Basics Of Hacking And Penetration Testing

An approach for Security Testing of Web Applications - Software Testing Help

Introduction

Owing to the huge amount of data stored in web applications and the increase in the number of transactions on the web, proper Security Testing of Web Applications is becoming more important day by day. In this article, we will learn in detail about the key terms used in Security Testing and its approach.

Security Testing is the process which checks whether the confidential data stays confidential or not. E.g. a user should not be able to deny the functionality of the website to other users, or a user should not be able to change the functionality of the web application in an unintended way, etc.

Some Key Terms Used in Security Testing

Before we proceed further, it will be useful to familiarize ourselves with a few terms that are frequently used in web application Security Testing.

What is Vulnerability? This is the weakness in the web application. The cause of such weakness can be bugs in the application, an injection (SQL/script code) or the presence of viruses.

What is URL Manipulation? Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server, and this is termed URL Manipulation.

What is SQL injection? This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.

What is XSS (Cross Site Scripting)? When a user inserts HTML/client-side script in the user interface of a web application, this insertion is visible to other users and it is termed XSS.

What is Spoofing? The creation of hoax look-alike websites or emails is called Spoofing.
Security Testing Approach

In order to perform a useful security test of a web application, the security tester should have good knowledge of the HTTP protocol. It is important to have an understanding of how the client (browser) and the server communicate using HTTP. Additionally, the tester should at least know the basics of SQL injection and XSS. Hopefully, the number of security defects present in the web application will not be high. However, being capable of describing all the security defects accurately with all the required details will definitely help.

Password Cracking

The security testing of a web application can be kicked off by password cracking. In order to log in to the private areas of the application, one can either guess a username/password or use some password cracker tool for the same. Lists of common usernames and passwords are available along with open source password crackers. If the web application does not enforce a complex password E.

If a username or password is stored in cookies without encryption, an attacker can use different methods to steal the cookies and the information stored in them, like the username and password. For more details see an article on Website cookie testing.

URL Manipulation through HTTP GET methods

A tester should check whether the application passes important information in the query string or not.
This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed through the parameters in the query string. The tester can modify a parameter value in the query string to check if the server accepts it.

Via an HTTP GET request, user information is passed to the server for authentication or fetching data. The attacker can manipulate every input variable passed from this GET request to a server in order to get the required information or to corrupt the data. In such conditions, any unusual behavior by the application or web server is the doorway for the attacker to get into an application.

SQL Injection

The next factor that should be checked is SQL injection. Entering a single quote (') in any textbox should be rejected by the application. Instead, if the tester encounters a database error, it means that the user input is inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.

SQL injection attacks are very critical as an attacker can get vital information from the server database. To check SQL injection entry points into your web application, find the code in your codebase where direct MySQL queries are executed on the database by accepting some user inputs.

If the user input data is crafted into SQL queries to query the database, an attacker can inject SQL statements or part of the SQL statements as user inputs to extract vital information from a database.
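
An added example, not from the original article: the single-quote check described above, run against a lookup that builds its query by string concatenation and against one that uses bound parameters. It uses Python's sqlite3 with an in-memory database as a stand-in for MySQL; the table, sample rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data in an in-memory SQLite database (stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return db


def find_user_vulnerable(db, name):
    # User input is pasted into the SQL text: the pattern to look for in a code review.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def find_user_safe(db, name):
    # Placeholder binding: the driver passes the value as data, never as SQL text.
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def single_quote_check(lookup, db):
    """The tester's check from the text: submit a single quote, classify the outcome."""
    try:
        lookup(db, "'")
    except sqlite3.Error as exc:
        # A database error means the input reached the SQL parser as part of the query.
        return "database error: " + type(exc).__name__
    return "handled as data"


if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", single_quote_check(find_user_vulnerable, db))
    print("bound parameter:   ", single_quote_check(find_user_safe, db))
    print("lookup of O'Brien: ", find_user_safe(db, "O'Brien"))
```

With bound parameters a legitimate value that contains a quote, such as O'Brien, is matched as data, so the lookup stays safe without the application having to refuse the character.
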
Even if an attacker manages to crash the application, the SQL query error shown in the browser can give the attacker the information they are looking for. Special characters from user inputs should be handled/escaped properly in such cases.

Cross Site Scripting (XSS)

A tester should additionally check the web application for XSS (Cross Site Scripting). Any HTML, e.g. <HTML>, or any script, e.g. <SCRIPT>, should not be accepted by the application. If it is, then the application can be prone to an attack by Cross Site Scripting.

The attacker can use this method to execute a malicious script or URL in the victim's browser. Using cross site scripting, an attacker can use scripts like JavaScript to steal user cookies and the information stored in the cookies.

Many web applications get some useful information and pass this information in some variables from different pages. E.g. http www. The attacker can easily pass some malicious input or <script> as a query parameter which can expose important user/server data in the browser.

Important: During security testing, the tester should be very careful not to modify any of the following: the configuration of the application or the server; services running on the server; existing user or customer data hosted by the application. Additionally, a security test should be avoided in a production system.

Conclusion

The purpose of a security test is to discover the vulnerabilities of the web application so that the developers can remove these vulnerabilities from the application and make the web application and data safe from any unauthorized action.

About the Author: This is a guest article by Inder P Singh. Feel free to share your comments/suggestions about this article.

© 2017