Security testing is a large subject. Every technology that you use, whether it’s a programming language like PHP or .NET or a feature like authentication and input validation, introduces its own set of security vulnerabilities. Today we want to give you a basic idea of what security testing is and how it is performed.
What should actually come to mind when you are concerned about security?
- Authentication: The application and its data genuinely come from the origin they claim to.
- Authorization: Each user can only reach the functions they are authorized to use.
- Confidentiality: Data/information is protected from theft.
- Integrity: The application and its data are not altered over time or during transmission.
- Non-repudiation: A guarantee that the sender and receiver of information cannot deny having sent or received the data.
In the end, security testing makes applications reliable and minimizes the risk of theft or misuse of confidential data.
Hackers vs. Crackers
There are two types of people who probe websites for security holes.
The word hacker is commonly used to refer to someone who maliciously tests website security, but that is sloppy use of the term. Originally a hacker is anyone who probes an object to see how it works.
Crackers meanwhile are people who try to beat security measures.
There are plenty of legitimate hackers and crackers. Many of them happen to be security testers, and we hate it when people automatically assume that hacking and cracking are malicious.
There are also plenty of malicious crackers who try to break/crack the application and exploit its weaknesses for personal gain.
Now let’s go through the most common types of attack that a malicious cracker can use to penetrate or exploit an application’s security; these same attacks, reproduced deliberately, are what security testing is built on:
- SQL Injection: Any application that passes SQL queries through URL or text fields is potentially vulnerable to manual editing of those fields. SQL injection can result in confidential data being returned or unauthorized access being granted.
- URL Manipulation: By changing certain parts of a URL, a malicious cracker may get access to unauthorized pages.
For example, changing a URL from /login to /play on a gaming site shouldn’t allow direct access to the games.
- Brute Force Attack: This type of attack requires automated software. The idea is to try a large number of username/password combinations until one matches a valid account and grants unauthorized access.
Using JMeter, a number of username/password combinations can be generated and tested against an application. A properly secured application should not allow further login attempts after a limited number of invalid ones. An unsecured site will allow repeated and frequent login attempts and may eventually grant access to one of the combinations.
- Session Hijacking: Here the malicious cracker sniffs user login/transaction activity. As soon as a session is established between the user and the web server, the cracker hijacks or simply steals the session, or its session ID. These session IDs contain confidential information which the cracker can then use to gain unauthorized access to that account and possibly to the web server. Using a sniffer like Fiddler, the cracker watches the traffic that passes between an application and a web browser, looking for login requests. Once a session ID/key is spotted, the cracker copies and pastes it into a browser. If the session, and the app, are secured, the cracker will be sent to a login or similar page. Otherwise, the cracker has all of the access privileges of the account.
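The SQL injection item above is easiest to understand with the vulnerable query next to its fix. The following is an added example, not code from the original article or from any product it mentions: it builds a throwaway in-memory SQLite table (constructed sample data, with a plaintext password column only so the two query styles can be compared directly) and exposes the same login check twice, once with user input pasted into the SQL text and once with bound parameters. The function names, table layout and sample user are assumptions made for the example.

```python
"""Vulnerable vs. parameterised login query against an in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user. A real application would store a
    salted password hash here, never the password itself; the plaintext is
    only to keep this comparison of query styles self-contained."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The anti-pattern: field contents become part of the SQL text, so a
    quote character in the password field rewrites the WHERE clause."""
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders send the field contents as data, so whatever the
    user types is compared literally and can never become SQL syntax."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def tautology_check(login_fn, conn: sqlite3.Connection) -> bool:
    """Tester's view: returns True when the login function accepts the
    classic always-true condition in the password field, i.e. is vulnerable."""
    return login_fn(conn, "alice", "' OR '1'='1")
```

Running `tautology_check` against both functions is the kind of manual probe the article describes: the vulnerable version reports a successful login for a password that is not the password, while the parameterised version rejects it and only ever matches the literal string.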
Secure Development Best Practices
Above are the most common attacks; at a basic level, following the guidelines below will go a long way towards ensuring that an application is secure.
- Passwords are always in encrypted form.
- The browser back/forward buttons do not break the secure login.
- An unauthorized user is not able to access pages that are not intended for him.
- Sessions should time out after a specific time if a user is not active.
- Invalid content is rejected at upload and is never allowed in.
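Several of the guidelines above, together with the brute force and session hijacking items earlier, come down to a small amount of server-side policy. The following is an added example, not code from the original article: a minimal authentication service that stores passwords as salted PBKDF2 hashes (the standard way of keeping passwords "in encrypted form"), locks an account after repeated failed logins as a brute force defence, issues a fresh random session ID on every login so a sniffed or guessed old ID is useless, and expires idle sessions. The limits, the class and function names, and the injectable clock are assumptions made for the example.

```python
"""Login lockout, hashed password storage and idle session timeout."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Optional

FAILED_ATTEMPT_LIMIT = 5        # assumption: lock after 5 bad tries
LOCKOUT_SECONDS = 15 * 60       # assumption: lock lasts 15 minutes
SESSION_IDLE_SECONDS = 10 * 60  # assumption: 10 minutes of inactivity ends a session
PBKDF2_ROUNDS = 100_000         # assumption: tune upwards for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a stolen user table reveals no passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock      # injectable so lockout and timeout can be tested
        self.users = {}         # username -> salt + hash
        self.failures = {}      # username -> timestamps of recent failed logins
        self.sessions = {}      # session token -> (username, last seen)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        """Locked when FAILED_ATTEMPT_LIMIT failures fall inside the lockout window."""
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= FAILED_ATTEMPT_LIMIT

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session token, or None on bad credentials or lockout.
        The same None is returned for unknown users and wrong passwords so the
        response does not reveal which usernames exist."""
        if self.is_locked(username):
            return None
        stored = self.users.get(username)
        if stored is None or not verify_password(password, stored):
            self.failures.setdefault(username, []).append(self.clock())
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # new, unpredictable ID on every login
        self.sessions[token] = (username, self.clock())
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a session token; idle sessions are dropped, live ones refreshed."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self.clock() - last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[token]
            return None
        self.sessions[token] = (user, self.clock())
        return user
```

A page handler would call `current_user` with the cookie value and redirect to the login page on `None`, which is exactly the behaviour the session hijacking section says a secured app should show when a copied ID is replayed after expiry. One caveat to keep in mind: locking per username means that whoever can submit bad passwords can also lock a victim out, so production systems usually combine this with per-source rate limiting and alerting on lockout events rather than relying on the lock alone.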
Use of Automated Security Scanner Tools
Using the above attacks and checking that secure application development best practices have been followed is a big part of testing whether an application is secure. But one should not depend entirely on manual testing. It’s a fast-paced world with many time constraints. There are various tools on the market that can easily check for all of these security vulnerabilities in one go.
The one that I prefer is the Netsparker web application security scanner, which checks for SQL injection, URL manipulation, cross-site scripting, brute force attacks and many more vulnerabilities. A Netsparker community edition demo can be downloaded for free.
Also, there are online testing tools, but I haven’t tried any that were better than Netsparker.
Automated tools show the probability of a vulnerability using high-level tests. They give us a good place to start looking for actual vulnerabilities and make us more efficient. But testers need to take the results of these tools, speak with developers and dig deeper to find vulnerabilities.