8 tips for security testing web applications
Web applications offer a range of benefits for developers. Web apps don’t need to be installed, they work across platforms, and there’s no burden on the user to update. However, native apps afford developers far tighter control over the experience, and they’re also generally easier to secure. The native apps versus web apps argument continues, but hybrid apps, which combine elements of the two, are growing ever more popular.
By Simon Hill.
A lot of sensitive data passes through web apps every day. If you want to make sure that data doesn’t fall into the wrong hands, then you have to take security testing seriously. To do that effectively, you’ll need to take a different approach than you normally would with functional testing: instead of checking that the app does what it should, you are checking what it can be made to do that it shouldn’t. Hopefully, these tips will help you secure your web apps.
Channeling an attacker
Try to get into the mindset of a potential attacker. Just as you try to emulate the end user when software testing, with security testing you want to emulate an attacker. It’s fair to assume that they’ll seek entry via the path of least resistance. Start with the most common methods and attack scenarios. But it’s important to remember that nothing’s off the table, because an attacker will do anything that will get them the data they want.
Assessing your app
Analyse your app as an attacker might. What are all the different technologies that have been employed to make it work: the framework, the libraries, the database, the web server and any third-party services? What are the different levels of access that users can be granted, and where is each one enforced? How is data accessed and stored, and which of it is sensitive? You want to identify potential weak points and cross-reference them with common types of attack.
Password safety
The easiest way for any attacker to gain access is probably going to be through a weak or reused password rather than through a clever exploit. Is there any prospect of them guessing username and password combinations, or using a tool to try thousands of them (including passwords leaked from other sites) without being slowed down or locked out? Is your app enforcing strong passwords, and are session cookies marked Secure and HttpOnly so they can’t be read over plain HTTP or by injected script? Passwords should never be stored in plain text, and they should not be encrypted either, because anyone with the key can recover them: store only a salted hash produced by a slow, purpose-built password hashing function such as bcrypt, scrypt or Argon2, so that a stolen database doesn’t hand the attacker every account.
SQL injection
Can attackers input malicious SQL statements into a text entry field, a URL parameter or a cookie and extract the contents of your database? Sometimes they don’t even need to see the data directly: a detailed database error message shown in the browser tells them the query structure and confirms the injection is working. If you don’t take the right precautions, chiefly using parameterised queries (prepared statements) instead of building SQL strings out of user input, they’ll be able to read, add, modify or delete records in your SQL-based database using this common web app vulnerability. Test every input that reaches a query, not just login forms.
URL manipulation
It’s very easy to edit the URL string in a browser. If your security is lacking, this simple method could be used to expose sensitive data or redirect your users. Two checks matter most. First, change the identifiers in the URL (an account number, an order ID, a role parameter) and confirm that the server checks the logged-in user is allowed to see that object, rather than trusting that the ID came from a page you generated. Second, look at any parameter that tells the app where to send the user next after login or logout. One of the biggest dangers online is fake websites which look like the real thing, but are in fact designed to install malware on the user’s machine or to trick them into handing over personal information, and an open redirect on your domain lets an attacker send a victim there via a link that starts with your trusted address. Test to make sure that attackers can’t manipulate URLs to gain access to restricted areas and data, or to redirect users from your legitimate website to their fake version.
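As an added example that is not part of the original article, the block below implements both checks: a redirect-target validator that accepts only relative paths or an allowlisted host, and an object lookup that enforces ownership. The host allowlist, the document store and the user names are constructed for the demonstration. The validator also covers tricks browsers accept but naive string checks miss, such as protocol-relative `//host` links, backslashes and embedded userinfo.

```python
from urllib.parse import urlsplit

# Assumed: the hosts this application is allowed to send users to.
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "www.example.com"}

# Constructed data standing in for a documents table with an owner column.
DOCUMENTS = {
    101: {"owner": "alice", "body": "Alice's invoice"},
    102: {"owner": "bob", "body": "Bob's medical record"},
}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Accept only same-site relative paths or absolute http(s) URLs on an allowed host."""
    if not target:
        return False
    # Browsers ignore embedded tabs/newlines ("java\nscript:") and treat "\" like "/",
    # so normalise the same way before parsing.
    cleaned = "".join(ch for ch in target.strip() if ch not in "\t\r\n").replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, etc.
    if parts.netloc:
        # hostname strips userinfo and port, so "http://app.example.com@evil.example/"
        # is judged by the real host, evil.example.
        return parts.hostname in allowed_hosts
    # No host: must be an ordinary path, not a protocol-relative "//host" link.
    return cleaned.startswith("/") and not cleaned.startswith("//")


def fetch_document(current_user: str, doc_id: int):
    """Return the body only if the record exists and belongs to the caller.

    Missing and forbidden both return None so an attacker iterating IDs
    cannot tell which IDs exist (no information leak via the response).
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        return None
    return doc["body"]


if __name__ == "__main__":
    for candidate in ["/account", "https://app.example.com/home", "//evil.example",
                      "/\\evil.example", "javascript:alert(1)",
                      "http://app.example.com@evil.example/"]:
        print(candidate, "->", is_safe_redirect(candidate))
    print(fetch_document("alice", 101))   # Alice's invoice
    print(fetch_document("alice", 102))   # None: belongs to bob
```

The redirect check is deliberately an allowlist: a denylist of bad hosts or schemes is exactly what the encoding tricks above are built to bypass. For the ownership check, make the same decision on every route that touches the object (view, edit, download, API), because attackers test each one separately.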
Cross site scripting
If an attacker can inject malicious scripts into your website or web app, then they can potentially use your app as a delivery method. You may be unwittingly helping them to get that malicious script onto your customers’ computers, running with your site’s cookies and privileges. If your web app reflects or stores user input and writes it into a page without encoding it for the place it lands (HTML body, attribute value, JavaScript string or URL), then the attacker can insert a string that will be executed by your user’s browser. Many different types of cross site scripting (XSS) attacks can be used to embed malicious scripts: reflected (the payload arrives in the request and is echoed back), stored (it is saved and served to every visitor) and DOM-based (client-side script itself writes the untrusted data into the page). Input validation helps, but output encoding in the correct context is the control that actually stops it.
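Here is an added example (not from the original article) contrasting a comment renderer that concatenates raw input with one that encodes for the HTML context. The template, the author and comment strings and the two payloads are constructed for the demonstration. The second payload shows why the attribute context needs quotes escaped, not just angle brackets.

```python
import html

# Constructed payloads: one targets element content, the other breaks out of an attribute.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'


def render_comment_vulnerable(author: str, text: str) -> str:
    """Deliberately vulnerable: raw strings are pasted into the markup."""
    return '<div class="comment" data-author="' + author + '"><p>' + text + "</p></div>"


def render_comment_safe(author: str, text: str) -> str:
    """Encode for the HTML context. quote=True also escapes both quote characters,
    which is what keeps the attribute value from closing early."""
    return '<div class="comment" data-author="{}"><p>{}</p></div>'.format(
        html.escape(author, quote=True),
        html.escape(text, quote=True),
    )


def looks_executable(rendered: str) -> bool:
    """Cheap test oracle: does the rendered page still contain a live tag or event handler?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    bad = render_comment_vulnerable(ATTRIBUTE_PAYLOAD, SCRIPT_PAYLOAD)
    good = render_comment_safe(ATTRIBUTE_PAYLOAD, SCRIPT_PAYLOAD)
    print(bad)    # the script tag and the injected onmouseover handler are intact
    print(good)   # &lt;script&gt; ... and data-author="&quot; onmouseover=&quot;alert(1)"
    print(looks_executable(bad), looks_executable(good))  # True False
```

`html.escape` is only correct for HTML element content and quoted attribute values. Data written into a `<script>` block, a CSS property or an `href` needs the encoder for that context, and an `href` additionally needs a scheme check so a `javascript:` URL is never emitted. When testing, submit each payload through every input and then check the page source (not just the rendered view) for the unencoded string.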
Security misconfiguration
You could be giving attackers an easy way in by using out of date software or providing informative error messages that reveal stack traces, file paths or software versions. When unnecessary features, sample applications, directory listings and default accounts are left enabled, they can be exploited. In the rush to develop new web apps, unfamiliarity with the technology being used can lead to unpatched flaws and misconfigurations, such as a framework left in debug mode in production. This easily remedied problem makes it very easy for attackers to gain access. If, for example, default accounts are still accessible, an attacker could get into your data without you spotting it, because the login looks legitimate in your logs.
Keep reading
These are just a few of the things you have to consider when security testing web apps. A good resource to find more common attacks is OWASP. Start with the OWASP Top 10, but bear in mind that security is an ongoing battle and new dangers emerge all the time. It’s important to keep up to date. At the time of writing, OWASP is in the process of updating the Top 10 for 2016. There are many other free resources and tools online that can help you test your web app’s security.