What is security testing?
Security testing is a non-functional testing process used to determine whether the data held by an information system is secure and protected. It also verifies that only authorized users can log in to the system and that no information leaks to unauthorized parties. Testers use a wide range of tools for this, such as Metasploit, Wireshark, w3af, Netsparker and OWASP Zed Attack Proxy (ZAP).
Why do we need security testing?
- To gain customer trust
- To avoid revenue impact
- To avoid website downtime
- To reduce cost by securing the application against future attacks
Principles of Security Testing
- Authentication: The system should verify that a user (or a calling system) really is who they claim to be before granting access, for example by checking credentials.
- Authorization: Each user should be given access only to the functions and data they are permitted to use; authentication alone is not enough.
- Confidentiality: Data inside the system should be protected from disclosure to anyone not authorized to see it, both at rest and in transit.
- Integrity: Application data cannot be altered, in storage or in transit, without the change being detected.
- Non-repudiation: Once data is sent or received, neither the sender nor the receiver can later deny having done so.
Common security threats and techniques
- SQL Injection: Malicious SQL fragments are supplied through text fields or URL parameters and end up inside a query the application runs, so the attacker can read critical information from the database, bypass authentication or gain other unauthorized access.
For example: if submitting a single quote in a field produces a database error, the input is reaching the query unescaped. The application should treat such input as data (using parameterized queries) rather than building the query from strings, and should not expose raw database errors to the user.
- Cross-site scripting (XSS): Attackers inject client-side script into web pages, typically by tricking a user into following a crafted link or by storing the payload where other users will view it, and the script then runs in the victim's browser. Simply rejecting input that contains <html> or <script> is not sufficient, because many other tags and attributes (for example event handlers) can carry script; the reliable defence is to encode all untrusted data when it is written into the page.
- URL manipulation: Attackers edit the query-string parameters of a GET request, which carry information between client and server, in order to retrieve data or reach pages they are not authorized for. A secure application validates every parameter on the server side and never trusts a client-supplied identifier on its own.
- Brute force attack: Using automated software (for example JMeter or a dedicated tool), an attacker tries a large number of username and password combinations to gain access. A secure system should limit or lock out repeated and frequent login attempts.
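The following is an added example, not code from the original page, that shows two of the threats above in working Python: a login function that builds its SQL by string concatenation beside the parameterized version, the single-quote probe a tester would run against each, and the "reject <script>" XSS filter beside output encoding. The users table, credentials and payloads are constructed sample data, and the function names are assumptions for this example.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory database with a small users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string formatting: whatever the user types becomes SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterized query: the driver keeps the values separate from the SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def single_quote_probe(login_fn, conn):
    """The tester's check from the text: submit a lone single quote and report
    whether the application raises a database error, which indicates the input
    reached the query unescaped."""
    try:
        login_fn(conn, "'", "pw")
        return False
    except sqlite3.OperationalError:
        return True


# Constructed payloads: the first comments out the password check, the second
# carries script without using a <script> or <html> tag.
SQLI_PAYLOAD = "alice' --"
XSS_BYPASS_PAYLOAD = "<img src=x onerror=alert(1)>"


def naive_xss_filter(text):
    """The 'reject <html>/<script>' approach: other tags with event handlers pass through."""
    return "" if re.search(r"<\s*(script|html)\b", text, re.I) else text


def render_safe(text):
    """Output encoding: the browser displays the payload as text instead of parsing it as markup."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, SQLI_PAYLOAD, "wrong"))
    print("safe login with payload:      ", login_safe(db, SQLI_PAYLOAD, "wrong"))
    print("quote probe (vulnerable):", single_quote_probe(login_vulnerable, db))
    print("quote probe (safe):      ", single_quote_probe(login_safe, db))
    print("naive filter lets through:", naive_xss_filter(XSS_BYPASS_PAYLOAD))
    print("encoded output:           ", render_safe(XSS_BYPASS_PAYLOAD))
```

Running the block shows that the vulnerable login accepts `alice' --` with a wrong password while the parameterized version does not, that the single-quote probe only errors against the vulnerable function, and that the `<img onerror>` payload survives the tag filter but is neutralized by encoding.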
ZAP Penetration Testing
ZAP (Zed Attack Proxy) is an open source penetration testing tool, started as an OWASP project, for finding vulnerabilities in web applications. It sits between the tester's browser and the web application as an intercepting proxy: it captures each request and response passing between them, lets the tester inspect and modify the contents, and then forwards the (possibly altered) message on to its destination.
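To make the intercept-modify-forward idea concrete, here is an added example (not ZAP's code or any code from the original page) that does in memory what an intercepting proxy does on the wire: parse a raw HTTP request, let a hook tamper with it, and re-serialize it with a corrected Content-Length. The two requests are constructed samples and the host, paths and parameter names are assumptions; a real proxy like ZAP additionally handles sockets and TLS, which are left out here.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample requests, as a browser might send them through the proxy.
RAW_POST = (
    b"POST /account/update HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user=alice&role=viewer"
)
RAW_GET = (
    b"GET /orders?id=1001 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw request into its request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def serialize_request(req):
    """Rebuild the bytes that would be forwarded to the server."""
    head = "%s %s %s\r\n" % (req["method"], req["target"], req["version"])
    head += "".join("%s: %s\r\n" % (n, v) for n, v in req["headers"])
    return head.encode("iso-8859-1") + b"\r\n" + req["body"]


def set_header(req, name, value):
    """Replace a header in place if present, otherwise append it."""
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return req
    req["headers"].append((name, value))
    return req


def tamper_form_field(req, field, new_value):
    """Edit one field of a form-encoded body and fix Content-Length to match."""
    params = dict(parse_qsl(req["body"].decode("iso-8859-1"), keep_blank_values=True))
    params[field] = new_value
    req["body"] = urlencode(params).encode("iso-8859-1")
    return set_header(req, "Content-Length", str(len(req["body"])))


def tamper_query_param(req, field, new_value):
    """Edit one query-string parameter of the request target (URL manipulation)."""
    path, _, query = req["target"].partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    params[field] = new_value
    req["target"] = path + "?" + urlencode(params)
    return req


def intercept(raw, hook):
    """Proxy pipeline: parse, hand the request to the tester's hook, re-serialize."""
    return serialize_request(hook(parse_request(raw)))


def forged_post():
    return intercept(RAW_POST, lambda r: tamper_form_field(r, "role", "admin"))


def forged_get():
    return intercept(RAW_GET, lambda r: tamper_query_param(r, "id", "1002"))


if __name__ == "__main__":
    print(forged_post().decode())
    print(forged_get().decode())
```

The POST hook changes `role=viewer` to `role=admin` and updates Content-Length from 22 to 21, exactly the kind of edit a tester makes in ZAP's request editor to check that the server enforces authorization rather than trusting the form; the GET hook is the URL manipulation test described earlier, stepping an order id to see whether another user's record is returned.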