Security Testing of Web Applications (I/III)
Nowadays more and more important data is stored in web applications. These applications expose customer information, financial data and other sensitive and confidential data over the internet. The number of transactions on the web has also increased tremendously. So proper Security Testing of web applications has become a necessity. Over the next few posts, I will be talking about the various types of attacks seen today, and ways to prevent them.
Security testing, in simple terms, is the process which ensures that confidential data remains confidential: users can perform only those tasks which they are authorized to perform. For example, a user should not be able to deny the functionality of the web site to other users, and a user should not be able to change the functionality of the web application in an unintended way. If a user can alter it in any way when he/she is not allowed to, then we can say that there is a vulnerability in the web application. Causes of such vulnerabilities include bugs in the application, injection of malicious SQL or script code, or the presence of viruses. Security issues in web applications are the most commonly reported vulnerabilities on the internet.
Traditionally, vulnerability analysis and its management have been focused only at the network or operating system level. In recent years, almost every business organization has come to possess a computer system for day-to-day transactions through the web, so it becomes necessary to ensure the safe usage of web applications.
As part of the process of creating a website, it is very important to guarantee that the website is free from vulnerabilities. There are different types of security testing. Some testing techniques are manual, requiring an individual to initiate and conduct the test. Other tests are highly automated and require less human involvement. Secure software will not contain faults or weaknesses that can be exploited either by human attackers or by malicious code. Software should be able to resist most of the attacks and tolerate the majority of those attacks it cannot resist. If neither resistance nor tolerance is possible and the software is compromised, it should be able to isolate itself from the attack source and degrade gracefully. After the compromise, the software should recover as quickly as possible to an acceptable level of operational capability.
Web applications provide server functionality to end users with client access, through a set of web pages. These web pages often contain script code to be executed dynamically within the client web browser. Most web applications aim to enforce simple security policies; for example, web-based email disallows any scripts in untrusted email messages. But web applications are currently subject to a large number of successful attacks that are beyond the scope of such simple policies.
There are different types of security attacks that can happen to any web application. The common attacks include cross-site scripting, cookie theft, session riding, browser hijacking, self-propagating worms in web-based email and social networking sites, etc. By understanding these attacks, web application stakeholders, mainly developers and testers, can take preventive actions against them. Here is a list of some common security attacks; I will be talking about each in detail:
- Session Handling
- Administrative Interface Access via:
  - SQL Injection
  - Parameter Tampering
  - Cross-Site Scripting
  - Buffer Overflow
A session refers to all the requests that a single client makes to a server. Session hijacking is capturing the URL of a particular application and pasting that URL into a new window of the same or a different browser to get the session of that application. Protection of a session needs to focus on the unique session identifier because it is the only thing that distinguishes one user from another. We need to do the following to avoid session hijacking:
- Ensure that the sequence of identifiers issued by the session management system is unpredictable. Otherwise, it is very easy to hijack another user's session.
- Ensure that each user gets a clean session identifier with each visit and revisit to the same site.
- Ensure that the session identifier is cleared from cookies after each logout and timeout.
- Test by pasting an internal URL directly into the browser address bar without logging in. Internal pages should not open.
- Ensure server-side validation of forms, headers, cookie fields, hidden fields, parameters, etc.
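The first three rules above (unpredictable identifiers, a clean identifier per visit, invalidation on logout and timeout) can be checked against a small server-side session store. The following is an added example for this post, not code from the original article or from Bobcares; the class name SessionStore, the IDLE_TIMEOUT constant and the injectable clock are this example's own choices.

```python
import secrets
import time

# Added example (not from the original post): a minimal server-side session
# store that applies the three session-handling rules above. Names such as
# SessionStore and IDLE_TIMEOUT are this example's own choices.

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session is dropped
TOKEN_BYTES = 32                # 256 bits of entropy per session identifier


class SessionStore:
    """In-memory session table keyed by an unpredictable identifier."""

    def __init__(self, clock=time.time):
        self._sessions = {}     # session id -> {"user": str, "last_seen": float}
        self._clock = clock     # injectable clock so timeouts can be tested offline

    def new_id(self):
        # secrets (not random) draws from the OS CSPRNG, so consecutive ids
        # share no sequence an observer could extrapolate from (rule 1).
        return secrets.token_urlsafe(TOKEN_BYTES)

    def login(self, user):
        """Issue a fresh identifier for an authenticated user."""
        sid = self.new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def rotate(self, old_sid):
        """Swap a previous identifier for a clean one (rule 2); returns None
        if the old identifier was not a live session."""
        entry = self._sessions.pop(old_sid, None)
        if entry is None:
            return None
        new_sid = self.new_id()
        entry["last_seen"] = self._clock()
        self._sessions[new_sid] = entry
        return new_sid

    def logout(self, sid):
        """Invalidate server side so a replayed identifier is useless (rule 3)."""
        self._sessions.pop(sid, None)

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or timed out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)      # expired: drop it rather than refresh it
            return None
        entry["last_seen"] = now
        return entry["user"]
```

A tester can drive this with a fake clock: log in, rotate the identifier, confirm the old one no longer resolves, advance the clock past IDLE_TIMEOUT and confirm the new one is dropped as well. Clearing the cookie in the browser is not enough on its own; the server-side entry must also be gone, which is what `logout` and the timeout branch in `lookup` enforce.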
Browser cookies are used for storing session values since they are very difficult to modify. We can protect them by using mechanisms like setting the secure flag. It is possible to restrict cookies to a particular site or even a section of a site or set them to expire automatically.
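The cookie protections mentioned above (the secure flag, restricting a cookie to a site or a section of a site, automatic expiry) all live in the attributes of the Set-Cookie header. The block below is an added example, not code from the original post: one function builds a hardened session cookie and another audits an arbitrary Set-Cookie header for the missing attributes, which is the check a tester would run against a response. The function names and the HARDENING_ATTRIBUTES list are this example's own.

```python
# Added example (not from the original post): build a hardened Set-Cookie
# header for the session identifier and audit an arbitrary Set-Cookie header
# for the attributes discussed above. Function names are this example's own.

HARDENING_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite", "Path", "Max-Age")


def build_session_cookie(name, value, path="/", max_age=900,
                         domain=None, samesite="Strict"):
    """Return a Set-Cookie header value restricted to one site section
    (Path/Domain), unreadable by script (HttpOnly), sent only over TLS
    (Secure) and expiring automatically (Max-Age)."""
    parts = [f"{name}={value}", f"Path={path}", f"Max-Age={max_age}",
             "Secure", "HttpOnly", f"SameSite={samesite}"]
    if domain:
        parts.insert(2, f"Domain={domain}")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the hardening attributes missing from a Set-Cookie header
    (an empty list means every expected attribute is present)."""
    _, _, attrs = parse_set_cookie(header)
    missing = [a for a in HARDENING_ATTRIBUTES if a.lower() not in attrs]
    # Either Max-Age or Expires gives automatic expiry, so accept Expires too.
    if "Max-Age" in missing and "expires" in attrs:
        missing.remove("Max-Age")
    return missing


# Constructed sample headers: a weak one and the hardened one built above.
WEAK_COOKIE = "SESSIONID=abc123; Path=/"
HARDENED_COOKIE = build_session_cookie("SESSIONID", "abc123",
                                       path="/app", domain="example.test")
```

Running `audit_set_cookie(WEAK_COOKIE)` lists Secure, HttpOnly, SameSite and Max-Age as missing, while the hardened header passes. The audit is deliberately attribute-based only; it does not judge the values (for example a very long Max-Age), which remains a manual review item.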
Authentication is the process of obtaining identification credentials from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated entity. In order to establish secure client-server communication, the following conditions must be satisfied:
- Enable the security option in the browser to establish client-server authentication.
- Use a security protocol for secure communication over the internet. There are mainly two types of security protocols: SSL and TLS. SSL is the most commonly used security protocol.
- Use a security certificate to authenticate the server. The client may use the Certificate Authority's public key to validate the Certificate Authority's digital signature on the server certificate before any real data has been sent or received. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted Certificate Authority. The client also checks the server certificate's validity period; the authentication process stops if the current date and time fall outside of the validity period.
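The client-side checks in the last item (require a certificate chained to a trusted CA, match it to the host, and refuse it outside its validity period) are shown below as an added example using Python's standard `ssl` module; this is not code from the original post. The certificate dict is a constructed sample in the shape returned by `ssl.SSLSocket.getpeercert()`, and the function names are this example's own.

```python
import ssl
import time

# Added example (not from the original post): the client-side certificate
# checks described above, written as reusable functions for a test harness.
# SAMPLE_CERT is constructed in the shape returned by getpeercert(); it is
# not a real certificate.


def strict_client_context():
    """A client context that requires a server certificate chained to a
    trusted CA and checks that the certificate matches the host name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Refuse the legacy SSL protocol versions; TLS 1.2 is the floor here.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_validity_period(cert, now=None):
    """Return (True, "") if `now` lies within the certificate's validity
    period, else (False, reason). `cert` uses getpeercert()'s field names."""
    now = time.time() if now is None else now
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError) as exc:
        return False, f"unparseable validity period: {exc}"
    if now < not_before:
        return False, "certificate is not yet valid"
    if now > not_after:
        return False, "certificate has expired"
    return True, ""


# Constructed sample, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    ok, reason = check_validity_period(SAMPLE_CERT)
    print("accept" if ok else f"reject: {reason}")
```

In a live connection the context returned by `strict_client_context()` performs the signature and host-name checks during the handshake and aborts the connection on failure, which is the "authentication process stops" behaviour described above; `check_validity_period` is the same date check made explicit so a test harness can exercise it with fixed timestamps rather than the wall clock.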
Next week I will talk about the various attacks that are used to try and gain access to the Administrative Interface on an application server.
About the Author:
Dhanya P.B. joined Bobcares in October 2006. Initially working in the Technical Support department, she later moved to our Software Development department where her talents truly shined. She has been working as a dedicated software tester for the past two and a half years and is passionate about learning the rhythms of various Software Testing Techniques. In her free time she listens to soft music and enjoys cooking.