Web application security is the process of protecting websites and online services against
different security threats that exploit vulnerabilities in an application’s code. Common
targets for web application attacks are content management systems (e.g., WordPress),
database administration tools (e.g., phpMyAdmin) and SaaS applications.
Organizations failing to secure their web applications run the risk of being attacked.
Among other consequences, this can result in information theft, damaged client
relationships, revoked licenses and legal proceedings.
Why is web app security testing important?
Testing the security of a Web application often involves sending different types of input
to provoke errors and make the system behave in unexpected ways. These so-called
“negative tests” examine whether the system does something it isn’t designed to do.
It is also important to understand that Web security testing is not only about testing the
security features (e.g., authentication and authorization) that may be implemented in the
application. It is equally important to test that other features are implemented in a secure
way (e.g., business logic and the use of proper input validation and output encoding). The
goal is to ensure that the functions exposed in the Web application are secure.
Types of security tests
Cryptographic Failures
Cryptographic failures (previously referred to as “sensitive data exposure”) occur when data
is not properly protected in transit and at rest. Such failures can expose passwords, health
records, credit card numbers, and personal data.
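An added example for the at-rest side of this category (not code from the original document): a fast, unsalted hash used to store passwords, beside a salted, iterated PBKDF2 hash with constant-time verification. The iteration count, the `pbkdf2_sha256$...` record layout and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

def store_unsalted(password: str) -> str:
    """Weak at-rest protection: one fast, unsalted SHA-256 pass. Every user with
    the same password gets the same digest, so one precomputed table breaks all
    of them, and the digest is cheap to brute-force offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to the server's budget.
ITERATIONS = 600_000

def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Corrected form: a per-user random salt plus an iterated, slow KDF.
    Record layout (an assumption of this example): algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so that timing does not leak how many leading bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def same_password_same_record(store_fn, password: str = "correct horse") -> bool:
    """True when two users who choose the same password end up with identical
    stored values, the tell-tale sign of a missing salt."""
    return store_fn(password) == store_fn(password)

if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    print("unsalted collides:", same_password_same_record(store_unsalted))
    print("salted collides:  ", same_password_same_record(store_salted))
    record = store_salted("hunter2")
    print("verify right:", verify_salted("hunter2", record))
    print("verify wrong:", verify_salted("hunter3", record))
```

During a review, `same_password_same_record` is the quick check: if two accounts with the same password produce the same stored value, the storage is unsalted and belongs in this category regardless of which hash function was used.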
Injection (Including XSS, LFI, and SQL Injection)
Injection vulnerabilities enable threat actors to send malicious data to a web application’s
interpreter, which can cause that data to be compiled and executed on the server. SQL
injection is a common form of injection.
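A worked negative test, in the sense described earlier on this page, for the SQL injection case (an added example, not code from the original document): a user lookup built by string concatenation beside the same lookup with a bound parameter, both run against a constructed in-memory SQLite table. The table, the user names and the `negative_test` helper are assumptions made for this illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory users table (not from the document)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    """Builds the query by concatenation: the input can change the query's structure."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, username):
    """Binds the input as a parameter: the driver treats it only as a value, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def negative_test(lookup):
    """Send input that is not a plain username and check whether the lookup does
    something it is not designed to do: return rows other than the exact match,
    or fail on a legitimate value that happens to contain a quote."""
    conn = make_db()
    try:
        normal = lookup(conn, "bob")
        # A tautology in place of a name; a correct lookup must match nothing.
        hostile = lookup(conn, "x' OR '1'='1")
        try:
            lookup(conn, "o'brien")
            breaks_on_quote = False
        except sqlite3.Error:
            # An SQL error triggered by a quote is itself a finding: it shows the
            # input reaches the parser as part of the statement.
            breaks_on_quote = True
    finally:
        conn.close()
    return {
        "normal": normal,
        "hostile": hostile,
        "injectable": len(hostile) > 1,
        "breaks_on_quote": breaks_on_quote,
    }

if __name__ == "__main__":
    for fn in (find_user_vulnerable, find_user_safe):
        print(fn.__name__, negative_test(fn))
```

The two symptoms the test reports, extra rows on a tautology and an SQL error on an apostrophe, are what a tester looks for in responses; the fix is the parameterised form, not filtering quotes out of the input.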
What features should be reviewed during a web application security test?
Authorization. Testing the ability of the application to protect against vertical and horizontal privilege escalation.
Business logic. Business-logic tests are important to most applications that provide business functionality.
Client-side logic. With modern, JavaScript-heavy web pages, as well as pages built on other client-side technologies (e.g., Silverlight, Flash, Java applets), this type of feature is becoming more prevalent.
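An added example for the authorization item above (not code from the original document): an access check that enforces both the vertical rule (role) and the horizontal rule (ownership of the record), beside a check that only confirms the caller is logged in, with a small report that exercises both escalation paths. The roles, the actions, the `Invoice` record and the user names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    role: str  # assumed roles: "user" or "admin"

@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str  # name of the user the record belongs to

# Actions reserved for the admin role (the vertical boundary).
ADMIN_ONLY = {"delete_any_invoice"}

def authorize_weak(user: Optional[User], action: str, invoice: Invoice) -> bool:
    """Only checks that the caller is authenticated. Any logged-in user can
    read other users' records (horizontal) and run admin actions (vertical)."""
    return user is not None

def authorize(user: Optional[User], action: str, invoice: Invoice) -> bool:
    """Deny by default; allow only what the role and the record's owner permit."""
    if user is None:
        return False
    if action in ADMIN_ONLY:
        # Vertical control: privileged actions require the admin role.
        return user.role == "admin"
    if action == "view_invoice":
        # Horizontal control: regular users may only act on their own records.
        return user.role == "admin" or invoice.owner == user.name
    return False  # unknown action: no implicit permission

def escalation_report(authorize_fn) -> dict:
    """Constructed scenario: bob is a regular user, alice owns invoice 1.
    Each key is True when the check behaved correctly for that path."""
    bob = User("bob", "user")
    root = User("root", "admin")
    alice_invoice = Invoice(1, "alice")
    bob_invoice = Invoice(2, "bob")
    return {
        "own_record_allowed": authorize_fn(bob, "view_invoice", bob_invoice),
        "admin_allowed": authorize_fn(root, "delete_any_invoice", alice_invoice),
        "horizontal_blocked": not authorize_fn(bob, "view_invoice", alice_invoice),
        "vertical_blocked": not authorize_fn(bob, "delete_any_invoice", alice_invoice),
        "anonymous_blocked": not authorize_fn(None, "view_invoice", bob_invoice),
    }

if __name__ == "__main__":
    print("weak:  ", escalation_report(authorize_weak))
    print("strict:", escalation_report(authorize))
```

The report mirrors the two test cases the text names: the horizontal case swaps in another user's record identifier with an unchanged session, and the vertical case asks a regular session for an admin-only action. A check that passes only `own_record_allowed` and `anonymous_blocked` is authenticating, not authorizing.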