
Web application security testing is a non-functional type of software testing that is conducted to detect the vulnerabilities of the application under test and to determine how secure the data and system are from various attacks.

Web Application Security Testing

The Main Goals of Web Application Security Testing

Web application security testing is an inherent part of providing complete security. The process demonstrates that the application meets the security requirements of all interested parties. The testing is aimed at identifying possible hacking paths, evaluating the safety of a web application or website, and analyzing the risks associated with protecting against intruders and with access to confidential data.

Want to have an in-depth understanding of all modern aspects of Web Application Security Testing? Read this article carefully and bookmark it to come back later; we regularly update this page.

The key goals of web application security testing are:

Securing online transactions;

Protection of confidential information from unauthorized access;

Minimizing the risk of data loss, distortion or theft;

Increased resistance to DoS attacks.

To achieve QA security objectives, specialists must audit potential threats based on the specifics of the software. Grounded in the principles of confidentiality, availability and continuity, web application security testing helps guarantee the safety of information, accounts, access and user communications. When evaluating the potential weak points of system elements within web application security testing, a team of QA engineers should check the actual reaction of the product's defense mechanisms and then propose a set of measures to raise the level of protection of the web application against unauthorized actions.

All basic requirements for the security of web applications must also be checked and applied, resulting in a list of comments and defects graded by the criticality of the vulnerabilities.

Vulnerabilities Identified by Web Application Security Testing

If you are seriously interested in this topic, then you should definitely start by studying the main types of vulnerabilities in web applications. A list of the most popular ones can be found in the OWASP Top 10. This is an open source project created by web security enthusiasts, who publish statistics on the prevalence of vulnerabilities over the previous 3-4 years.

Although OWASP does not claim to be a standard, it has become the informal standard for testing web applications. OWASP now maintains many guides, the most useful of which for a web application security tester is the OWASP Testing Guide. It is the basis of the basics, which you must at least become acquainted with.

In most cases, vulnerabilities in web applications are caused by common web security mistakes that can cost millions. Currently, the most common types of software security vulnerabilities are the following:

Code injection. According to statistics, it affected 28% of companies. This vulnerability is becoming less common every year, but it remains the most critical of all, because it can expose your entire database. It is divided into the following attack vectors:

- injection through OS command;

- injections through SQL, LDAP, XPath queries;

- injection through parsing XML.

Using these vectors, an attacker can gain access to a single account or to the entire client database of the resource. The attack relies only on special characters and additional operators, which depend on the type of SQL database.

XSS (Cross-Site Scripting) is a web application vulnerability that allows attackers to run malicious scripts in a server-generated page in order to attack the system. It is one of the types of web application vulnerabilities that allows a script written in JS to execute on a page: the attacker injects his script into your application. According to statistics, 40% of companies that have been run through scanners have this vulnerability. In the OWASP Top 10 ranking it is in 7th place. The root cause is the developer's trust that users will not contribute pieces of code to the website.

DOM-based XSS. This type of XSS is the most dangerous of all. DOM-based XSS appears on the client side, during data processing inside JavaScript itself. It takes its name from the Document Object Model (DOM), which is required to carry it out: through the DOM, a script can access the contents of HTML and XML documents and even change them, either the structure of the document or its design.
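For the server-generated (reflected) case from the XSS paragraph above, the check a tester performs is whether a submitted marker comes back as live markup or as text. The added example below is not from the original article; it renders a constructed page template in two ways and runs that check against both. It covers server-side output encoding only; the DOM-based variant happens inside client-side JavaScript and is not exercised here.

```python
import html

# Constructed template with the input reflected in two contexts: element body
# and an attribute value.
PAGE_TEMPLATE = (
    '<html><body><h1>Results for: {query}</h1>'
    '<input name="q" value="{query}"></body></html>'
)


def render_vulnerable(query):
    """Interpolates user input straight into HTML; markup in the input is
    parsed as markup by the browser."""
    return PAGE_TEMPLATE.format(query=query)


def render_safe(query):
    """Encodes <, >, &, ' and " before interpolation, so the input is shown as
    text in both the element and the attribute context."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


# Constructed probe: closes the attribute, then injects an element carrying a
# marker the tester can search for in the response.
MARKER = "xsstest"
PROBE = '"><b>' + MARKER + '</b>'


def reflects_unencoded(render, probe=PROBE):
    """Tester's check: True if the probe is reflected byte-for-byte, i.e. as
    live markup rather than encoded text."""
    return probe in render(probe)


def marker_preserved(render, probe=PROBE):
    """The encoded page should still display the text the user typed."""
    return MARKER in render(probe)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(name, "reflects unencoded:", reflects_unencoded(fn))
```

A scanner does the same thing at scale: it submits a unique marker in every parameter and searches responses for the marker in an unencoded form. Encoding must match the context the value lands in; `html.escape` with `quote=True` is correct for element bodies and quoted attributes, but values placed inside a `<script>` block or a URL need their own encoding.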

XSRF / CSRF (Cross-Site Request Forgery) is a type of vulnerability that exploits the shortcomings of the HTTP protocol. Attackers work according to the following scheme: a link to a malicious website is placed on a page the user trusts; when the user clicks the malicious link, a script runs that harvests the user's personal data (passwords, billing information, etc.), sends SPAM messages on behalf of the user, or changes access to the user account in order to gain complete control over it.
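The weakness behind CSRF is that the browser attaches the session cookie to any request, including one triggered from another site, so the cookie alone cannot prove the user intended the action. The added example below (not from the original article) shows the standard mitigation a tester looks for on state-changing endpoints: a per-session token that a foreign page cannot know. The handler, the request dictionaries and the server secret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session: HMAC-SHA256 over the session id, so it can
    be recomputed on the server without storing it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted_token):
    """Constant-time comparison against the expected token for this session."""
    if not submitted_token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted_token)


def handle_change_email(request):
    """State-changing handler (constructed). The session cookie identifies the
    user, but only a valid form token shows the request came from our page."""
    session_id = request.get("cookie_session")
    if not session_id:
        return 401, "no session"
    if not verify_csrf_token(session_id, request.get("form_csrf_token")):
        return 403, "csrf check failed"
    return 200, "email changed to " + request["form_email"]


def demo():
    """Returns the status codes for a legitimate request, a request that
    carries the cookie but no token, and one with a token from another session."""
    session = "sess-" + secrets.token_hex(8)
    token = issue_csrf_token(session)
    legit = {"cookie_session": session, "form_csrf_token": token,
             "form_email": "user@example.com"}
    # A form submitted from a foreign page: the browser adds the cookie
    # automatically, but the page never saw the token.
    no_token = {"cookie_session": session, "form_email": "other@example.com"}
    wrong_token = {"cookie_session": session,
                   "form_csrf_token": issue_csrf_token("some-other-session"),
                   "form_email": "other@example.com"}
    return (handle_change_email(legit)[0],
            handle_change_email(no_token)[0],
            handle_change_email(wrong_token)[0])


if __name__ == "__main__":
    print(demo())
```

When testing, replay a state-changing request with the token removed or altered; a 200 response in either case means the endpoint trusts the cookie alone. Setting the session cookie with the `SameSite` attribute adds a second, browser-enforced layer, but the token check is what the application itself can verify.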

Authorization Bypass is a type of vulnerability that makes it possible to gain unauthorized access to the account or documents of another user.

Server-Side Includes (SSI) Injection. This type of vulnerability relies on running server commands directly on the server or inserting them into HTML code.

Typically, web application security testing checks the following parameters:

- Cryptography. Detects problems associated with encryption, decryption, signatures and authentication, including at the level of network protocols and when working with temporary files and cookies.

- Authentication. Makes sure that there is no way to bypass the registration and authorization procedure, that user data management is correct, and that it is not possible to obtain information about registered users and their credentials.

- Validation of input values. Checks the data processing algorithms, including their handling of incorrect values, before the application acts on the data.

- Access control. Identifies problems associated with unauthorized user access to information and functions, depending on the role the user is given; tests the configuration of the role model.

- Resistance to DoS/DDoS attacks. Checks the ability of the application to handle unplanned high loads and the large amounts of data that can be sent to disable the application.

- Server configuration. Looks for errors in multithreaded processes related to variable values being available for sharing by other applications and requests.

- Integration with third-party services. Verifies that it is impossible to manipulate the data transmitted between the application and third-party components, for example payment systems or social networks.

- Error handling mechanisms. Checks that the application's system errors do not disclose information about internal security mechanisms (for example, by displaying exceptions or program code).
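Two of the parameters listed above, access control and error handling, can be checked together on a single endpoint: a request from an under-privileged role must be refused by the role model, and an unexpected failure must not leak exception text or paths to the client. The added example below is not from the original article; the role table, the handler and the internal error message (including its file path) are constructed for the demonstration.

```python
import uuid

# Constructed role model: which actions each role may perform.
ROLE_PERMISSIONS = {
    "admin": {"view_report", "delete_user"},
    "user": {"view_report"},
}


class AccessDenied(Exception):
    """Raised when the role model does not grant the requested action."""


def authorize(role, action):
    """Central check: every sensitive action goes through here, so a missing
    call is easy to spot in review."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        raise AccessDenied(f"role {role!r} may not {action}")


def delete_user(actor_role, target):
    authorize(actor_role, "delete_user")
    # Constructed internal failure whose message contains details (a code path)
    # that must never reach the client.
    if target == "root":
        raise RuntimeError("constraint violation in /srv/app/db.py: cannot delete built-in root")
    return "deleted " + target


# Server-side record of failures; in a real system this is the application log.
_error_log = []


def handle(actor_role, action, target):
    """Maps outcomes to (status, body). Authorization failures get a generic
    403; any other exception gets a generic 500 with a reference id, and the
    detail is kept server-side."""
    try:
        if action == "delete_user":
            return 200, delete_user(actor_role, target)
        return 404, "unknown action"
    except AccessDenied:
        return 403, "forbidden"
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        _error_log.append((ref, repr(exc)))
        return 500, f"internal error, reference {ref}"


def last_logged():
    """Exposes the most recent server-side record for verification."""
    return _error_log[-1] if _error_log else None


if __name__ == "__main__":
    print(handle("user", "delete_user", "bob"))
    print(handle("admin", "delete_user", "bob"))
    print(handle("admin", "delete_user", "root"))
    print("logged:", last_logged())
```

The reference id is what support staff use to find the full record; the tester's checks are that a role without the permission never reaches the action, and that the body of a 500 response contains no exception type, message or path from the server.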

Web applications are more susceptible to security risks than other software, since by definition they are accessible from the Internet. Testing the security of web applications requires the tester to have sufficiently deep knowledge of programming and the OS, so the companies involved must constantly improve the skills of their own specialists. With the development of technologies and tools and the advent of new OS versions, security checklists keep expanding, and articles regularly appear describing current security threats and how to fix them.

When Should You Audit Applications?

Before launching a new business application;

When appending add-ons to existing applications;

For critical applications already used with the selected frequency or when making changes;

In the event of an incident related to the operation of the application, and if the application is suspected of operating incorrectly from the point of view of information security.

Before you audit applications, it’s a good idea to actually find all the applications that you have. ImmuniWeb Discovery will help you find any expired and vulnerable applications in your external infrastructure.

The degree of security of your system will be evaluated in accordance with the OWASP international security standard. We will also carry out advisory work to eliminate vulnerabilities and risks; optionally, we can develop a work schedule for operators and developers. This way you protect your own business and the users of your resource.

Now, whenever the scanner finds a new type of vulnerability, your task is to familiarize yourself with it, find out how it is reproduced and what level of severity it carries. Thus, each new vulnerability encountered in the process of web application security testing adds to the accumulated information and experience with which you can then look for the same gaps in other projects in order to make the product safe.

Additional Resources