What is the Need for Web Application Security Testing

Proper security testing of web applications is becoming very important as more and more critical data is being stored in web applications and the volume of web transactions is increasing.

Security testing is the process that determines whether confidential data is actually secured and whether users can perform only those tasks that they are authorized to perform.

The major areas covered under Web Application Security Testing are:-

- Configuration areas
- Testing for known vulnerabilities
- Loopholes in server code or scripts
- Advice on fixes and future security plans

In order to perform useful security testing of a web application, it is necessary that the security tester has a good knowledge of the HTTP protocol. He should have a sound understanding of how the client (that is, the browser) and the server communicate using HTTP. In addition to this, he should also know the basics of SQL injection and XSS. The things to be checked while performing security testing are listed and discussed below:-

1] Password Cracking: The security testing of a web application can be started with "Password Cracking". In order to log in to private areas of the application, one can either guess the username and password or use a password cracking tool for the same purpose. Lists of common usernames and passwords are available along with open source password crackers. So it is very necessary for any web application to enforce the creation of a complex password; otherwise it does not take very long to crack the username and password. Also, if the username or password is stored in cookies without encryption, then the attacker can easily use different methods to steal the cookies.

2] SQL Injection: The next important thing to be checked is SQL injection. SQL injection attacks are very critical because the attacker can get vital information from the server database. In order to check for SQL injection entry points into your web application, it is important to find the code in your code base where direct MySQL queries are executed on the database by simply accepting user input. If user input data is built into the SQL queries used to query the database, an attacker can inject SQL statements as user input to extract important information from the database very easily. Even if the attacker is only able to crash the application, they can still get the information they are looking for.
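As an added example (not code from the original post), here is the kind of code-review finding this paragraph describes, written in Python against an in-memory SQLite table standing in for the MySQL database: a query built by string interpolation beside its parameterized fix, both run with a constructed malicious input and with an input that merely contains a quote. The table name, column names and sample rows are assumptions.

```python
import sqlite3


def build_db():
    # Constructed in-memory table standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # The anti-pattern the text describes: user input pasted straight into the query,
    # so the input can change the structure of the SQL statement.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    # The fix: a placeholder. The driver passes the value separately from the SQL text,
    # so whatever the input contains it is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def demonstrate():
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed input: the classic tautology test string
    results = {
        "vulnerable": lookup_user_vulnerable(conn, crafted),  # returns every user
        "safe": lookup_user_safe(conn, crafted),              # returns nothing
    }
    # A legitimate value containing a quote crashes the vulnerable query outright,
    # which is the "crash the application" case mentioned above.
    try:
        lookup_user_vulnerable(conn, "O'Brien")
        results["vulnerable_quote_crashes"] = False
    except sqlite3.OperationalError:
        results["vulnerable_quote_crashes"] = True
    results["safe_quote"] = lookup_user_safe(conn, "O'Brien")
    return results


if __name__ == "__main__":
    print(demonstrate())
```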

3] Cross Site Scripting [XSS]: The tester should also check the web application for XSS. Any HTML or script should not be accepted by the application; if it is, then the application can be vulnerable to an attack by cross site scripting. An attacker can easily use this method to execute a malicious script or URL in the victim's browser. Using this, the attacker can use scripts like JavaScript to steal user cookies and the information stored in the cookies. Many web applications take some user information and pass this information in variables from different pages.

There are also some other important issues which are discovered in an application test, like:-

- Command Injection
- Cookie Poisoning
- Insecure use of cryptography
- Buffer overflows
- Back doors and debug options
- Weak session management
- Forceful Browsing
- Well-known platform vulnerabilities

A final written report provides an analysis of the security problems discovered, together with the proposed solutions. So it is necessary to provide a final written report when the service of security testing is being provided.
