Tester’s Guide To The Security Testing of Web Applications


Introduction To Security Testing & Security Testing Tools

From individuals to federal bodies, cyber attackers are eyeing every small opportunity to steal valuable data, much of it Personally Identifiable Information (PII). We have seen many real-life examples, like Facebook and Equifax, where a single vulnerability cost the company both revenue and reputation. What do security incidents like these teach us? Web security is crucial, and even the best-built system is not immune to attack. Website security testing tools play a vital role in detecting vulnerabilities and threats.

We feel the full gravity of the impact only after experiencing a breach. Imagine the information your valued customers trusted you with being sold on the Darknet, reaching shady figures with malicious intent. The trust-based relationship you so carefully built over the years is dissolved in an instant. Owners must take ample effort to secure their systems and serve their clients better: confidentiality and integrity play a major role in any relationship.

What is Security Testing?

Security testing safeguards your software from the vulnerabilities, threats and risks posed by intruders. By detecting weaknesses in the system beforehand, you can avoid potential loss of information, revenue, and reputation at the hands of nefarious entities.

Therefore, we first need to understand the Open-Source Security Testing Methodology Manual (OSSTMM) and how it delivers a scientific process for accurately describing business security, one that can be used for penetration testing, ethical hacking, and security testing.

Open-Source Security Testing:

OSSTMM is a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM). The manual is updated every six months or so to remain relevant to the current state of security testing. ISECOM focuses on verified facts, so that organizations applying its methodologies know they are making fact-based decisions. Each security testing method is explained briefly below. They are as follows:

  • Vulnerability Scanning
  • Security Scanning
  • Penetration Testing
  • Risk Assessment
  • Security Auditing
  • Ethical Hacking
  • Posture Assessment

1. Vulnerability Scanning

  • Vulnerability scanners are automated tools that check whether systems have known weaknesses.
  • Enterprise networks are subjected to vulnerability scanning both internally and externally.
  • External vulnerability scanning is performed from outside the network edge. It determines the exposure to attack of servers and applications that can be reached from the internet.
  • An internal vulnerability scan is performed to find flaws that hackers could take advantage of. It also helps in identifying how far an intruder could spread to other systems and servers once they gain access to the network.

2. Security Scanning

  • Security scanning consists of identifying network and system weaknesses and providing solutions to reduce these risks.
  • It can be performed both manually and with automated scanning.

3. Penetration Testing

  • Penetration testing simulates an attack by a malicious intruder.
  • It involves evaluating a particular system to check for possible exposure to external hacking.

4. Risk Assessment

  • This testing involves assessing the security risks observed in software applications.
  • Risks are categorized as Low, Medium, and High.
  • It proposes control measures to reduce the risk.

5. Security Auditing

  • Security auditing is an internal inspection of applications and operating systems for security flaws.
  • A line-by-line code audit is recommended.

6. Ethical Hacking

  • This differs from the other testing methods in that it targets an entire organization's software system.
  • Unlike malicious hackers, the intent is to expose security flaws in the system so that they can be fixed.

7. Posture Assessment

  • Posture assessment combines security auditing, ethical hacking, and risk assessment to show the overall security posture of an organization.

When to do Security Testing?

It is generally agreed that the cost is higher if security testing is deferred until after implementation. So, it is crucial to involve security testing in the earlier SDLC phases.

Practices Of Security Testing

The following steps can be taken to prepare and plan for security testing:

  1. Security Architecture Study: Understand the business requirements, security goals and objectives, and the organization's compliance obligations.
  2. Classify Security Testing: Collect information on the system setup used for the application, such as the operating system, technology, and hardware. List the vulnerabilities and security risks.
  3. Threat Modelling: Identify the threats and break them into smaller parts. We need to think like an attacker to derive the threat modelling matrix.
  4. Test Plan: Create a test plan by deriving the activities, timelines, and resources needed.
  5. Security Test Tool Identification: Security testing is not always manual; sometimes we need to automate too. This is the heart of our article and is explained in detail later. Security test tools are available in both open-source and paid forms.
  6. Test Cases Execution: Security test execution is divided into four groups: Dependency, User Interface, Design, and Implementation. Attacks are conducted for each group.
  7. Problem Report: This is a vital element as it provides proof of the vulnerabilities, their seriousness, and the consequences of their exploitation.
  8. Perform Post-mortem: The entire security team takes part and analyses how the bugs were missed during development. By identifying how the security loopholes slipped through, suggestions for process enhancement can be made.

The security testing team will have the following members:

  • Hacker – Accesses computer systems or networks without authorization.
  • Cracker – Breaks into systems to steal or destroy data.
  • Ethical Hacker – Performs activities like a hacker but with authorization from the owner.
  • Script Kiddies/Packet Monkeys – Hackers with less experience and programming skill.

