Friday, June 18, 2010

Security Testing

Security Testing
Security testing is the type of testing which validates that the system has no loophole that would allow unauthorized access to the data or to any part of the system.
Every software product should undergo a security test. It is often observed during the software development process that developers follow shortcuts to save time, and these speedy coding practices leave the product open to data theft.

Security testing on web applications.
Securing a web application can be an altogether different job. If the data in the source is highly confidential and needs to be protected from unauthorized access, then the application needs to go through a high level of security testing.
Most web applications are equipped with role/authorization functionality.

Let us say we have a huge website with many people using it.
Users of the website may vary in their profile, i.e. there may be customers, sellers, re-sellers, administrators, inventory managers, advertisers and many more.

It is not good practice to give each kind of user a different website and a different login.
The whole product is developed in different sections; we then introduce roles, each of which has different authorizations to those sections.

Let us say we have a role named customer. This role will have authorizations to the sections or pages which are developed for customer use.
For sellers we will have a different role, which will have authorizations to the seller pages on the website.

Whenever a user logs in to the system with his/her credentials, only those parts of the system which are allocated to his role are accessible to him.
The tester has to ensure that the role-by-authorization matrix is validated for every combination.
The tester should deliver a test matrix to the client for validating that the role/authorization functionality is working fine on the system.

Most common terms used in security testing

Login Testing
Testing user login credentials is a security testing scenario. Users should be able to log in to the application successfully using their password.
The tester needs to check that the system locks the account after 3 or 5 incorrect login requests.
A proper message should be displayed to users in case any access or login related problem occurs.
If either attribute, username or password, is wrong, the system should not say "please check your username" or "please check your password". It should instead say "please check your login credentials". This helps in reducing brute force attacks. Some hackers use crawling software that attempts to log in to websites using artificial intelligence.
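The two login checks above (a generic message whichever credential is wrong, and a lockout after a fixed number of failures) as an added example that is not part of the original post. The user names, the threshold of 5 attempts and the PBKDF2 storage scheme are assumptions made for this example.

```python
# Added example, not from the original post: generic login error plus lockout.
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5        # constructed: the post suggests 3 or 5
GENERIC_ERROR = "Please check your login credentials"
LOCKED = "Account locked; contact support"


def hash_password(password, salt=None):
    """Salted PBKDF2 hash, so the stored value is never the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Used for unknown usernames so the response takes the same time as a real one.
DUMMY_SALT, DUMMY_DIGEST = hash_password("dummy-password")


class LoginService:
    def __init__(self):
        self.users = {}        # username -> (salt, digest)
        self.failures = {}     # username -> consecutive failed attempts

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        if self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return LOCKED
        salt, digest = self.users.get(username, (DUMMY_SALT, DUMMY_DIGEST))
        _, attempt = hash_password(password, salt)
        known = username in self.users
        # One message for "no such user" and "wrong password": neither
        # attribute is confirmed on its own, which is the point of the post.
        if not known or not hmac.compare_digest(attempt, digest):
            if known:
                self.failures[username] = self.failures.get(username, 0) + 1
                if self.failures[username] >= MAX_FAILED_ATTEMPTS:
                    return LOCKED
            return GENERIC_ERROR
        self.failures[username] = 0
        return "OK"
```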

Password Encryption & Decryption
The login page opens on the client side. The user enters the username and password. When the user clicks the Login button, both credentials are sent to the server via POST or some other method.
This means that your username and password travel over the internet before they reach the required server.
We suggest that whenever the page is loaded, some encryption scripts should be loaded along with it.
When the Login button is clicked, the credentials should be encrypted before they start travelling over the internet, and as soon as they reach the server a decryption routine waiting there converts them back.
This mechanism acts as prevention against many attacks.


Cookie Testing
First we should know what a cookie is.
A cookie can be considered as a register which can store information. Cookies are present on your own computer, and they can save your passwords. Let us say you visit a cybercafé and check your email.
Most standard websites offer an option with a check box:
-Stay logged on
-Keep me signed in
-Remember password

If you check this, a cookie containing your username and password will be saved on that PC, and the next time you log in you are not asked for the username and password.
Initially we are happy because we have skipped one step, but few realise that this is a threat to your privacy.

If the next customer uses the same computer and visits the same site you were using, he will be logged in to the system with your login credentials and can easily see your data.

Let's come back to testing:
With respect to cookie testing, the tester should confirm that cookies work as intended, including the "remember me" behaviour described above.

Session Testing
Once you log in to the system, a session is established. Every session has a unique session id. Every site has some session expiry time set. This time starts counting when the user stops any activity after logging in to the application.
This time can vary from 5 minutes to a number of hours, depending upon the website's requirements.
If the user comes back to the system after the session time has expired, any link clicked on that website should direct the user to the login page.
Testers should verify that the session expiry time works as per the requirement. Session testing should also be carried out on different browsers.
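The idle-timeout behaviour described above, as an added example that is not part of the original post: a session store with an inactivity timeout, driven by a fake clock so the expiry scenario can be checked without waiting. The 5 minute timeout, the user name and the session id format are assumptions.

```python
# Added example, not from the original post: idle-timeout session store.
import secrets

IDLE_TIMEOUT_SECONDS = 5 * 60    # constructed: the post says 5 minutes to hours


class SessionStore:
    def __init__(self, clock):
        self.clock = clock       # callable returning the current time in seconds
        self.sessions = {}       # session id -> (username, last activity time)

    def login(self, username):
        sid = secrets.token_urlsafe(32)      # unpredictable id, fresh per login
        self.sessions[sid] = (username, self.clock())
        return sid

    def request(self, sid):
        """Return the user of a live session and refresh its activity time;
        return None (send to the login page) if it is missing or idle too long."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, last_seen = entry
        now = self.clock()
        if now - last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]           # expired: user must log in again
            return None
        self.sessions[sid] = (username, now) # activity restarts the countdown
        return username


def session_expiry_check():
    """Tester's scenario: activity keeps the session alive, inactivity ends it."""
    clock = {"t": 0.0}
    store = SessionStore(lambda: clock["t"])
    sid = store.login("Jones")
    clock["t"] += 4 * 60                     # 4 min idle: still inside timeout
    alive_after_4min = store.request(sid) == "Jones"
    clock["t"] += 4 * 60                     # another 4 min since last activity
    alive_after_activity = store.request(sid) == "Jones"
    clock["t"] += 6 * 60                     # 6 min idle: past the timeout
    redirected_to_login = store.request(sid) is None
    return alive_after_4min, alive_after_activity, redirected_to_login
```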


URL Manipulation
While testing a web application, this is the most important part of security testing.
Most software developers miss this part while coding. I have seen many projects in the past which were developed using many complicated frameworks, and they failed when we started URL manipulation.
This can be explained with the help of the example below.
Let us say we have a user "Jones" who is allowed to see only some of the web pages:
A.jsp
B.jsp
c.jsp

Another user "Pal" is allowed to see other web pages:
x.jsp
y.jsp
z.jsp

Now how will you conduct URL manipulation testing?
Log in to the application using username: Jones
Manually change or manipulate the URL
Say:
http://example.com/main/A.jsp?dir=Language%20Training&content=Spanish
to
http://example.com/main/X.jsp?dir=Language%20Training&content=Spanish
and press Enter.

What should we get?
We should get a message that "You are not authorized to access This Page".
If instead the page opens with Jones as the logged-in user, then this is a security breach.
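The role/authorization matrix from the earlier section and the URL manipulation test described here, as one added example that is not part of the original post. The users, roles and page names follow the Jones/Pal illustration; the two page handlers (one that only checks for a login, one that also checks the role) are hypothetical.

```python
# Added example, not from the original post: role matrix + URL manipulation test.
ROLE_PAGES = {                       # constructed: pages each role may open
    "customer": {"A.jsp", "B.jsp", "c.jsp"},
    "seller": {"x.jsp", "y.jsp", "z.jsp"},
}
USER_ROLES = {"Jones": "customer", "Pal": "seller"}
ALL_PAGES = sorted(set().union(*ROLE_PAGES.values()))
NOT_AUTHORIZED = "You are not authorized to access This Page"
LOGIN_PAGE = "login page"


def page_from_url(url):
    """Return the page name ('A.jsp') from a URL, ignoring the query string."""
    return url.split("?", 1)[0].rsplit("/", 1)[-1]


def open_page_insecure(user, url):
    """Flawed handler: checks only that someone is logged in, not their role."""
    if user not in USER_ROLES:
        return LOGIN_PAGE
    return "contents of " + page_from_url(url)


def open_page_secure(user, url):
    """Fixed handler: the page must be in the authorization set of the user's role."""
    role = USER_ROLES.get(user)
    if role is None:
        return LOGIN_PAGE
    page = page_from_url(url)
    if page not in ROLE_PAGES[role]:
        return NOT_AUTHORIZED
    return "contents of " + page


def url_manipulation_test(handler):
    """Tester's matrix: log in as every user, manipulate the URL to every page,
    and report each (user, page) that opens although the role does not grant it."""
    breaches = []
    for user, role in USER_ROLES.items():
        for page in ALL_PAGES:
            url = "http://example.com/main/%s?dir=Language%%20Training&content=Spanish" % page
            response = handler(user, url)
            opened = response not in (NOT_AUTHORIZED, LOGIN_PAGE)
            if opened and page not in ROLE_PAGES[role]:
                breaches.append((user, page))
    return breaches
```

Running the matrix against both handlers shows the difference: the flawed one yields six breaches (each user opening the other role's three pages), the fixed one yields none.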

SQL Injection Attack

We all know that there is much variable information which depends on the user.
This information is required from the user's end in order to fetch records or data from the database.
The information is gathered in the form of forms as well as query string values in URLs.

These values are sometimes used directly in the SQL statement.
Some hackers use special characters like single quotes, adding them to the values. This is called injection; what happens next depends upon the database server and how it behaves when this SQL command is triggered.

To protect the application from SQL injection attacks, the tester needs to check what information is needed to fetch data from the application.

Values coming from forms, from URLs and from web services should be checked before the release is given.
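The point above, as an added example that is not part of the original post: the same lookup written by pasting the form value into the SQL statement and written with a bound parameter, plus the tester's check that a value containing a single quote neither breaks the query nor widens the result set. The table, rows and the probe value are constructed for this example.

```python
# Added example, not from the original post: concatenated vs parameterized SQL.
import sqlite3


def make_db():
    """In-memory table with constructed rows standing in for the application data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "Jones", "Spanish course"),
        (2, "Pal", "French course"),
    ])
    return conn


def orders_concatenated(conn, customer):
    """Vulnerable: the value from the form or query string becomes part of the
    SQL text, so a single quote in it changes the statement itself."""
    sql = "SELECT item FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]


def orders_parameterized(conn, customer):
    """Fixed: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT item FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def injection_check(conn):
    """Tester's check with a single-quote value: the vulnerable handler returns
    every row, the fixed one matches no customer. Returns (leaked, safe) counts."""
    probe = "' OR '1'='1"
    leaked = orders_concatenated(conn, probe)
    safe = orders_parameterized(conn, probe)
    return len(leaked), len(safe)


def apostrophe_check(conn):
    """A legitimate value with an apostrophe: the vulnerable handler fails with
    a syntax error, the fixed one simply finds no such customer."""
    try:
        orders_concatenated(conn, "O'Brien")
        vulnerable_raised = False
    except sqlite3.OperationalError:
        vulnerable_raised = True
    return vulnerable_raised, orders_parameterized(conn, "O'Brien")
```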

Spoofing
There are many types of spoofing technique used by hackers to gather personal information:
content spoofing, email spoofing, phishing, caller ID spoofing, IP spoofing.
From the testing point of view, we do not have any mechanism to protect the product from spoofing.
Although this is not considered a security breach, because the real application is not being touched, we are still losing information.

Open ID
OpenID is a project where one single username can be used on many sites.
Many websites now use OpenID to log in their users.
The big disadvantage of having an OpenID is that if this ID is hacked, the hacker will be able to log in to many websites using your identity.


We have a new term known as "Web Application Penetration Testing".
This is said to be the combination of the techniques discussed above, packed into one single bundle.
Companies have developed sets of tools which can be configured to test web applications; the results can help to create much better applications.



Security Testing Tools
http://www.powerfuzzer.com/
http://www.owasp.org/
http://www.tenablesecurity.com/solutions/
http://www.cerias.purdue.edu/


Security Testing Certification
http://www.comptia.org/certifications.aspx
http://www.technologytransfer.eu/event/902/Q/SA_(Qualified_Security_Analyst)_Penetration_Testing_Certification.html
http://www.coresecurity.com/content/Training-Certification-and-Support
http://www.rsa.com/node.aspx?id=1261
