET-2010 for all Health Sciences, Engineering and Pharmacy degree courses for the academic year 2010-2011. The said CET will be held on Thursday, 6th May 2010. Government of Maharashtra Directorate of Medical [...]
MCI allots 611 PG Medical Seats to A.P. , Maharashtra gets 476 & Gujarat 290
The Medical Council of India has allocated 290 more seats for post-graduate medical courses in Gujarat .Across the country, the actual seat increment is 3,791. The modification is effective through the academic season 2010-11. This particular leap in seats can be attributed to the latest list of guidelines announced by MCI just [...]
COMEDK UGET 2010 NOTIFICATION & DATES
COMEDK Under Graduate Entrance Examination – COMEDK UGET 2010 for the Academic year 2010 – 2011 will be held on Sunday the 9th May 2010. The Online Application and other details will be made available on the COMEDK website Consortium of Medical, Engineering and Dental Colleges of Karnataka” (COMEDK). Admissions to Under Graduate [...]
Rahul-Dimpy relation to last forever?
Rahul Mahajan and Mrs.Dimpy Mahajan might be happily packing their bags for their honeymoon to Maldives. But it isn’t the same with traditionalist. Few sections of people have raised their eyebrows for Rahul getting married even before his uncle Pravin Mahajan’s 12th day funeral functions. Astrologers say that any ’shubha karya’ must not [...]


SPONSORS

FREE JOBS NEWSLETTER
3,11,757 [96,218 + 2,15,539] MEMBERS!
Contact Us | Feedback | Link to Us
Copyright © 2001-2009 VYOMS.com. All Rights Reserved. Home | About Us | Jobs | Contact Us | Privacy Policy | Terms & Conditions.
Disclaimer: VYOMS.com has taken all reasonable steps to ensure that information on this site is authentic. Applicants are advised to research bonafides of advertisers independently. VYOMS.com shall not have any responsibility in this regard.
Placement Papers | FREE SMS | C++ Interview Questions | C Interview Questions | Report a Bug | Romantic Shayari | CAT 2009