Table of Contents
Security Testing Techniques
The main objective of security testing is to find out the loopholes or weakness of the software application and preventing it from the possible threats. Performing security testing regularly may be more effective in identifying potential vulnerabilities of any software application. Following security testing techniques will be most useful in performing quality security testing.
Cross Site Scripting(XSS)
Cross-site scripting (XSS) is one of the vulnerabilities found in the web application where one user enters a script and executes on the computer of another user. It enables attackers to enter HTML, JavaScript or any other programming scripts through the input fields of an application. When any script is executed through cross-site scripting, it will change the application behavior or steals personal data.
In order to prevent the web application affecting through cross-site scripting, a tester should check whether the application accepts any HTML e.g.<HTML> or any script e.g. <SCTIPT> tags.
URL Manipulation Through CGI Parameters
CGI parameters such as GET or POST methods are used to pass data between pages. They are passed in page request’s URL after the questions mark(?) and the name-value pairs are separated by the ampersand(&) characters. Among them GET method is mostly used in the web application to transfer the data between client and server. The attacker can manipulate every variable passed from this GET request to obtain the required data or to corrupt the most important data.
A tester should check whether the application passes the important data through the query string or not. A tester should also check whether it accepts changing CGI parameter values.
Password Cracking
The attacker can access the secured areas of an application by cracking the password either by guessing the password or using the password cracking software. The tester should check whether the password input field accepts weak password or not.
Altering Website Cookies
Small files of textual data that a web application or a website writes on a client’s hard drive are called cookies. The stored cookies are reused by the web application whenever necessary on subsequent visits. Cookies are stored either permanently on a hard drive or temporarily in primary memory. Since the cookies are stored in predefined locations. Hackers may also attack the data within a cookie and able to alter them easily.
In order to prevent the cookies from being attacked check whether the cookies are stored by encrypting the data. The stored cookie should have an expiration date.
SQL Injection
SQL injection is the process of inserting ‘SQL statements’ through the input fields that are executed by the server. Inserting such queries and commands can cause the data corruption or data loss. An attacker is able to use SQL injection to obtain unauthorized access to get the information from the database.
To prevent the application from being attacked with SQL injection. The application should reject entering a single quote (‘) in any text box. The application should also filter special characters and reserved words of SQL from the URL and form input fields.
Denial Of Service
Denial of service is an attack that makes deny the users from accessing the application by sending unlimited requests to the server machine or network resources. When the application is attacked with denial of service, sometimes the entire machine may be unusable.
Protecting the web application from denial of service attack is very difficult. You may trigger firewall updates to block the unusual amount of traffic received from an address or group of addresses.
URL Jumping
Users can jump to any web pages of the website by typing URL address to the browser address bar. If the users are allowed to jump from one page to another page. They may access the unauthorized page with breaking the sequence. For example, if the users are allowed to go directly delivery page with skipping the checkout page. He may receive the product or services without paying.
The tester should check whether web application or website allowed jumping from one page to another page with breaking the sequence. This type of attack can be prevented with storing last visited page and comparing with it.
Read Next: What is Automated Testing and Why it is Required