Skip to main content

Web Application Security Testing - Part 2

Hope that you have already read first part of this article and familiar with the concept of how web applications are different from traditional client-server applications. If you have not, you might find it useful to read part – 1 as well.

In this part we will explore what kind of information is available to the client? What kind of information can be gathered from the pages which client can access? How validation is important to ensure proper security for the web application? What are cookies and how web applications use them?

It is very important in web application security testing to gather as much information about your application as you can. You need to find out how people outside your organization will access your web application and what kind of information they can access. Typical information that will be available to any person outside your organization could be categorized as

  • Comments & Sensitive information embedded in the HTML source code
  • Error messages generated at the server and HTTP response returned.
  • Application error message 

During web application development, it is very important to think about these aspects. Comments or sensitive information can be very useful for you while developing and maintaining the code, but if it is accessed by malicious user it can be dangerous. Similarly, detailed error messages given to improve usability can results in the security loophole.

HTML source present on the client side can be an excellent source of information for the attacker. It is very easy for everyone to view HTML source code and since it is not compiled, there is no way to hide HTML comments. For testing web applications for security, you should look for the sensitive information like passwords, usernames, database names, connection strings etc. As a person responsible for security testing you need to make sure that sensitive information is not present in the HTML source code.

In order to start attack on any web application, it is important to know how its pages can be accessed, what kind of data and parameters are passed from one page to another. You can keep an eye on the URL for this purpose and look for key-value pairs.  You should always consider creating page map of your site containing this information. You can use tool or can create it manually by navigating to all the pages and making appropriate maps. After you have created this page map, you can search HTML source for specific strings containing information related to HTML comments, Application Comments, IP Address, E-Mail Address, SQL Queries, Database Connection Strings, Hidden input fields etc.

If you try to change parameters selected during this process and resubmit the request, you can find interesting information in error messages. Sometimes server or application throws overly helpful error messages which can give subtle hints to the attackers.  For example on supplying invalid password during login process if system throws error like 'invalid password', it essentially means that username is proper.

Page map created earlier can also help you in guessing file names and directory structure present on the web server. Using this technique you can access files for which there is no link present on the pages, or which is not intended to be visible to the user. You must always check for the presence of any pattern in file names and location. Files which should not be viewed by clients should be located in places not accessible to the clients. Using this technique of educated guessing, malicious users can even access admin or control panel of the website, which usually runs as a separate sub-site or run on a different port. These type of loopholes can be identified easily by tools like port scanners and other brute-force tools.

Vulnerability of the web application can also be exposed by manipulating UI controls. For example, you might have used websites containing list boxes to take user input. Reason for providing list box is to make sure that client do not choose any other option apart from whatever is supplied in the list. It is very easy for development team to make this assumption and not do any other form of validation. What they fail to realize is that, these values can be changed by making changes in the page source even request can be tampered on transit using appropriate tools. Also if validations are present at the client-side, it is still possible to bypass those validations. This could be achieved either by disabling the java scripts or saving a local copy of the file and removing those validations. To safeguard from these vulnerabilities, it is essential to make sure that validations are present on the server side as well.

Another thing that should be checked at the client side is cookies. For people not familiar with cookies, cookies are small files of textual data that a web application writes on a client's hard drive. Web application can reuse this data on subsequent visits. Cookies can be delivered by web application using either persistent/non-persistent and secure/non-secure mode.  Cookies can be used for personalization or making sure that information is not accessed after it is expired. There are many ways in which cookies can be used. Cookies are normally stored at predefined location with predefined formats. If your application relies on cookies for any functionality, it is essential for you to make sure that tempered cookies can not be used with your application.

Hope after understanding the different ways in which security can be compromised, you will appreciate  the importance of security testing of web applications. In the next article, we will explore how data supplied by client can be tempered and servers can be attacked.

These articles are influenced by the book ( "How to Break Web Software" from Mike Andrews and James A. Whittaker ) I have recently read and should be a good read for you if you need information on web application security testing.

Comments

Post a Comment

Popular posts from this blog

SQL SERVER Questions And Answers

SQL SERVER Questions And Answers 1. What is an Entity? The basic data item stored in database is called entity. An entity can be any object, item, place, person, concept, or activity about which data is stored. 2. What is an attribute? An attribute is a property of an entity. It describes a part of an entity. Entity could have one or more attributes. 3. What is ER diagram? An Entity Relationship Diagram is diagrammatic representation of the logical structure of a database system. 4. Describe the concept of keys. Candidate key An attribute that uniquely identifies a row is called candidate key. It is also called das surrogate key. Primary key A candidate key that you choose to identify rows uniquely is called a primary key. Alternate key If there are multiple candidate keys in a table, the candidate keys that are chosen as primary key are called the alternate keys. Composite key When the key that uniquely identifies the rows of a table is made up of more than one attribute, it is ca...
Post a Comment
Read more

Testing Measurement

Someone has rightly said that if something can not be measured, it can not be managed or improved. There is huge value in measurement, but you should always make sure that you get some value out of any measurement that you are doing. You should be able to answer the following questions: What is the purpose of this measurement program? What data items you are collecting and how you are reporting it? What is the correlation between the data and conclusion? Value addition: Any measurement program can be divided into two parts. The first part is to collect data, and the second is to prepare metrics/chart and analyses them to get the valuable insight which might help in decision making. Information collected during any measurement program can help in: Finding the relation between data points, Correlating cause and effect, Input of future planning. Normally, any metric program involves certain steps which are repeated over a period of time. It starts with identifying what to measure. After t...
Post a Comment
Read more

What’s New with QTP 9.5?

This is the general overview giving the brief description of what is new in QTP9.5 New Features: 1.  New design time panes: Various new IDE panes have been introduced which does not provide any new functionality to add up but basically the operations which were in the deep sub menus are now put up in front. Available Keyword Pane: This pane shows all the available functions in the current test (either in-action or externally added), as well as all the objects in your object repository (local and external). The items are effectively separated into groups, making it easier to search for a relevant item. Double clicking any item in the pane will open it, and dragging the item to the main window will add it to the script in the drop position. Double clicking a function will not only open the hosting file in the main window, but also focus on the exact position of the function within the file. Test Flow Pane: This pane lays out the action call structure of the current test. It outlines...
Post a Comment
Read more