
Web Application Security

• WHAT IS WEB APPLICATION SECURITY
• WHY IS WEB APP SECURITY TESTING IMPORTANT
• TYPES OF SECURITY TESTS
• TOP 3 WEB APPLICATION SECURITY RISKS
• WHAT FEATURES SHOULD BE REVIEWED DURING A WEB APPLICATION SECURITY TEST
What is web application security

• Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.
• Organizations failing to secure their web applications run the risk of being attacked. Among other consequences, this can result in information theft, damaged client relationships, revoked licenses and legal proceedings.
Why is web app security testing important

• Testing the security of a web application often involves sending different types of input to provoke errors and make the system behave in unexpected ways. These so-called “negative tests” examine whether the system does something it isn’t designed to do.
• It is also important to understand that web security testing is not only about testing the security features (e.g., authentication and authorization) that may be implemented in the application. It is equally important to test that other features are implemented in a secure way (e.g., business logic, proper input validation and output encoding). The goal is to ensure that the functions exposed in the web application are secure.
Types of security tests

• Dynamic Application Security Testing (DAST)
DAST tools assist black-box testers in executing the application and inspecting its behaviour at runtime. They help detect issues that may represent security vulnerabilities. DAST can help identify issues in requests and responses, memory leakage, authentication, cookie and session handling, execution of third-party components, DOM injection, and data injection.
• Static Application Security Testing (SAST)
SAST tools assist white-box testers in inspecting the inner workings of applications. SAST can help find issues such as syntax errors, input validation issues, invalid or insecure references, or math errors in non-compiled code. Binary and byte-code analyzers can be used to apply SAST to compiled code.
• Runtime Application Self-Protection (RASP)
RASP technology analyzes user behavior and application traffic at runtime. It aims to detect and prevent cyber threats by gaining visibility into the application’s code as it executes and analyzing vulnerabilities and weaknesses as they are exercised. RASP tools can identify security weaknesses that have already been exploited, terminate the offending sessions, and issue alerts to provide active protection.
Top 3 Web Application Security Risks

• Broken Access Control
Broken access control allows attackers and ordinary users to gain unauthorized access and privileges. The most common issues are:
  • It enables attackers to gain unauthorized access to user accounts and act as administrators or regular users.
  • It provides users with unauthorized privileged functions.
You can remediate this issue by implementing strong access-control mechanisms that ensure each role is clearly defined with isolated privileges.
• Cryptographic Failures
Cryptographic failures (previously referred to as “sensitive data exposure”) occur when data is not properly protected in transit and at rest. They can expose passwords, health records, credit card numbers, and personal data.
• Injection (Including XSS, LFI, and SQL Injection)
Injection vulnerabilities enable threat actors to send malicious data to a web application interpreter, which can cause that data to be parsed and executed as commands on the server. SQL injection is a common form of injection.
What features should be reviewed during a web application security test

• Application and server configuration. Potential defects are related to encryption/cryptographic configurations, web server configurations, etc.
• Input validation and error handling. SQL injection, cross-site scripting (XSS), and other common injection vulnerabilities are the result of poor input and output handling.
• Authentication and session management. Vulnerabilities here can result in user impersonation. Credential strength and protection should also be considered.
• Authorization. Testing the ability of the application to protect against vertical and horizontal privilege escalation.
• Business logic. Flaws here matter to most applications that provide business functionality.
• Client-side logic. With modern, JavaScript-heavy webpages, in addition to webpages using other types of client-side technologies (e.g., Silverlight, Flash, Java applets), this type of feature is becoming more prevalent.
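Added example (not from the original slides) serving both the Broken Access Control risk above and the Authorization review item here: a role model in which each role has an explicit, isolated privilege set, an object lookup that trusts the request's identifier (the "before"), and the fixed lookup that applies a vertical check (does the role permit this action?) and a horizontal check (does this caller own this record?). The roles, privilege names, invoice records and user ids are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed role model: each role has its own isolated set of privileges and
# nothing is granted by default, so an unknown role can do nothing.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "user":    {"invoice:read_own", "invoice:create"},
    "support": {"invoice:read_any"},
    "admin":   {"invoice:read_any", "invoice:delete_any", "user:manage"},
}


@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: int


class AccessDenied(PermissionError):
    """Raised instead of returning data, so a caller cannot forget to check a flag."""


# Constructed invoice store: invoice 1 belongs to user 1, invoice 2 to user 2.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(invoice_id=1, owner_id=1, total=120),
    2: Invoice(invoice_id=2, owner_id=2, total=75),
}


def has_privilege(principal: Principal, privilege: str) -> bool:
    """Vertical check: the role must explicitly hold the privilege."""
    return privilege in ROLE_PRIVILEGES.get(principal.role, set())


def authorize_invoice_read(principal: Principal, invoice: Invoice) -> bool:
    """Read is allowed for roles that may read any invoice, or for roles that may
    read their own invoices when the record's owner is the caller (horizontal check)."""
    if has_privilege(principal, "invoice:read_any"):
        return True
    return has_privilege(principal, "invoice:read_own") and invoice.owner_id == principal.user_id


def authorize_invoice_delete(principal: Principal) -> bool:
    """A privileged function: only roles holding the delete privilege qualify."""
    return has_privilege(principal, "invoice:delete_any")


def get_invoice_vulnerable(invoice_id: int) -> Invoice:
    """The 'before': the lookup never asks who is calling, so changing the id in
    the request returns someone else's record."""
    return INVOICES[invoice_id]


def get_invoice(principal: Principal, invoice_id: int) -> Invoice:
    """The fix: the decision is made against the caller and the specific record."""
    invoice = INVOICES.get(invoice_id)
    # One error for both 'missing' and 'not yours', so ids cannot be enumerated
    if invoice is None or not authorize_invoice_read(principal, invoice):
        raise AccessDenied(f"invoice {invoice_id}")
    return invoice


def delete_invoice(principal: Principal, invoice_id: int) -> None:
    if not authorize_invoice_delete(principal):
        raise AccessDenied(f"delete invoice {invoice_id}")
    INVOICES.pop(invoice_id, None)


if __name__ == "__main__":
    alice = Principal(user_id=1, role="user")
    bob = Principal(user_id=2, role="user")
    print(get_invoice(alice, 1).total)          # 120: own record
    print(get_invoice_vulnerable(1).total)      # 120 for anyone: no check at all
    try:
        get_invoice(bob, 1)                     # horizontal escalation attempt
    except AccessDenied as exc:
        print("denied:", exc)
    try:
        delete_invoice(alice, 1)                # vertical escalation attempt
    except AccessDenied as exc:
        print("denied:", exc)
```

When testing an application for this class of issue, the two cases to exercise are exactly the two failing calls in the usage section: a regular user reaching another user's record (horizontal) and a regular user invoking an administrator-only function (vertical).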
