Web Application Security Testing
Published by: chiru94 on Jul 14, 2011
Copyright: Attribution Non-commercial
Web Application Security Testing - Part 1
Web application and client-server: are they the same? This question is very common in software testing interviews, and if you belong to any e-groups related to testing you have probably heard it many times from different people.

There are numerous differences between client-server and web application architecture. If you test web applications, it is important to understand what client-server architecture is and how the Web differs from traditional client-server architecture.

The Web is a specialized version of a client-server network, but with noticeable differences. In a client-server network, computing resources are conserved by delegating complex and time-consuming tasks to powerful, expensive computers called servers. These server machines have much larger storage and computing power. They do the computing and deliver the results back to the machines called clients over a communication path. Thus a client-server architecture comprises servers, clients and the communication path connecting them.

At a lower level, client-server architecture is not that simple. To connect two computers you need a network-level protocol, and you need proper software on both the client and the server to send and receive data over the network. You need to take care of data loss during transmission, bandwidth limits, dropped connections and so on. Most of these issues are already addressed by protocols such as TCP/IP, UDP and ARP, so developers face few problems implementing them. These protocols are the backbone of client-server architecture.

The WWW was developed on top of the existing client-server architecture. It came into existence as an alternative to FTP and email as a mechanism for sharing files and data. New server development to handle more requests, new client software to connect to and browse resources on servers, and new standards such as HTTP and HTML fueled the growth of the Web.
The main component of the Web architecture is the web server, which can serve requests from any client. Initially the Web served only static content; soon it was explored for the possibility of doing much more than that.

Even though the Web is built on top of client-server, there are noticeable differences. For example:

- The Web is a special case of client-server architecture in which thin clients (browsers) communicate with the server using a variety of protocols and standards such as HTTP, HTML, XML and SOAP.
- In client-server architecture, both client and server exist within the walls of a single company and thus operate in a protected environment; the clients in that case are trusted users. The Web is different: a client can connect to the server from anywhere, so no single connection can be treated as trusted.
- Because a client-server deployment typically sits inside a company's firewall, security issues are treated as less pressing than in web applications. (That perimeter trust is only as strong as the firewall and the people behind it, so client-server applications still need security testing; the difference is one of degree.)
- In client-server architecture, clients are controlled: who can access the server, how clients communicate, and how they use the server's resources. On the Web, nearly anyone with a browser can connect.
- In client-server architecture, every client is known; every request the server receives carries information on who originated it. On the Web, users are anonymous and thus pose a greater security risk.
- The Web gives malicious users more opportunity to tamper with data on the client side as well as at the network level. The chances of data being tampered with in traditional client-server architecture are much smaller than on the Web.
- The number of clients that can connect to the server is predictable and can be controlled in traditional client-server, but it cannot be controlled on the Web.
- Clients are much more controlled in client-server: which OS they use, which platform they run on, which browser is used, everything can be controlled. By comparison, nothing can be controlled on the Web.

Because the two are different, testing applications in client-server and web environments will also be different. The main areas where testing is affected can be summarized as:
- Business logic: In client-server, client-side business logic needs to be tested, which is mostly not needed for web-based applications. Any logic a web client does run (JavaScript validation, for instance) must be assumed to be bypassable, so it is tested by checking that the server enforces the same rule.
- Platform / OS dependence: Web-based applications are OS independent; they just need to be tested on different browsers. Client-server applications depend on the platform and OS used, which calls for testing on different platforms and operating systems.
- Scalability: Web-based applications have to be tested for performance against thousands of simultaneous users. This number will be considerably smaller for client-server applications.
- Security: This forms an integral part of web-based application testing, but it may be relaxed a little for client-server applications, because client-server interaction mostly takes place between trusted, known parties, which is not the case for web-based applications.

In a nutshell, although web-based applications are a special case of client-server applications, their testing differs in many areas. All the areas identified above need to be addressed adequately in your testing, especially security, since every client connected in the web environment is a potential threat to the system.

With this article you should be able to appreciate the difference between client-server architecture and web application architecture, and how testing applications based on these architectures differs. The importance of security testing within web application testing has also been established. The next article takes this subject further and discusses various techniques and tools for performing security testing on web applications.
These articles are influenced by the book "How to Break Web Software" by Mike Andrews and James A. Whittaker, which I have recently read and which should be a good read for you if you need information on web application security testing.
Web Application Security Testing - Part 2
I hope that you have already read the first part of this article and are familiar with how web applications differ from traditional client-server applications. If you have not, you might find it useful to read Part 1 as well.

In this part we will explore what kind of information is available to the client, what information can be gathered from the pages a client can access, why validation is important to ensure proper security for the web application, and what cookies are and how web applications use them.

It is very important in web application security testing to gather as much information about your application as you can. You need to find out how people outside your organization will access your web application and what kind of information they can reach. The information typically available to any person outside your organization can be categorized as:

- Comments and sensitive information embedded in the HTML source code.
- Error messages generated at the server and the HTTP responses returned.
- Application error messages.

During web application development it is very important to think about these aspects. Comments or sensitive information can be very useful to you while developing and maintaining the code, but if a malicious user gets access to them they can be dangerous. Similarly, detailed error messages provided to improve usability can result in a security loophole.

The HTML source present on the client side can be an excellent source of information for an attacker. It is very easy for anyone to view HTML source, and since it is not compiled there is no way to hide HTML comments. When testing web applications for security you should look for sensitive information such as passwords, usernames, database names, connection strings and so on. As the person responsible for security testing you need to make sure that such information is not present in the HTML source code.

To start an attack on any web application it is important to know how its pages can be accessed and what data and parameters are passed from one page to another. You can keep an eye on the URL for this purpose and look for key-value pairs. You should always consider creating a page map of your site containing this information. You can use a tool, or create it manually by navigating to all the pages and making the appropriate maps. After you have created this page map, you can search the HTML source for specific strings: HTML comments, application comments, IP addresses, e-mail addresses, SQL queries, database connection strings, hidden input fields, etc.
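The following script is an added example of the source review and page-map step described above; it is not code from the original article or from "How to Break Web Software". It parses a page's HTML with the standard library, collects comments, hidden inputs and inline scripts, builds the path-to-parameters map from href and action URLs, runs a set of patterns (e-mail addresses, IPv4 addresses, SQL fragments, connection-string keys, credential words) over the collected text, and separately flags a server response whose body carries a database engine's own error text. SAMPLE_HTML and SAMPLE_ERROR_BODY are constructed for the demonstration, and every pattern and function name is this example's own choice, not something the article specifies.

```python
# Added example (not the article's own code): static review of HTML source for
# the information an outsider can harvest, plus the URL key-value page map.
# SAMPLE_HTML and SAMPLE_ERROR_BODY are constructed inputs for the demo.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

SAMPLE_HTML = """<html><head><title>Orders</title>
<!-- TODO: remove before release. DB on 10.0.0.12, user appuser, password Pa55w0rd -->
</head><body>
<form action="/order.php?step=2&amp;uid=1042" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="role" value="customer">
  <input type="text" name="qty">
</form>
<a href="/report.php?id=77&amp;format=pdf">Report</a>
<!-- contact ops@example.com if the query SELECT * FROM orders WHERE id= fails -->
<script>var dsn = "Server=db01;Database=shop;User Id=sa;Password=secret;";</script>
</body></html>"""

# Strings the article says to search the source for (this example's regexes).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sql": re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.+?\b(?:FROM|INTO|SET|WHERE)\b", re.I),
    "connection_string": re.compile(r"\b(?:Server|Data Source|User Id|Password)=", re.I),
    "credential_word": re.compile(r"\b(?:password|passwd|pwd|secret)\b", re.I),
}


class SourceScanner(HTMLParser):
    """Collects the artifacts a 'view source' review looks for."""

    def __init__(self):
        super().__init__()
        self.comments = []       # HTML comments ship to every client uncompiled
        self.hidden_inputs = []  # (name, value) of hidden form fields
        self.scripts = []        # inline script bodies
        self.links = []          # (path, {param: value}) from href / action
        self._in_script = False

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_inputs.append((a.get("name"), a.get("value")))
        target = a.get("href") if tag == "a" else a.get("action") if tag == "form" else None
        if target:
            u = urlparse(target)
            self.links.append((u.path, dict(parse_qsl(u.query))))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_sensitive_strings(texts):
    """Run every pattern over every text; returns (label, matched text) pairs."""
    hits = []
    for text in texts:
        for label, rx in PATTERNS.items():
            hits.extend((label, m.group(0)) for m in rx.finditer(text))
    return hits


def page_map(links):
    """path -> sorted parameter names: the key-value map the article recommends."""
    params = {}
    for path, kv in links:
        params.setdefault(path, set()).update(kv)
    return {p: sorted(k) for p, k in params.items()}


def scan_source(html):
    s = SourceScanner()
    s.feed(html)
    s.close()
    return {
        "comments": s.comments,
        "hidden_inputs": s.hidden_inputs,
        "page_map": page_map(s.links),
        "findings": find_sensitive_strings(s.comments + s.scripts),
    }


# Server error leakage: a body carrying a stack trace or a database engine's own
# error text tells an attacker which platform and query shape sit behind the page.
ERROR_SIGNS = re.compile(
    r"Traceback \(most recent call last\)"     # Python
    r"|You have an error in your SQL syntax"    # MySQL
    r"|Unclosed quotation mark"                 # Microsoft SQL Server
    r"|ORA-\d{5}"                               # Oracle
    r"|\bat [\w$.]+\([\w.]+:\d+\)"              # Java stack frame
)


def leaks_server_detail(status, body):
    return status >= 500 or ERROR_SIGNS.search(body) is not None


SAMPLE_ERROR_BODY = ("<h1>Error</h1><pre>You have an error in your SQL syntax; "
                     "check the manual ... near ''' at line 1</pre>")

if __name__ == "__main__":
    for key, value in scan_source(SAMPLE_HTML).items():
        print(key, value)
    print("error page leaks detail:", leaks_server_detail(200, SAMPLE_ERROR_BODY))
```

On the constructed page the scan reports both comments, the two hidden fields (a price the client can edit is itself a finding), a page map of /order.php with step and uid and /report.php with format and id, and pattern hits for the IP address, the e-mail address, the SQL fragment and the connection-string keys in the inline script. Run it against a real site by feeding it the raw response bodies you fetch page by page while building the map; the patterns are a starting point and will need tuning to the application's own vocabulary.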