Wednesday, August 1, 2012

Security Testing Of Web Applications


Security testing is the process that verifies that “confidential data stays confidential”, so security testing of web applications is very important. In a web application, users must be able to perform only those tasks that they are authorized to perform.

Security Testing
While doing security testing, the following key points should be considered:
1) Verify that all usernames and passwords are encrypted and transferred over a secured connection such as https:// (secured transaction).
2) Verify the information stored in cookies. It should not be in a readable format.
3) Verify which HTTP methods the application accepts, and that only the required ones are enabled.
4) Verify that the user session ends when the user logs off. Also check for memory leaks and buffer overflows.
5) Error messages should be generic; they should not mention a specific error such as “Invalid username” or “Invalid password”.
6) Passwords should be at least 8 characters long and contain at least one number and one special character.
7) Usernames should not be obvious ones like “administrator” or “admin”.
8) The application login page should be locked after a few unsuccessful login attempts.
9) Custom error messages should be displayed to the end user when a web page crashes, rather than raw server errors.
10) All files must be scanned before they are uploaded to the server.
11) Sensitive data should not be passed in URLs while communicating between different internal modules of the web application.
12) Verify the application for SQL injection (the process of inserting SQL statements through the web application's user interface into a query that is then executed by the server).
13) Verify the application for cross-site scripting (XSS: when a user inserts HTML or client-side script into the user interface of a web application and this insertion is shown to other users).
14) Important input validations should be done on the server side, not only as JavaScript checks on the client side.
15) Verify that all application and database versions are up to date.
16) Verify for memory leakage and buffer overflow.
17) Verify whether incoming network traffic is scanned to detect Trojan attacks.
18) Firewall – make sure the entire network and its computers are protected by a firewall. A firewall can be software or hardware that blocks unauthorized access to a system.
19) Verify that the reset-password functionality is secure.
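Point 2 says cookies should not be readable, and points 1 and 11 say credentials and sensitive data must stay off the wire and out of URLs. The example below is added to this post (it is not the author's code) and shows the pattern a tester should expect to find: the browser holds only a random session id, the user's data lives server-side, the id is HMAC-signed so tampering is detected, and the Set-Cookie header carries the Secure and HttpOnly flags. The secret key and the sample user are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example only; a real deployment loads
# it from protected configuration, never from source code.
SECRET_KEY = b"example-secret-key-constructed-for-illustration"

# Server-side session store: the data lives here, the browser only holds an id.
SESSIONS = {}


def create_session(username, role):
    """Store the user's data server-side and return an opaque random session id."""
    session_id = secrets.token_urlsafe(32)   # never contains '.', so it splits cleanly below
    SESSIONS[session_id] = {"username": username, "role": role}
    return session_id


def sign(value, key=SECRET_KEY):
    """Append an HMAC-SHA256 tag so that any change to the value is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(cookie_value, key=SECRET_KEY):
    """Return the signed value if its tag is valid, otherwise None."""
    value, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def set_cookie_header(session_id):
    """Build the Set-Cookie header with the flags a tester should look for:
    Secure (sent over HTTPS only), HttpOnly (no script access), SameSite, Path."""
    return f"session={sign(session_id)}; Secure; HttpOnly; SameSite=Strict; Path=/"


def user_from_cookie(cookie_value):
    """Resolve a cookie back to the server-side session, or None if invalid."""
    session_id = verify(cookie_value)
    if session_id is None:
        return None
    return SESSIONS.get(session_id)


# The readable form the checklist warns about, constructed here for contrast:
# anyone holding this cookie can read the role and simply edit it.
READABLE_COOKIE = "user=alice; role=user"
```

During a test, inspect the cookie value: if it decodes to usernames, roles or anything else meaningful (as READABLE_COOKIE does), the application fails point 2; if it is an opaque token, try altering a character and confirm the server rejects it.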
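Points 5 to 8 all concern the login form: generic error messages, the password rule (8 characters, a number, a special character), reserved usernames, and locking after a few failed attempts. The following login service is an added example written for this post, not code from the blog; it implements those four checks together so a tester can see what the correct behaviour looks like. The limits (5 attempts, 15-minute lock), the reserved-name set and the PBKDF2 parameters are assumptions chosen for the example, and the `now` argument exists only to make the lockout testable without waiting.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5             # lock the account after this many consecutive failures (assumed)
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts (assumed)
GENERIC_ERROR = "Invalid username or password."   # never say which part was wrong
FORBIDDEN_USERNAMES = {"admin", "administrator", "root"}
DUMMY_SALT = secrets.token_bytes(16)  # so unknown usernames cost the same time as known ones


def hash_password(password, salt):
    """Salted PBKDF2-SHA256; this is what gets stored instead of the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_problems(password):
    """Return the policy rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    if not re.search(r"\d", password):
        problems.append("at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("at least one special character")
    return problems


def username_allowed(username):
    """Reject obvious administrative names regardless of case."""
    return username.lower() not in FORBIDDEN_USERNAMES


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self):
        self.accounts = {}

    def register(self, username, password):
        """Create an account; returns the list of policy violations (empty on success)."""
        problems = []
        if not username_allowed(username):
            problems.append("username is reserved")
        problems += password_problems(password)
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))
        return []

    def login(self, username, password, now: Optional[float] = None):
        """Return (success, message). The message is identical for every failure."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, DUMMY_SALT)   # same work as a real check
            return False, GENERIC_ERROR
        if now < acct.locked_until:
            return False, GENERIC_ERROR           # locked: reject even a correct password
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return False, GENERIC_ERROR
```

When testing a real login page, compare the responses for a wrong password on an existing account and for a non-existent account: the bodies, status codes and, ideally, response times should be indistinguishable, as they are in `login` above.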
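Points 12 to 14 describe SQL injection, cross-site scripting and the need for server-side validation. The example below is added here and is not from the original post: it places the vulnerable form of each operation next to its hardened form so a tester can see exactly what the finding is and what the fix looks like. The in-memory SQLite table, the two users and the two test inputs are constructed for the example.

```python
import html
import re
import sqlite3


def make_db():
    """In-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is pasted into the SQL text, so a quote
    in the input changes the statement the server executes (point 12)."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # assumed username format


def username_is_valid(username):
    """Server-side validation (point 14): runs whatever the browser-side
    JavaScript did, since that check can simply be bypassed."""
    return USERNAME_RE.fullmatch(username) is not None


def render_comment_vulnerable(text):
    """Deliberately vulnerable: user text becomes HTML, so a script tag runs
    in every other reader's browser (point 13)."""
    return f"<p>{text}</p>"


def render_comment_safe(text):
    """Hardened: characters with HTML meaning are escaped before output."""
    return f"<p>{html.escape(text)}</p>"


# Constructed inputs a tester would submit through the user interface.
TAUTOLOGY = "' OR '1'='1"
SCRIPT = "<script>alert(1)</script>"
```

With the vulnerable lookup, the constructed input returns every row because it has become part of the WHERE clause; with the parameterized lookup it returns nothing because the same text is just an unusual username. The validation function rejects it outright, which is the defence in depth point 14 asks for.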

The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can remove them and make the web application and its data safe from unauthorized actions.


2 comments:

  1. Would you please explain something more on SQL injection and cross-site scripting?

    1. Ya Sure,
      In my next post I will explain it briefly..!


Thanks for your comment..! Keep commenting for more and more updates. To get post updates, subscribe to the blog or become a follower of this blog. Thanks again..!