Copyright: STeP-IN Forum and Quality Solutions for Information Technology Pvt. Ltd.
Published with permission for restricted use in ‘STeP-IN SUMMIT 2009’ in agreement with
full copyrights from owner(s) / author(s) of material. All rights reserved. No part of this
publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording or otherwise without
the prior consent of the owner(s) / author(s). This edition is manufactured in India and is
authorized for distribution only during ‘STeP-IN SUMMIT 2009’ as per the applicable
conditions.
Produced By Hosted By
www.stepinforum.org www.qsitglobal.com
White Paper Submitted for STeP-IN SUMMIT 2009
Author(s):
Surendharan S
Designation: Business Analyst
Email: S_Surendharan@satyam.com
Introduction:
Companies today are extensively moving their mission-critical applications and data
into Web browsers. Unfortunately, the features that make browsers so convenient also make
them incredibly insecure. As a result, hackers are able to use web applications to penetrate
enterprises and access confidential information, and the resulting identity theft has
become a major concern to corporations and consumers alike.
An ineffective but highly prevalent approach to Web Application Security today is
merely to scan the application for vulnerabilities. To devise an effective methodology
for Web Application Security Testing, one should understand its unique trends and
challenges. This paper identifies these trends and challenges and thereby provides
information that can serve as useful input for testers on Security Testing projects.
Audience:
- Web Application Developers & Testers
- Web Designers
- Test Leads
Area of Application:
- Application Security Testing
Benefits:
- Faster Return on Investment on Security Testing for the application
- Enhanced coverage of the business-critical areas while testing for security
1. ABSTRACT
2. INTRODUCTION: A BRIEFING OF SOME CRITICAL VULNERABILITIES
3. CURRENT TRENDS FOR TESTING APPLICATION SECURITY
4. THE 10 BLUNDERS OF THE WEB: 10 TRENDS TO TEST FOR SECURITY
4.1 INPUT VALIDATION TESTS
4.2 INFORMATION GATHERING
4.3 THE BLACK BOX TESTING METHOD
4.4 INJECTION TESTS
4.5 CODE AND CONTENT INJECTION TESTS
4.6 SERVER SIDE INCLUDES (SSI) TESTS
4.7 MISCELLANEOUS INJECTION TESTS
4.8 PATH TRAVERSAL AND URL TESTING
4.9 COOKIE TESTING
4.10 SESSION SECURITY AND SESSION-ID TESTING
5. CHALLENGES IN APPLICATION SECURITY TESTING
6. CONCLUSION
7. DEFINITIONS, ABBREVIATIONS AND ACRONYMS
8. REFERENCES
9. ACKNOWLEDGEMENTS
10. BIOGRAPHY OF THE AUTHORS
STeP-IN SUMMIT 2009 Application Security Testing: Trends & Challenges Paper Publication
Security professionals have devoted a lot of time and energy identifying and correcting
vulnerabilities in operating systems and server administration setup. Because server security is
being hardened, hackers are forced to find alternative ways to hack into computing resources
to achieve their goals. So hackers are becoming knowledgeable about exploiting legitimate
avenues to gain access to computing resources, and the Web application has become their
target.
HTML source code information, such as programmer-created comments and passwords and IDs
embedded in the code, can help hackers better understand your system. The code and the
comments within it are not only helpful to the authorized programmer; they are equally
good information for a hacker trying to discern file paths and find other
opportunities.
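As an added example (not part of the original paper), the following Python check does what this section asks a tester to do: it pulls every HTML comment out of a page and flags those that carry credential-like keywords or server file paths. The sample page and the keyword list are constructed for the demonstration and should be tuned for the application under test.

```python
import re
from html.parser import HTMLParser

# Keywords that suggest a comment carries credentials, identifiers or leftover
# developer notes; tune this list for the application under test (assumed set).
SENSITIVE = re.compile(r"passw|pwd|secret|api[_-]?key|token|login|todo|fixme", re.I)
# Absolute Unix or Windows paths, which reveal the server's file layout.
PATH_LIKE = re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.-]+[\\/])+[\w.-]*")

class CommentCollector(HTMLParser):
    """Collect every <!-- ... --> comment in a page together with its line number."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _ = self.getpos()          # position of the comment's opening "<!--"
        self.comments.append((line, data.strip()))

def find_leaky_comments(html: str):
    """Return (line, comment_text, reasons) for comments a tester should review."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        reasons = []
        if SENSITIVE.search(text):
            reasons.append("credential or developer-note keyword")
        if PATH_LIKE.search(text):
            reasons.append("server file path")
        if reasons:
            findings.append((line, text, reasons))
    return findings

# Constructed sample page, not taken from any real application.
SAMPLE_PAGE = """<html><head><title>Login</title>
<!-- page header -->
</head><body>
<!-- TODO: remove test login admin / Password123 before release -->
<form action="/login" method="post">
<!-- include /var/www/app/include/db_config.inc -->
</form></body></html>"""

if __name__ == "__main__":
    for line, text, reasons in find_leaky_comments(SAMPLE_PAGE):
        print(f"line {line}: {text!r} -> {', '.join(reasons)}")
```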
Emphasis on software security issues gained some footing in 2005 [CGI02], and the new wisdom
is for enterprises to test applications for security in addition to functionality, performance, and
usability prior to deployment. The best place to start is where the attacker will: by
investigating and testing applications for security problems.
There are three main classes of software security testing tools: application scanning tools,
proxy-based tools, and automated penetration testing tools. Unfortunately, these tools are
difficult to compare in a meaningful way, and their use requires expertise in security, testing,
and the technologies used by the application. So, enterprises will need to either outsource this
testing or train quality assurance (QA) staff to be security testers. Testing application security
will allow organizations to fix or mitigate problems before attackers can find and exploit them.
The following sections focus on the areas where applications need to be probed and which
are frequent targets for potential hackers. Successfully probing these areas, along with
other forms of security testing at the design layer, network layer and data layer, helps
in building threat-free web applications. [OWASP 03]
Security testing is also referred to as 'Penetration testing'. Web application environments expose
data elements in a manner that fails to identify how they were captured and hence what kind
of validation and sanity checking should be applied. Because the Web "environment" is so
diverse and contains so many forms of programmatic content, input validation and sanity
checking are the key to Web application security. This involves both identifying and enforcing
the valid domain of every user-definable data element, and a sufficient understanding of
the source of all data elements to determine what is potentially user-definable. Based on the
type of application, its design and its functionality, the following tests can be performed
as applicable to test for security.
interface with other command systems and, as is increasingly common in the Web services
world, interface with other Web applications. Each of these actions requires its own syntax
and requires that input variables be sanity-checked and validated in a unique manner.
4.8 Path Traversal and URL Testing
A common use of Web applications is to act as a wrapper for files of Web content, opening
them and returning them wrapped in chunks of HTML. Once again, sanity checking is the
key. If the variable being read in to specify the file to be wrapped is not checked, a
relative path can be entered.
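The unchecked file-wrapper pattern described above, beside a sanity-checked version, as an added Python example that is not from the original paper. It assumes a content root of /var/www/content and a fixed set of allowed content extensions, and that the framework has already URL-decoded the request parameter; symbolic links inside the root are out of scope.

```python
import posixpath

# Constructed example: the wrapper serves files from this directory only (assumption).
CONTENT_ROOT = "/var/www/content"
ALLOWED_SUFFIXES = (".html", ".htm", ".txt")

def naive_content_path(root: str, requested: str) -> str:
    """The unchecked pattern from section 4.8: the request variable goes straight
    into the path, so '../../etc/passwd' escapes the content directory and an
    absolute path replaces the root entirely."""
    return posixpath.join(root, requested)

def resolve_content_path(root: str, requested: str):
    """Return the absolute file path if the request stays inside root and names
    an allowed content type; otherwise None. Expects an already URL-decoded value."""
    if not requested or "\x00" in requested or posixpath.isabs(requested):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # normpath collapses '..' segments; if the result no longer sits under root,
    # the request was a traversal attempt.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    # Enforce the valid domain of the file name: only wrappable content types.
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate

if __name__ == "__main__":
    for req in ("docs/about.html", "docs/../index.html", "../../etc/passwd",
                "/etc/passwd", "config.php"):
        print(f"{req!r:22} naive={naive_content_path(CONTENT_ROOT, req)!r:42} "
              f"checked={resolve_content_path(CONTENT_ROOT, req)!r}")
```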
4.9 Cookie Testing
Cookies are often used to authenticate users to an application. If the user's cookie is stolen
or captured, an attacker can impersonate that user. Cookies should be treated by the
tester as another form of user input and be subjected to the same validation routines.
4.10 Session Security and Session-ID Testing
Session IDs maintain state for HTTP -- an essentially stateless technology. The penetration
tester should examine in detail the mechanism used to generate Session IDs, how the IDs
are being persisted and how this can be combined with client-side bugs (such as cross site
scripting) to facilitate replay attacks.
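The following Python example is added here and is not from the original paper; it covers the points of sections 4.9 and 4.10 together. It issues session IDs from the OS random source, treats the incoming cookie as user input with a fixed valid domain before the session store is consulted, and includes the kind of check a tester runs over a sample of issued IDs to flag a predictable (sequential) generator. The ID format is an assumption of this example.

```python
import hashlib
import re
import secrets

# Session IDs are 32 random bytes from the OS CSPRNG, URL-safe base64 encoded,
# which is always 43 characters from this alphabet (assumed format).
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{43}")

def new_session_id() -> str:
    return secrets.token_urlsafe(32)

def is_well_formed_session_id(cookie_value) -> bool:
    """The cookie is user input: enforce its valid domain (exact length and
    alphabet) before it reaches the session store."""
    return isinstance(cookie_value, str) and SESSION_ID_RE.fullmatch(cookie_value) is not None

def _store_key(session_id: str) -> str:
    # Keep only a hash of the ID server-side, so a copied store cannot be replayed.
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user: str) -> str:
        session_id = new_session_id()
        self._sessions[_store_key(session_id)] = user
        return session_id

    def user_for_cookie(self, cookie_value):
        if not is_well_formed_session_id(cookie_value):
            return None          # malformed cookie: reject without touching the store
        return self._sessions.get(_store_key(cookie_value))

    def invalidate(self, cookie_value) -> None:
        if is_well_formed_session_id(cookie_value):
            self._sessions.pop(_store_key(cookie_value), None)

def ids_look_sequential(sample) -> bool:
    """Tester's check on a sample of issued IDs: decimal values that step by a
    constant non-zero increment are predictable and must be flagged."""
    try:
        values = [int(s) for s in sample]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 not in steps
```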
- High-Priority Vulnerabilities: Cost-sensitive and legal issues arise when the testing done is
not robust and some bugs are not found until later.
- Need to test hidden parts of the application
- Need to protect the application from willful damage
- The standard Software Release Model is not designed for Security Testing
- Difficulty in automating Security Testing
- Difficulty in finding skilled testers with the right competencies, since security testing
deals with a large number of technologies across domains.
6. Conclusion
In this paper we have attempted to identify the important trends and main challenges in
creating the right methodology for doing Web Application Security Testing. It is believed that a
skillful focus from the Chief Security Officer and higher management will help in mitigating
the challenges discussed above to an extent, and help to gain significant business, justifying
substantial investment. However, some challenges must be dealt with over time, at a priority
that depends on the business investment and the security need.
Term: Description
Authentication: The process of confirming the correctness of the claimed identity.
Attack: A vulnerability that has been dangerously exploited.
Attacker: One who simulates an attack.
Black box testing: Testing that is based on an analysis of the specification of the component without reference to its internal workings.
Brute force: A method of defeating a secured scheme by trying a large number of possibilities.
Cross site scripting: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users.
Cryptographic attack: A technique for successfully undermining an encryption scheme.
Cryptography: Cryptography garbles a message in such a way that anyone who
8. References
Item Description
[SANS 04] SANS Glossary of Terms Used in Security and Intrusion Detection
9. Acknowledgements
Name Description
Pagolu Rahul Technical Review of the paper
Abdulghouse Mohammed Technical Review of the paper
Kuber Chopra General Review of the paper
M K Sreenivas General Review of the paper
Surendharan S:
Surendharan leads the Security Testing Service Offering at Satyam. He was responsible
for building the service offering competency by incorporating security testing practices into
applications at Qedge, Satyam's Independent Product and Application Testing Practice.
Surendharan has 3 years' experience in software testing, with 2 years in Application
Security testing and 1 year of white box testing in the Avionics and Aerospace
domain. He is well versed in the security aspects of web applications and has good
knowledge of Web Application Vulnerabilities and their mitigations. He is extensively
trained in C and .NET.
Surendharan began his career at Satyam as a software engineer specializing in web
design and development in .NET, having graduated with a first class degree in Chemical
Engineering from Andhra University College of Engineering, Visakhapatnam, India.
After a spell in Chennai, where he worked as a .NET developer, Surendharan moved to
the testing space to become part of the then newly formed Avionics Competency unit at
Satyam. He worked there as a Software Test Engineer in the embedded field, specializing
in the DO-178B testing standard, for a year. Surendharan then moved to Hyderabad to take
up his current role as Application Security Test Lead.