Security Testing is a process to determine how well a system protects against unauthorized internal or external access or wilful damage. It is performed to check whether there is any information leakage, for example by verifying how the application encrypts data or by using a wide range of software tools.
Security Testing
1. SECURITY TESTING FOR WEB AND MOBILE DEVELOPMENT
Prepared by: Jyothi Venugopalan
(QA Team Member)
BOSS Webtech Private Limited
www.bosswebtech.com
2. SECURITY TESTING
Security testing is performed to check whether there is any information leakage, for example by verifying how the application encrypts data.
Security testing is a process to determine that an information system protects data and maintains functionality as intended.
3. SECURITY TESTING
The six basic security concepts:
Authentication - Allows a receiver to have confidence that the information it receives originated from a specific, known source.
Authorization - Determining that a requester is allowed to receive a service or perform an operation.
Confidentiality - A security measure that protects against the disclosure of data or information to parties other than the intended ones.
Integrity - Ensuring that the intended receiver receives information or data that was not altered in transmission.
Non-repudiation - Interchange of authentication information with some form of provable time stamp, e.g. together with a session id.
Availability - Assuring that information and communications services will be ready for use when expected.
4. NEED OF SECURITY TESTING
Security testing helps in finding loopholes that can cause loss of important information and allow an intruder to enter the systems.
Security testing helps in improving the current system.
Ensures that the system will keep working for a longer time.
Ensures that people in your organization understand and obey security policies.
5. DIFFERENT TYPES OF SECURITY TESTING
Security Auditing: Security auditing includes direct inspection of the developed application and the operating systems. This also involves a code walk-through.
Security Scanning: Scanning and verification of the system and applications.
Vulnerability Scanning: Scanning the application for all known vulnerabilities.
Risk Assessment: A method of analyzing and deciding the risk, which depends upon the type of loss and the probability of the loss occurring.
Penetration Testing: In this type of testing, a tester tries to forcibly access and enter the application under test.
Ethical Hacking: A forced intrusion of an external element into the systems and applications that are under security testing.
6. SECURITY THREATS FOR WEBSITE
SQL Injection - Insertion of an SQL query into the web application, which can directly interact with the backend database on the server and reveal the information stored in it.
Cross Site Scripting - Insertion of scripting code into the client browser. When the client sends data to the server database, the scripting code from the client side gets stored in the server database.
8. SECURITY TESTING APPROACH FOR WEBSITE
Password cracking: In order to log in to the private areas of the application, one can either guess a username/password or use a password cracker tool for the same.
URL manipulation through HTTP GET methods: The tester should check whether the application passes important information in the query string.
SQL Injection: Entering a single quote (') in any textbox should be rejected by the application.
Cross Site Scripting (XSS): Any HTML, e.g. <HTML>, or any script, e.g. <SCRIPT>, should not be accepted by the application.
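The injection threats on slide 6 and the single-quote, <SCRIPT> and query-string checks on slide 8, shown as an added Python example (not from the deck or from BOSS Webtech): a vulnerable lookup beside its parameterized form, output encoding for the XSS case, and a check for sensitive names in a GET query string. The users table, the probe string and the SENSITIVE_PARAMS list are constructed assumptions.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: an in-memory users table standing in for the
# application's backend database (not the page's real system).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable pattern: input concatenated into the SQL text. The single
    # quote the page uses as its probe breaks the statement syntax, and the
    # resulting database error is the tester's signal that input reaches SQL.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened pattern: parameter binding, so the quote is plain data.
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()

def single_quote_probe(conn, probe="O'Brien"):
    # Runs the page's single-quote check against both lookups and returns
    # (unsafe_lookup_raised_db_error, rows_from_safe_lookup).
    try:
        lookup_unsafe(conn, probe)
        raised = False
    except sqlite3.OperationalError:
        raised = True
    return raised, lookup_safe(conn, probe)

def render_comment(text):
    # Output encoding for the XSS check: <HTML> or <SCRIPT> submitted by a
    # client is stored and displayed as inert text, never as markup.
    return "<p>" + html.escape(text, quote=True) + "</p>"

# Hypothetical list of parameter names a tester would flag in a query string.
SENSITIVE_PARAMS = {"password", "pwd", "token", "sessionid", "ssn"}

def sensitive_in_query_string(url):
    # GET parameters end up in browser history, proxy and server logs, so
    # the URL-manipulation check flags important data carried this way.
    query = parse_qs(urlsplit(url).query)
    return sorted(k.lower() for k in query if k.lower() in SENSITIVE_PARAMS)
```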
9. SECURITY THREATS FOR MOBILE APPLICATION
Mobile malware and viruses: A mobile virus is an electronic virus that targets mobile phones or wireless-enabled PDAs.
Eavesdropping: Eavesdropping is the unauthorized real-time interception of a private communication, such as a phone call or an instant message.
Unauthorized access: Careful attention needs to be paid to AAA - authentication, authorization, and accounting.
Physical security: While many notebook computers are indeed lost or stolen every year, it is a lot easier to simply misplace a mobile device.
10. SECURITY TESTING APPROACH FOR MOBILE APPLICATION
Authentication checks
Input Validation checks
Session Management checks
Encryption checks
Application checks
SQL injection checks
LDAP injection checks
XPATH injection checks
11. SECURITY TESTING TOOLS
Netsparker Community Edition
Websecurify
Wapiti
N-Stalker
skipfish
Scrawler
Watcher
x5s
Exploit-Me
WebScarab
12. SUMMARY
No website is 100% secure. Prevention is the better way to secure the website.
Security vulnerabilities arise in different ways, and each brings its own risks.
The critical risk is an attack on the website that steals its data.
14. ABOUT BOSS WEBTECH
BOSS Webtech is a process-oriented design house specializing in web design, web development, backend web programming, mobile application development and other web and mobile related design and support services.
Recently launched BizPlus - mobile-based survey software.
Find out more here: http://bizplusonline.com/
More products here: http://www.bosswebtech.com/products/products.html
CONTACT BOSS WEBTECH
Call 831-998-9121 at US EST/CST/MST/PST Zone
or email info@bosswebtech.com