Security testing is a set of measures taken to secure an application against unforeseen actions that could cause it to stop or to expose data. These actions can be intentional (caused by hackers) or unintentional. So, apart from the obvious reasons why you should make sure your application is not vulnerable, at the organizational level you have:
- Corporate responsibility
- Regulatory bodies
And from the technical point of view:
- Non-repudiation
So, what should you do when creating security tests?
Seek permission before you start, then learn on sandbox applications or virtual machines, not on real environments. Stay focused while running the tests, and prepare threat modelling/survey sessions in advance.
Web security vulnerabilities are prioritized according to their exploitability, detectability and impact on the software.
- What is needed to exploit the security vulnerability?
Exploitability is highest when the attack needs only a web browser and lowest when it needs advanced programming and tools.
- How easy is it to detect the threat?
Detectability is highest when the information is displayed in the URL, cookies, a form or an error message, and lowest when it is only visible in the source code.
- How much damage will be done if the security vulnerability is exposed or attacked?
Impact is highest for a complete system crash and lowest when there is no damage at all.
There is a range of techniques for analyzing the security of an application, for example:
- Data flow diagrams
- Threat categorization
- Trust levels
You need to understand how the data is handled at every level, and what assets you want to protect; these can be physical or abstract:
- Customer data/client
- Corporate data
Threat Modelling – STRIDE
- Information Disclosure
- Denial of service
- Elevation of privilege
There are many ways to check whether your application is vulnerable, for example:
- User Inputs
- Error messages
- Files and attachments
- Request/Response headers
- Insecure User Credentials
If you want to test for injection flaws, for example, you can do so by submitting untrusted data. Injection is very common and easy to exploit, and it causes extremely damaging problems if not fixed. It can affect UI elements, URLs, request parameters and cookies. Examples of injection are SQL Injection and Cross-Site Scripting.
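To make the "submit untrusted data" check concrete, here is an added example (not code from the original article) that contrasts a query built by string concatenation with a parameterised one, and a template that echoes a name raw with one that escapes it. The in-memory `users` table, the user names and the functions `find_user_vulnerable`, `find_user_safe`, `render_greeting_vulnerable` and `render_greeting_safe` are all constructed for this illustration.

```python
import html
import sqlite3

# Constructed in-memory table so the example runs offline (example data only).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: untrusted input is spliced straight into the SQL
    # text, so quote characters in `name` change the statement's structure.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver passes the value separately from the SQL,
    # so the same input is only ever compared as a literal string.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def render_greeting_vulnerable(name: str) -> str:
    # Deliberately vulnerable: user-controlled text is inserted into HTML unescaped.
    return f"<p>Hello {name}</p>"

def render_greeting_safe(name: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser shows the
    # text instead of interpreting it as markup.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

def injection_test_report() -> dict:
    # A minimal security test: the same untrusted inputs against both variants.
    conn = make_db()
    sql_probe = "' OR '1'='1"
    xss_probe = "<script>alert(1)</script>"
    return {
        "sql_vulnerable_rows": len(find_user_vulnerable(conn, sql_probe)),
        "sql_safe_rows": len(find_user_safe(conn, sql_probe)),
        "xss_vulnerable_has_tag": "<script>" in render_greeting_vulnerable(xss_probe),
        "xss_safe_has_tag": "<script>" in render_greeting_safe(xss_probe),
    }

if __name__ == "__main__":
    print(injection_test_report())
```

The report shows the point of the test: the concatenated query returns every row for a name nobody has, while the parameterised one returns none, and only the escaped template keeps the probe from appearing as a live tag.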
Broken Authentication and Session Management
Insecure session management can lead to session hijacking, spoofing or fixation, and to escalation of privilege. It is fairly common and simple to exploit, but can have a wide-ranging and damaging impact. It can affect session tokens, user credentials and request parameters.
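The following added example (not from the original article) shows the session-token handling a tester would look for when checking against hijacking and fixation: tokens drawn from a cryptographic random source, a fresh token issued at login so a pre-authentication id is never upgraded, an idle timeout, and the cookie attributes that keep the token away from scripts and plain-HTTP requests. The `SessionStore` class, the `IDLE_TIMEOUT` value and the injectable `clock` are assumptions made for this illustration.

```python
import secrets
import time

SESSION_BYTES = 32          # 256 bits of randomness per token (assumed policy)
IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session expires (assumed)

class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        # `clock` is injectable so tests can advance time deterministically.
        self._sessions = {}
        self._clock = clock

    def _new_token(self) -> str:
        # secrets (not random) so the id cannot be predicted from earlier ones.
        return secrets.token_urlsafe(SESSION_BYTES)

    def create(self) -> str:
        """Anonymous session, e.g. for a shopping basket before login."""
        sid = self._new_token()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Authenticate and rotate the id; the old id stops working immediately."""
        # Dropping the pre-login id defeats fixation: an id planted in the
        # victim's browser before login is never promoted to an authenticated one.
        self._sessions.pop(old_sid, None)
        new_sid = self._new_token()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid: str):
        """Return the logged-in user for `sid`, or None if unknown, anonymous or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # expired: remove so it cannot be revived
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

def set_cookie_header(sid: str) -> str:
    # HttpOnly keeps the token out of document.cookie (limits XSS theft),
    # Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending.
    return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("rotated:", anon != authed, "user:", store.lookup(authed))
    print(set_cookie_header(authed))
```

When reviewing a real application, the same four properties are what to verify: token source, rotation on privilege change, expiry, and cookie flags.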
- Browser Add-ons:
- SQL Injection:
- Zed Attack Proxy (free; passive and active scanning, spiders, fuzzers, decrypters and an API)