Skip to main content

Web Application Security Testing - Part1

Web application and Client-Server, are they same? This question is very common in software testing interviews, if you are part of some e-groups related to testing, you might have heard it many times from different people.

There are numerous differences in Client-Server and Web application architecture. As a tester if you are testing Web applications, it is important to understand what Client-Server architecture is and how Web is different from traditional Client-Server architecture.

Web is a specialized version of client server network, but it has got noticeable differences. In client server network, computing resources are conserved by delegating complex and time consuming task to powerful, expensive computers called server. These server machines are much more powerful in terms of large storage and computing power. They do all the computing and delivers result back to the machines called client over a communication path. Thus client-server architecture comprises of server, client and communication path connecting them.

If you see at the lower level, client server architecture is not that simple. In order to connect two computers, you need network level protocol, you need proper software at client side and server side to send and receive data over network. You need to take care of data loss during transmission, bandwidth issues, dropped connectivity etc. Most of these issues are already addressed by protocols like TCP/IP, UDP, ARP etc. and developers face very little problem in implementing them. These protocols are backbone of the client server architecture.

WWW was developed on top of existing client server architecture. It came into existence as a replacement for FTP and email as a mechanism of sharing files and data. New development in servers to handle more requests, new client software to connect and browse resources on server; new development like HTTP, HTML etc fueled the growth of Web. Main component of the Web architecture is the Web Server, which can serve request from any client. Initially, web started serving static content and soon it was explored for the possibility of doing much more than just static content.

Even though Web is built on top of client server, there are noticeable differences. For example

  • Web is a special case of client server architecture in which fat clients are used to communicate with the server using variety of protocols and standards like HTTP, HTML, XML, SOAP etc.
  • In client server architecture, both client and server exist within the walls of a single company, thus operates in a protected environment. Clients in that case become the trusted user. Web is different, since client can connect server from anywhere thus not a single connection can be treated as trusted.
  • Because client server is typically within a company's firewall, issues related to security are not as important as in Web applications.
  • In client server architecture, clients are controlled as in who can access, how clients will communicate and use server's resources etc. In Web, mostly anyone with a browser can connect to the Web.
  • In client server architecture, every client is known; every request received by server will have information on who originated this request. In Web, users are anonymous thus pose a greater security risk.
  • Web gives more opportunity to malicious users to tamper data at the client side as well as at the network level. Chances of data being tampered in the traditional client server architecture are much lesser as compare to Web.
  • Number of clients that can be connected to the server is predictable and can be controlled in the traditional client server, but it can not be controlled in the Web.
  • Clients are much more controlled in client-server. Which OS they will use, which platform they will run on, what browser will be used every thing can be controlled. In comparison to that, nothing can be controlled in Web.

 Because of the fact that both are different, testing applications in client server, or web will also be different. The main areas where the testing gets affected can be summarized as:

  • Business Logic: Mostly in the cases of Client-Server client side business logic needs to be tested which is mostly not needed in for the web-based applications.
  • Platform / OS Dependence: The web based applications are O/S independent; they just need to be tested on different browsers. The Client-Server applications depend upon the Platform/ OS used, which accentuate their testing on different Platforms and OS.
  • Scalability: Web based Application have to be tested for performance against thousands of simultaneous users. This number will be considerably less for Client Server application
  • Security: This forms an integral part of web based applications but it might be relaxed just a bit for Client Server applications. The reason for this relaxation is based on the fact that the in case of Client-server interaction is taking place mostly between the trusted/known sources which is not the case for web based applications.

 In a nutshell it can be stated that although web-based applications are a special case of client-server applications, yet their testing differ in many areas. All the areas identified above need to be addressed adequately in your testing, specially security since every client connected in the web environment is a potential threat to the system.

Hope with this article you can appreciate the difference between client-server architecture and web application architecture. Also, how testing applications based on these architecture is different from one another. Importance of security testing in the web application testing is also established in this article.

Next article will take this subject further and discuss various techniques and tools to perform security testing for web applications.

These articles are influenced by the book ( "How to Break Web Software" from Mike Andrews and James A. Whittaker ) I have recently read and should be a good read for you if you need information on web application security testing.

Comments

Post a Comment

Popular posts from this blog

SQL SERVER Questions And Answers

SQL SERVER Questions And Answers 1. What is an Entity? The basic data item stored in database is called entity. An entity can be any object, item, place, person, concept, or activity about which data is stored. 2. What is an attribute? An attribute is a property of an entity. It describes a part of an entity. Entity could have one or more attributes. 3. What is ER diagram? An Entity Relationship Diagram is diagrammatic representation of the logical structure of a database system. 4. Describe the concept of keys. Candidate key An attribute that uniquely identifies a row is called candidate key. It is also called das surrogate key. Primary key A candidate key that you choose to identify rows uniquely is called a primary key. Alternate key If there are multiple candidate keys in a table, the candidate keys that are chosen as primary key are called the alternate keys. Composite key When the key that uniquely identifies the rows of a table is made up of more than one attribute, it is ca...
Post a Comment
Read more

Testing Measurement

Someone has rightly said that if something can not be measured, it can not be managed or improved. There is huge value in measurement, but you should always make sure that you get some value out of any measurement that you are doing. You should be able to answer the following questions: What is the purpose of this measurement program? What data items you are collecting and how you are reporting it? What is the correlation between the data and conclusion? Value addition: Any measurement program can be divided into two parts. The first part is to collect data, and the second is to prepare metrics/chart and analyses them to get the valuable insight which might help in decision making. Information collected during any measurement program can help in: Finding the relation between data points, Correlating cause and effect, Input of future planning. Normally, any metric program involves certain steps which are repeated over a period of time. It starts with identifying what to measure. After t...
Post a Comment
Read more

What’s New with QTP 9.5?

This is the general overview giving the brief description of what is new in QTP9.5 New Features: 1.  New design time panes: Various new IDE panes have been introduced which does not provide any new functionality to add up but basically the operations which were in the deep sub menus are now put up in front. Available Keyword Pane: This pane shows all the available functions in the current test (either in-action or externally added), as well as all the objects in your object repository (local and external). The items are effectively separated into groups, making it easier to search for a relevant item. Double clicking any item in the pane will open it, and dragging the item to the main window will add it to the script in the drop position. Double clicking a function will not only open the hosting file in the main window, but also focus on the exact position of the function within the file. Test Flow Pane: This pane lays out the action call structure of the current test. It outlines...
Post a Comment
Read more