
Wednesday, August 1, 2012

Security Testing Of Web Applications


Security testing is the process that determines whether confidential data stays confidential, so security testing of web applications is very important. In a web application, users must be able to perform only the tasks they are authorized to perform.

Security Testing

While doing security testing, the following key points should be considered:

1) Verify that all usernames and passwords are encrypted and that they are transferred over a secured connection such as https:// (secured transaction).
2) Verify the information stored in cookies. It should not be in a readable format.
3) Verify all HTTP methods.
4) Verify that the user session ends when the user logs off. Verify memory leaks and buffer overflows.
5) Error messages should be generic; they should not mention a specific failure such as “Invalid username” or “Invalid password”.
6) Passwords should be at least 8 characters long and contain at least one number and one special character.
7) The username should not be something like “administrator” or “admin”.
8) The application login page should be locked after a few unsuccessful login attempts.
9) Custom error messages should be displayed to the end user if a web page crashes.
10) All files must be scanned before they are uploaded to the server.
11) Sensitive data should not be passed in URLs when communicating between different internal modules of the web application.
12) Verify the application for SQL injection. (This is the process of inserting SQL statements, through the web application's user interface, into a query that is then executed by the server.)
13) Verify the application for cross-site scripting. (XSS: when a user inserts HTML or client-side script into the user interface of a web application and this insertion is visible to other users, it is called XSS.)
14) Important input validation should be done on the server side rather than relying on JavaScript checks on the client side.
15) Verify that all application and database versions are up to date.
16) Verify for memory leaks and buffer overflows.
17) Verify whether incoming network traffic is scanned to detect Trojan attacks.
18) Firewall – Make sure the entire network or all computers are protected with a firewall. A firewall can be software or hardware that blocks unauthorized access to a system.
19) Verify that the reset-password functionality is secure.
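The following login handler is an added example, not code from the original post, that puts items 1, 5, 6, 8 and 12 of the checklist into practice in one place: it stores only a salted PBKDF2 hash of the password (hashing rather than the "encryption" item 1 asks for, since a stored password should never be recoverable), enforces the item 6 password policy, returns one generic failure message, locks the account after an assumed threshold of three consecutive failures, and uses a parameterized query so user input can never become part of the SQL. The in-memory SQLite database and the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed in-memory user store; only a salt and a password hash are kept (item 1).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

MAX_ATTEMPTS = 3       # item 8: lockout threshold, an assumed value for this example
failed_attempts = {}   # username -> consecutive failures; a real app would persist this

def password_meets_policy(pw):
    """Item 6: at least 8 characters, at least one digit and one special character."""
    return (len(pw) >= 8 and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    """Reject passwords that fail the policy before anything is stored."""
    if not password_meets_policy(password):
        return False
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    return True

def unsafe_query(username):
    """Item 12, the defect to test for: input spliced into SQL. Returned as text only."""
    return f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"

def login(username, password):
    """Items 5, 8 and 12: generic message, lockout, parameterized query."""
    if failed_attempts.get(username, 0) >= MAX_ATTEMPTS:
        return (False, "Too many failed attempts; account temporarily locked.")
    # The '?' placeholder makes the driver treat username as data, never as SQL.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    # Same message whether the username is unknown or the password is wrong (item 5).
    if row is None or not hmac.compare_digest(row[1], hash_password(password, row[0])):
        failed_attempts[username] = failed_attempts.get(username, 0) + 1
        return (False, "Invalid username or password.")
    failed_attempts.pop(username, None)
    return (True, "Login successful.")
```

Note that a per-username lockout counter also lets anyone lock a known account by guessing wrongly on purpose, which is why such a test should also check how the lockout is lifted (item 19).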

The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove them and make the web application and its data safe from unauthorized actions.