Security testing – A few words…
As we all know security is vitally important in software applications nowadays. So it is not recommended to release an application without testing for its security threats. Security testing intends to reveal the security flaws of an application and to confirm that the data and resources are protected from possible intruders.
Though web applications demand more security regarding the access and data protection, desktop application should also be secure enough in regard of its access and organization and storage of its data.
In order to be a security tester, we should put oursleves in the shoes of a malicious user or black hat hacker who aims to break the application.Breaking the application helps to analyze whether the application is secure enough to handle attacks and discover the vulnerabilities
There are four main focus areas in security testing:
- Network security: This involves securing a computer network infrastructure (resources and policies) and is handled by network administrator or system administrator
- System software security: This involves securing a software – operating system, database system, and other software
- Client-side application security: This deals with ensuring that the client (browser or any such tool) cannot be manipulated.
- Server-side application security: This involves making sure that the server code and its technologies are robust enough to fend off any intrusion.
Now, let us find some key terms and approaches which we may often come across while talking about security testing:
Vulnerable:
Term used to define how weak a web application is. An application can be vulnerable either due to the presence of viruses or bugs in application or SQL injection. There are some web applications available to learn or test the skills in web penetration testing. For example http://www.dvwa.co.uk provides such an application – DVWA which helps the security professions to try out their testing skills
Url manipulation:
Communication between client and server may have to provide additional information in the URL. The change in url is known as url manipulation which leads to unexpected flaws in the application.
By manipulating certain parts of URL, a hacker may access some pages which he is not supposed to access. On dynamic websites, mostly parameters are passed through URL. The values present on URL are created by site when a user navigates normally by clicking a link. URL can be manipulated by changing the values of the parameters manually there by accessing an unauthorized pages.
For example if a URL is http://target/forum/?p=1 , a hacker can try out changing the parameters like http://target/forum/?p=20 which may allow him to access an area which is actually protected
SQL Injection:
Here the hacker tries to inject his own SQL codes into someone else ‘s database and force to execute the SQL to run his code or more precisely the application under attack should have to run SQL that it was never supposed to run.
For example, some of the website having login form – with username and password as input fields may have additional link called ‘Forgot password, Mail me my password’. The idea is that If a user forgets his password, clicking the link will send the password to the email address provided. But this is a security flaw in the application.
When a user tries to retrieve password, the query would be something like this:
SELECT data
FROM table
WHERE Emailinput =’$email_input’;
A hacker tries the same code in another way like
SELECT data
FROM table
WHERE Emailinput=’$email_input”;
The “$email_input'” variable is used to hold whatever text the user inputs into the email address form field. The extra quote in the input field will give rise to errors as it cannot be recognized by SQL parser.
The error response gives enough information to hacker because if the response is ‘Email address is unknown ‘ or ‘Cannot recognize your email’ he can confirm that the application is really sanitized . But response like ‘Server error’ or ‘Database error’ says that the input to the database is not sanitized. If the application is not sanitized, then it means that the database can most probably be exploited, destroyed and manipulated in some way that could be very bad for the application owner.
XSS (Cross Site Scripting):
Cross site scripting is nothing but injection of client side scripts into a website.
The scripts can be HTML scripts or JavaScript scripts. Cross site scripting can be performed by passing scripts in form of – TextBox (input controls), Query Strings, Cookies, Session variables, Application variables, Retrieved data from an external or shared source.
Spoofing:
A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. There are different types of spoofing attacks – IP spoofing, ARP spoofing, DNS Spoofing, email spoofing etc.
A simple example of email spoofing is emails of lottery winning message or fake job offers etc.
Brute Force attack:
Brute force attack is a trial and error mechanism to obtain information such as user password or PIN. There are password cracker tools available nowadays. List of common user and password are available along with these password crackers. So it is essential for an application to enforce the users to use complex credentials to access most private areas of application.
These are some of the approaches hackers may use to attack the application. There are many more like browser exploit, clickjacking, content sniffing, session hijacking and mass assignment etc. The more security exploits come up,security testing becomes more and more demanding and it helps the developers to pay serious attention on protecting their application from malicious attacks.