Security Testing Tools

The list of open-source security testing tools is as follows:

  • Netsparker
  • ImmuniWeb
  • Vega
  • Wapiti
  • Nogotofail
  • Acunetix
  • W3af
  • SQLMap
  • ZED Attack Proxy (ZAP)
  • BeEF (Browser Exploitation Framework)
  • Intruder
  • Wireshark

Let us find out what is unique about each of these tools and how it can help you keep your software system secure:

Netsparker:

  • A one-stop shop for all web security needs.
  • Integrates with any type of test and development environment.
  • It uses proof-based scanning technology: a unique automation feature identifies vulnerabilities and verifies them to weed out false positives, saving many man-hours.

ImmuniWeb

  • A next-gen platform that employs artificial intelligence to enable security testing.
  • Security teams, developers, CISOs, and CIOs all benefit from it.
  • This security testing tool has a one-click virtual patching system that assists continuous compliance monitoring.
  • Its multilayer application security testing is a highlight; it checks the website for compliance, server hardening, and privacy.

Vega

  • This vulnerability testing tool is written in Java.
  • Its automated scanner, powered by a website crawler, facilitates quick tests.
  • Its intercepting proxy aids tactical inspection by observing and monitoring client-server communication.
  • Detects vulnerabilities like blind SQL injection, shell injection, etc.
  • Detection modules are written in JavaScript, so new attack modules can be created through its APIs as and when required.

Wapiti

  • This is a command-line application. It crawls through web pages and thus identifies the scripts and forms where data can be injected.
  • Detects vulnerabilities like file disclosure, database injection, file inclusion, cross-site scripting, and weak .htaccess configuration.
  • On finding an anomaly, it raises a warning.

Google Nogotofail

  • A network traffic security testing tool.
  • Checks applications for known TLS/SSL vulnerabilities and misconfigurations.
  • Checks whether they are vulnerable to man-in-the-middle (MITM) attacks.

Acunetix

  • Its vulnerability scanner pioneered automated web application security testing.
  • Black-box scanning and SPA crawling are performed by its AcuSensor and DeepScan technologies.
  • Its built-in vulnerability management system helps generate various technical and compliance reports in addition to the vulnerability scanning.

W3af

  • It is a web application audit and attack framework effective against over 200 vulnerabilities.
  • Assists in limiting the total exposure of a website to malicious elements.
  • Used to send HTTP requests and cluster HTTP responses.
  • Has both a graphical and a console-based interface, so we can protect the website in less than five clicks. Output can be logged to a console or a file, or sent via email.

SQLMap

  • It is a penetration testing tool, powered by a detection engine that identifies SQL injection flaws.
  • Seven levels of verbosity and ETA support for each query.
  • Its fingerprinting and enumeration features are valuable in streamlining a test.

ZED Attack Proxy (ZAP)

  • One more open-source penetration testing tool, developed and maintained under OWASP.
  • Suited for both manual and automated testing.
  • Available for all operating systems: Windows, Linux, and Macintosh.
  • Stands as a man-in-the-middle proxy between the tester's browser and the web application, used to intercept and modify the transmitted messages.
  • Key features include AJAX spiders, a fuzzer, WebSocket support, and a REST-based API.

BeEF (Browser Exploitation Framework)

  • Helps in detecting an application's weaknesses through browser vulnerabilities.
  • Uses client-side attack vectors to verify the security of an application, and can issue browser commands like redirection, changing URLs, generating dialogue boxes, etc.
  • Expands the scan's scope beyond the usual network perimeter and client system to assess security standards.

Intruder

  • An enterprise-grade vulnerability scanner that is easy to use.
  • Runs over 10,000 high-quality security checks across your IT infrastructure, including configuration weaknesses, application weaknesses, and missing patches.
  • Proactive scans for the latest threats save time and keep businesses of all sizes safe from hackers.
  • AWS, Azure, and Google Cloud connectors are available, along with high-quality reporting and API integration with your CI/CD pipeline.

Wireshark

  • A network analysis tool formerly known as Ethereal.
  • Provides minute details about network protocols, decryption, and packet information.
  • We can view the retrieved information through the GUI or the TTY-mode TShark utility.

Final Words

There is a prevailing myth that security policies are only applicable to bigger organizations. But the fact is that a security-first approach is critical for an organization of any size to make a highly vulnerable place like the internet safe for your customers. QAonCloud has rich expertise in web security testing catering to your diversified needs and also has vast experience in serving clients across industry verticals and organization sizes, using various security testing tools based on client requirements. Reach out to us to get a free consultation. Let us together keep the system and our clients safe.
