
STeP-IN SUMMIT 2009

6th International Conference on Software Testing


January 20 – 23, 2009 @ The Leela Palace, Bangalore, INDIA

Application Security Testing: Trends & Challenges

by

Surendharan S — Business Analyst

Satyam Computer Services

Copyright: STeP-IN Forum and Quality Solutions for Information Technology Pvt. Ltd.

Published with permission for restricted use in ‘STeP-IN SUMMIT 2009’ in agreement with
full copyrights from owner(s) / author(s) of material. All rights reserved. No part of this
publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording or otherwise without
the prior consent of the owner(s) / author(s). This edition is manufactured in India and is
authorized for distribution only during ‘STeP-IN SUMMIT 2009’ as per the applicable
conditions.


Produced by www.stepinforum.org; Hosted by www.qsitglobal.com
White Paper Submitted for STeP-IN SUMMIT 2009

Application Security Testing: Trends & Challenges

Author(s):

Surendharan S
Designation: Business Analyst
Email: S_Surendharan@satyam.com

Satyam Computer Services Ltd.


Satyam Cyber Space
Survey No. 12 P, Madhapur Road
Kondapur Village, Seerlingampally Mandal
Hyderabad - 500 081
Tel: +91-40-3063 6363 Extn: 36719
Fax: +91-40-6683 3040
1. Abstract:

Introduction:
Companies today are extensively moving their mission-critical applications and data
into Web browsers. Unfortunately, the features that make browsers so convenient also make
them insecure. As a result, hackers are able to use Web applications to penetrate
enterprises and access confidential information, and the identity theft that results has
become a major concern to corporations and consumers alike.
An ineffective but highly prevalent approach to Web application security today is merely to
scan the application for vulnerabilities. To devise an effective methodology for Web
application security testing, one should understand its particular testing trends and
challenges. This paper identifies those trends and challenges and thereby provides
information that can serve as useful input for testers on security testing projects.

Audience:
• Web application developers and testers
• Web designers
• Test leads

Area of Application:
• Application security testing

Benefits:
• Faster return on investment for application security testing
• Enhanced coverage of the business-critical areas while testing for security

Issues and Challenges:
• Need to protect the application from willful damage
• The standard software release model is not designed for security testing
• Difficulty in automating security testing
• Difficulty in finding skilled testers with the right competencies, since the work spans a
large number of technologies across domains
Table of Contents

1. ABSTRACT
2. INTRODUCTION: A BRIEFING OF SOME CRITICAL VULNERABILITIES
   CRITICAL VULNERABILITIES
3. CURRENT TRENDS FOR TESTING APPLICATION SECURITY
4. THE 10 BLUNDERS OF THE WEB: 10 TRENDS TO TEST FOR SECURITY
   4.1 INPUT VALIDATION TESTS
   4.2 INFORMATION GATHERING
   4.3 THE BLACK BOX TESTING METHOD
   4.4 INJECTION TESTS
   4.5 CODE AND CONTENT INJECTION TESTS
   4.6 SERVER SIDE INCLUDES (SSI) TESTS
   4.7 MISCELLANEOUS INJECTION TESTS
   4.8 PATH TRAVERSAL AND URL TESTING
   4.9 COOKIE TESTING
   4.10 SESSION SECURITY AND SESSION-ID TESTING
5. CHALLENGES IN APPLICATION SECURITY TESTING
6. CONCLUSION
7. DEFINITIONS, ABBREVIATION AND ACRONYMS
8. REFERENCES
9. ACKNOWLEDGEMENTS
10. BIOGRAPHY OF THE AUTHORS
STeP-IN SUMMIT 2009 Application Security Testing: Trends & Challenges Paper Publication

2. Introduction: A Briefing of some Critical Vulnerabilities


Critical Vulnerabilities
The Internet has become a vital delivery pipeline through which companies interact with their
customers, partners and employees, and in doing so it opens a path through the security
perimeter. Web application vulnerabilities give an unauthorized party the potential to gain
access to critical and proprietary information, use resources inappropriately, interrupt business
or commit fraud.
A Web application is a software program that typically contains scripts to interact with the end
user. A Web application consists of three components:
• The Web server, which sends pages to the end user's browser;
• The application server, which processes the data for the user; and
• The database, which stores all of the required data.

Security professionals have devoted a lot of time and energy to identifying and correcting
vulnerabilities in operating systems and server administration setups. Because server security is
being hardened, hackers are forced to find alternative ways into computing resources, and they
have become knowledgeable about exploiting legitimate avenues: the Web application, which the
perimeter must expose by design, has become their target.
HTML source code, including programmer-created comments and any passwords or IDs left within
the code, can help hackers better understand your system. Comments that are helpful to the
authorized programmer are equally helpful to the hacker for discerning file paths and finding
other opportunities.

Figure: [BLACK HAT 01]


3. Current Trends for testing Application Security

Emphasis on software security issues gained footing in 2005 [CGI 02], and the new wisdom
is for enterprises to test applications for security, in addition to functionality, performance, and
usability, prior to deployment. The best place to start is where the attacker will: by
investigating and testing applications for security problems.

There are three main classes of software security testing tools: application scanning tools,
proxy-based tools, and automated penetration testing tools. Unfortunately, these tools are
difficult to compare in a meaningful way, and their use requires expertise in security, testing,
and the technologies used by the application. So enterprises will need either to outsource this
testing or to train quality assurance (QA) staff to be security testers. Testing application security
allows organizations to fix or mitigate problems before attackers can find and exploit them.

The following sections focus on the areas of an application that need to be probed because they
are frequent targets for attackers. Probing these areas, alongside other forms of security testing
at the design, network and data layers, helps in building Web applications that resist attack.
[OWASP 03]

4. The 10 Blunders of the Web: 10 Trends to Test for Security

Security testing of this kind is also referred to as 'penetration testing'. Web application
environments expose data elements in a manner that fails to identify how they were captured,
and hence what kind of validation and sanity checking should be applied to them. Because the
Web "environment" is so diverse and contains so many forms of programmatic content, input
validation and sanity checking is the key to Web application security. This involves both
identifying and enforcing the valid domain of every user-definable data element, and a sufficient
understanding of the source of all data elements to determine which are potentially user
definable (headers, cookies and hidden form fields are user-controlled just as much as visible
form fields). Based on the type of application, its design and its functionality, the following
tests can be performed as applicable.


4.1 Input Validation Tests


Input validation issues can be difficult to locate in a large codebase with many user
interactions, which is the main reason that developers employ penetration testing
methodologies to expose these problems. When approaching a Web application as a penetration
tester, all of this must be taken into account, and a methodical process of input/output or
"black box" testing must be applied.
4.2 Information Gathering
One of the first steps of the penetration test should be to identify the Web application
environment, including the scripting language and Web server software in use, and the
operating system of the target server. All of these crucial details are easy to obtain from a
typical Web application server by following the steps below:
• Investigate the output from HEAD and OPTIONS HTTP requests (server banner, permitted methods)
• Investigate the format and wording of 404 and other error pages
• Test for recognized file types, extensions and directories
• Examine the source of available pages
• Manipulate inputs in order to elicit a scripting error
• TCP/ICMP and service fingerprinting
• Hidden form elements and source disclosure
• Determining authentication mechanisms
• Checking for the vulnerability classes published by OWASP
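The HTTP-level steps above can be scripted. The following is an added example, not code from the paper: a Python probe that runs the HEAD/OPTIONS, error-page and page-source steps and reports what they reveal. Because it has to run offline, it starts its own constructed target, a small local HTTP server standing in for a poorly hardened application, which deliberately leaks a server banner, an X-Powered-By header, a verbose 404 page, a hidden form field and a developer comment. Every banner, path and field name in that target is invented for the example; against a real engagement you would call fingerprint() with the host and port under test and drop the local server.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target page (not from any real site): a login form with a
# hidden field and a developer comment that discloses paths.
INDEX_HTML = b"""<html><body>
<!-- TODO remove before go-live: admin panel at /admin_v2/, creds in /inc/db.cfg -->
<form method="post" action="/login.asp">
  <input type="hidden" name="debug" value="0">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""


class LeakyHandler(BaseHTTPRequestHandler):
    """Constructed target that behaves like a poorly hardened server (invented banners)."""
    server_version = "Microsoft-IIS/6.0"   # leaks product and version in the Server header
    sys_version = ""

    def log_message(self, *args):
        pass  # keep the example quiet

    def _respond(self, code, body=b"", allow=None):
        self.send_response(code)                      # also emits Server: and Date:
        self.send_header("X-Powered-By", "ASP.NET")   # leaks the framework
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        if allow:
            self.send_header("Allow", allow)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/":
            self._respond(200, INDEX_HTML)
        else:  # verbose default-style 404 that leaks the filesystem layout
            body = ("<h1>HTTP 404</h1>Cannot find C:\\inetpub\\wwwroot%s" % self.path).encode()
            self._respond(404, body)

    def do_HEAD(self):
        self._respond(200)

    def do_OPTIONS(self):
        self._respond(200, allow="GET, HEAD, POST, OPTIONS, TRACE, PUT")


def start_target():
    """Start the constructed target on an ephemeral localhost port (example scaffolding)."""
    srv = HTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fingerprint(host, port):
    """Run the section 4.2 recon steps against host:port and return what was learned."""
    found = {}
    conn = http.client.HTTPConnection(host, port, timeout=5)

    # Step 1: HEAD and OPTIONS reveal banner, framework and permitted methods.
    conn.request("HEAD", "/")
    r = conn.getresponse(); r.read()
    found["server"] = (r.getheader("Server") or "").strip()
    found["powered_by"] = r.getheader("X-Powered-By")
    conn.request("OPTIONS", "/")
    r = conn.getresponse(); r.read()
    methods = [m.strip() for m in (r.getheader("Allow") or "").split(",") if m.strip()]
    found["methods"] = methods
    found["risky_methods"] = sorted(set(methods) & {"PUT", "DELETE", "TRACE"})

    # Step 2: the 404 page; default error pages often disclose the install path.
    conn.request("GET", "/does-not-exist-4242")
    r = conn.getresponse(); body = r.read().decode(errors="replace")
    m = re.search(r"[A-Za-z]:\\[^<\s]+|/(?:var|home|usr|srv|opt)/[^<\s]+", body)
    found["404_path_leak"] = m.group(0) if m else None

    # Step 3: page source; hidden fields, comments and file extensions in use.
    conn.request("GET", "/")
    r = conn.getresponse(); html = r.read().decode(errors="replace")
    found["hidden_fields"] = re.findall(r'type="hidden"\s+name="([^"]+)"', html)
    found["comments"] = [c.strip() for c in re.findall(r"<!--(.*?)-->", html, re.S)]
    found["extensions"] = sorted(set(re.findall(r'action="[^"]*\.(\w+)"', html)))
    conn.close()
    return found


if __name__ == "__main__":
    target = start_target()
    for key, value in fingerprint(*target.server_address).items():
        print("%-15s %s" % (key, value))
    target.shutdown()
```

Each finding maps to a bullet above: the banner and framework header identify the platform, the Allow list flags dangerous methods such as PUT and TRACE, the 404 body gives away the install path, and the hidden field, comment and .asp extension come straight from the page source. Real servers vary in how chatty they are, so treat an empty finding as "not disclosed this way", not as "not present".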
4.3 The Black box Testing Method
The black box testing method is a technique for hardening and penetration-testing Web
applications where the source code of the application is not available to the tester. It forces
the penetration tester to look at the Web application from a user's perspective (and therefore
an attacker's perspective). The black box tester should first get a 'feel' for the application and
learn its expected behavior. The term black box refers to this Input / Unknown Process / Output
approach to penetration testing.


4.4 Injection Tests


Many Web application developers (regardless of the environment) do not properly handle user
input before using it directly in SQL queries, operating system commands and so on. Stripping
"nasty" characters is the common but fragile remedy; the robust one is to keep data separate
from code, for example by using parameterized queries rather than string concatenation. The
most effective method of locating injection vulnerabilities is by hand: studying application
inputs and inserting special characters such as the single quote. With many of the popular back
ends, informative error pages are displayed by default, which often give clues to the SQL query
and the server directories in use.
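The manual probing just described, as an added example that is not code from the paper. It uses Python with an in-memory SQLite table of invented users; lookup_vulnerable() is the blunder (the input concatenated into the query), lookup_safe() is the parameterized fix, and probe() plays the tester, feeding the classic payloads to each and recording the rows or the error that came back. The table, users and payloads are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database (in memory, so the example runs offline)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)",
                   [("alice", 0), ("bob", 0), ("root", 1)])
    return db


def lookup_vulnerable(db, username):
    """The blunder: user input is concatenated straight into the query text,
    so the database cannot tell where the data ends and the SQL begins."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, username):
    """The fix: a parameterized query. The value travels separately from the
    SQL and is never interpreted as syntax, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def probe(lookup, db, payloads):
    """The manual step from section 4.4: feed special characters to an input and
    record, per payload, either the rows returned or the error the back end raised."""
    outcome = {}
    for payload in payloads:
        try:
            outcome[payload] = ("rows", lookup(db, payload))
        except sqlite3.Error as exc:      # an informative error is itself a finding
            outcome[payload] = ("error", str(exc))
    return outcome


# Classic tester payloads: a benign value, a lone quote to break the syntax,
# a tautology to widen the WHERE clause, and a UNION to pull other rows.
PAYLOADS = [
    "alice",
    "'",
    "' OR '1'='1",
    "x' UNION SELECT username FROM users WHERE is_admin = 1 --",
]


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print("==", name)
        for payload, result in probe(fn, db, PAYLOADS).items():
            print("%-60r %s" % (payload, result))
```

Against the vulnerable lookup the lone quote produces a syntax error whose text names the offending token (the "informative error page" of the paragraph above), the tautology returns every user, and the UNION returns the administrator. Against the parameterized lookup all three return no rows, because the payload is only ever compared as a username.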
4.5 Code and Content Injection Tests
Code injection vulnerabilities occur where the output or content served from a Web
application can be manipulated in such a way that it triggers server-side code execution. The
typical case is an application that writes user-supplied content into a file or template and later
loads that file through the scripting engine. The vulnerability hinges upon the manner in which
the application loads and passes through the contents of such manipulated files: if this is done
before the scripting language is parsed and executed, the user-modified content may also be
subject to parsing and execution.
4.6 Server Side Includes (SSI) Tests
SSI is used to include libraries of code or re-usable elements of content, such as a site
template header and footer. SSI is interpreted by the Web server, not by the scripting
language. If SSI tags can be injected into content that the Web server later serves with SSI
processing enabled, they will often be accepted and parsed by the Web server. Methods of
attacking this vulnerability are similar to those shown above for scripting language injection.
4.7 Miscellaneous Injection Tests
Since a Web application relies primarily upon the contents of headers, cookies and GET/POST
variables as input, the actions performed by the application that are driven by these variables
must be thoroughly examined. There is a potentially limitless scope of actions a Web application
may perform using these variables: open files, search databases, interface with other command
systems and, as is increasingly common in the Web services world, interface with other Web
applications. Each of these actions requires its own syntax and requires that input variables be
sanity-checked and validated in a manner specific to that syntax.
4.8 Path Traversal and URL Testing
A common use of Web applications is to act as a wrapper for files of Web content, opening
them and returning them wrapped in chunks of HTML. Once again, sanity checking is the
key. If the variable that specifies the file to be wrapped is not checked, a relative path
containing "../" sequences (or an absolute path) can be entered to read files outside the
intended directory. The check must be applied to the canonical, fully resolved path rather than
to the raw string, since encodings and alternate separators can hide the traversal.
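The wrapper pattern with and without that check, as an added example that is not code from the paper. It is Python on a POSIX filesystem: make_webroot() builds a constructed layout in a temporary directory (one legitimate page under the web root and an invented secret.cfg one level above it), wrap_vulnerable() joins the ?page= value onto the directory unchecked, wrap_safe() resolves the path with realpath and refuses anything outside the allowed directory, and probe_traversal() reports what each payload achieves against each version.

```python
import os
import tempfile


def make_webroot():
    """Constructed layout: a web root with one legitimate page, and a secret
    file one level above it that the application must never serve."""
    base = tempfile.mkdtemp()
    pages = os.path.join(base, "wwwroot", "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "about.html"), "w") as f:
        f.write("<p>About us</p>")
    with open(os.path.join(base, "secret.cfg"), "w") as f:
        f.write("db_password=hunter2")   # invented content, outside the web root
    return os.path.join(base, "wwwroot")


def wrap_vulnerable(root, page):
    """The blunder: the ?page= value is joined onto the directory unchecked.
    '../' climbs out of it, and an absolute value makes os.path.join discard
    the directory entirely."""
    with open(os.path.join(root, "pages", page)) as f:
        return "<html><body>%s</body></html>" % f.read()


def wrap_safe(root, page):
    """The fix: resolve the full path first (realpath follows '..' and symlinks),
    then require that the result still lies inside the allowed directory."""
    allowed = os.path.realpath(os.path.join(root, "pages"))
    target = os.path.realpath(os.path.join(allowed, page))
    if os.path.commonpath([allowed, target]) != allowed:
        raise PermissionError("path traversal attempt: %r" % page)
    with open(target) as f:
        return "<html><body>%s</body></html>" % f.read()


def probe_traversal(wrap, root, payloads):
    """Tester's view: per payload, was the file 'served', 'rejected' or 'missing'?"""
    outcome = {}
    for payload in payloads:
        try:
            wrap(root, payload)
            outcome[payload] = "served"
        except PermissionError:      # our traversal check (or an unreadable file)
            outcome[payload] = "rejected"
        except OSError:              # file absent, or a directory was named
            outcome[payload] = "missing"
    return outcome


# A legitimate page, a relative climb to the secret, and an absolute path.
PAYLOADS = ["about.html", "../../secret.cfg", "/etc/hostname"]


if __name__ == "__main__":
    root = make_webroot()
    print("vulnerable:", probe_traversal(wrap_vulnerable, root, PAYLOADS))
    print("safe:      ", probe_traversal(wrap_safe, root, PAYLOADS))
```

The safe version rejects the absolute payload before touching the filesystem, because realpath("/etc/hostname") does not share the allowed prefix; whether the vulnerable version serves it depends only on whether that file is readable on the host, which is exactly the point.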
4.9 Cookie Testing
Cookies are often used to authenticate users to an application. If the user's cookie is stolen
or captured, an attacker can impersonate that user. Cookies should be treated by the tester as
another form of user input and subjected to the same validation routines; the tester should also
verify the attributes with which authentication cookies are set, such as Secure (never sent over
plain HTTP) and HttpOnly (not readable by client-side script).
4.10 Session Security and Session-ID Testing

Session IDs maintain state for HTTP, an essentially stateless protocol. The penetration
tester should examine in detail the mechanism used to generate session IDs (are they
unpredictable, or derived from time, counters or user data?), how the IDs are being persisted,
and how this can be combined with client-side bugs (such as cross site scripting) to facilitate
replay attacks.
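Two of the checks from 4.9 and 4.10 in one added example (Python, not code from the paper): check_cookie_flags() reads a Set-Cookie header and lists the protective attributes it lacks, and analyze_session_ids() screens a sample of IDs for the weaknesses a tester looks for. weak_session_id(), epoch seconds plus a counter, is a constructed stand-in for the kind of generator one hopes not to find; secrets.token_urlsafe shows what an unguessable ID looks like. The cookie headers are constructed. The entropy figure is a crude lower bound estimated from the sample and capped by the sample size, so it is a screening heuristic, not a proof of strength.

```python
import math
import re
import secrets
from http.cookies import SimpleCookie


def check_cookie_flags(set_cookie_header):
    """Return {cookie_name: [missing protective attributes]} for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    report = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:      # may be sent over plain HTTP and sniffed
            missing.append("Secure")
        if not morsel["httponly"]:    # readable by script, so stealable via XSS
            missing.append("HttpOnly")
        report[name] = missing
    return report


def weak_session_id(counter, now):
    """Constructed weak generator: epoch seconds plus a per-server counter."""
    return "%d%04d" % (now, counter)


def strong_session_id():
    """What the fix looks like: 256 bits from the OS CSPRNG, opaque and unguessable."""
    return secrets.token_urlsafe(32)


def analyze_session_ids(ids):
    """Tester's screening checks on a sample of IDs issued by the application:
    positions that never change, a crude entropy estimate, and sequential drift."""
    length = len(ids[0])
    positions = [{sid[i] for sid in ids} for i in range(length)]
    fixed = sum(1 for p in positions if len(p) == 1)
    # Lower bound only: each position can show at most len(ids) distinct symbols,
    # so the estimate is capped by the sample size, not by the generator.
    est_bits = sum(math.log2(len(p)) for p in positions)
    sequential = False
    if all(re.fullmatch(r"\d+", sid) for sid in ids):
        diffs = [int(b) - int(a) for a, b in zip(ids, ids[1:])]
        sequential = max(diffs) - min(diffs) <= 1   # near-constant step: next ID is guessable
    return {
        "length": length,
        "uniform_length": all(len(s) == length for s in ids),
        "fixed_positions": fixed,
        "estimated_bits": round(est_bits, 1),
        "sequential": sequential,
        "predictable": sequential or est_bits < 64,
    }


if __name__ == "__main__":
    print(check_cookie_flags("sid=12345; Path=/"))                       # constructed header
    print(check_cookie_flags("sid=q7Zt...; Path=/; Secure; HttpOnly"))   # constructed header
    print("weak:  ", analyze_session_ids([weak_session_id(n, 1234567890) for n in range(1, 51)]))
    print("strong:", analyze_session_ids([strong_session_id() for _ in range(50)]))
```

For fifty consecutive IDs from the weak generator, twelve of fourteen characters never change and the rest step by one, so the report flags them as sequential and predictable; the CSPRNG tokens show no fixed positions and an estimate far above the 64-bit floor. A real test collects the sample by logging in repeatedly and harvesting the Set-Cookie header each time.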

5. Challenges in Application Security Testing

Organizations are now engaged in software development with increased attention to
application security issues during the SDLC. These are very positive developments, but it is our
thesis that these efforts can succeed only when accompanied by improvements in the
methodology and tools used in Web application security testing. This section identifies the
challenges particular to the Web application security testing trends discussed earlier.


• High-priority vulnerabilities: cost and legal exposure arise when testing is not thorough and
serious bugs are found only later, possibly by an attacker.
• Need to test hidden parts of the application
• Need to protect the application from willful damage
• The standard software release model is not designed for security testing
• Difficulty in automating security testing
• Difficulty in finding skilled testers with the right competencies, since the work spans a large
number of technologies across domains

6. Conclusion

In this paper we have attempted to identify the important trends and main challenges in
creating the right methodology for Web application security testing. We believe that a
skillful focus from the Chief Security Officer and higher management will help to mitigate the
challenges discussed above to an extent and to gain significant business benefit, justifying
substantial investment. Some challenges, however, must be dealt with over time and at a
priority that depends on the business investment and the security need.

7. Definitions, Abbreviation and Acronyms

Term: Description

Authentication: The process of confirming the correctness of a claimed identity.
Attack: An attempt to exploit a vulnerability in order to bypass or defeat a system's security controls.
Attacker: One who carries out an attack; in a penetration test, the tester plays this role.
Black box testing: Testing that is based on an analysis of the specification of the component without reference to its internal workings.
Brute force: A method of defeating a security scheme by trying a large number of possibilities.
Cross site scripting (XSS): A vulnerability, typically found in web applications, that allows a malicious user to inject script into the web pages viewed by other users.
Cryptographic attack: A technique for undermining an encryption scheme.
Cryptography: The discipline of transforming a message so that anyone who intercepts it cannot understand it without the key.
Encryption: Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.
Failure: The inability of a system or component to perform its required functions within specified performance requirements.
Fault: A manifestation of an error in software. A fault, if encountered, may cause a failure.
Hypertext transfer protocol (HTTP): The application-layer protocol of the Internet (TCP/IP) protocol family used to transport hypertext documents across an internet.
Negative requirements: Requirements that state what software should not do.
Requirement: A capability that must be met or possessed by the system/software (requirements may be functional or non-functional).
Risk assessment: The process by which risks are identified and the impact of those risks is determined.
SDLC: Software Development Life Cycle.
Security policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
Server: A system entity that provides a service in response to requests from other system entities called clients.
Session: A virtual connection between two hosts by which network traffic is passed; in a Web application, the server-side state associated with one user across several HTTP requests, usually keyed by a session ID.
SQL injection: An input validation attack specific to database-driven applications in which SQL code is inserted into application queries to manipulate the database.
Test case: A set of inputs, execution preconditions, and expected outcomes developed for a particular objective, such as to exercise a particular program path or to verify compliance with a specific requirement.
Test environment: A description of the hardware and software environment in which tests will be run and any other software with which the software under test interacts when under test, including stubs and test drivers.
Test plan: A record of the test planning process detailing the degree of tester independence, the test environment, the test case design techniques and test measurement techniques to be used, and the rationale for their choice.
Vulnerability: A defect or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
Web server: A software process that runs on a host computer connected to the Internet to respond to HTTP requests for documents from client web browsers.

8. References

Item: Description

[BLACK HAT 01] http://www.blackhat.com/html/bh-europe-01/bh-europe-01-speakers.html

[CGI 02] http://www.cgisecurity.com

[OWASP 03] http://owasp.org

[SANS 04] SANS Glossary of Terms Used in Security and Intrusion Detection

9. Acknowledgements

Name: Contribution

Pagolu Rahul: Technical review of the paper
Abdulghouse Mohammed: Technical review of the paper
Kuber Chopra: General review of the paper
M K Sreenivas: General review of the paper


10. Biography of the authors

Surendharan S:
Surendharan leads the Security Testing Service Offering at Satyam. He was responsible
for building the competency of that offering by incorporating security testing practices
into application testing at Qedge, Satyam's Independent Product and Application Testing Practice.

Surendharan has 3 years of experience in software testing: 2 years in application
security testing and 1 year of white box testing in the avionics and aerospace domain. He is
well versed in the security aspects of web applications and has good knowledge of web
application vulnerabilities and their mitigations. He is extensively trained in C and .NET.

Surendharan began his career at Satyam as a software engineer specializing in web design
and development in .NET, having graduated with a first class degree in Chemical Engineering
from Andhra University College of Engineering, Visakhapatnam, India. After a spell in
Chennai as a .NET developer, Surendharan moved into testing to become part of the then
newly formed Avionics Competency unit at Satyam, where he worked for a year as a software
test engineer in the embedded field, specializing in the DO-178B testing standard.
Surendharan then moved to Hyderabad into his current role as Application Security Test Lead.
