Web app security testing.
Studying the security of a web resource is complex, meticulous work that requires attentiveness, imagination, and a creative approach. A security researcher needs a deep understanding of the technical side of both the web application and the web server.

We all know that the number of network attacks is steadily growing. Indeed, according to a report by the Center for Strategic and International Studies, the global economy loses about $600 billion annually to cybercrime. Every day, all kinds of network resources are subjected to attacks. Practically everything is at risk, from the small website of a local gas station chain to a huge online trading platform that operates on several continents.

Therefore, all existing web applications for business can be divided into two categories: those that have already been hacked, and those that have not yet been hacked. In practice, it is only a matter of time.
You may be surprised, but according to statistics, 92% of malware is still sent via email (if you don't believe it, ask Josh Fruhlinger). Just how cool is that? People still continue to click "random virus.exe" attached to an email that says "click it and you'll be happy." All this is happening in a technological era when neural networks can already write poetry and draw pictures. Sad but true.
Everyone is vulnerable. And everyone is aware of this risk. However, we tend to think that we'll not face a threat. This leads to undesirable consequences. Let's talk about how to reduce these risks and describe the process of a web app security testing.
So what is web app security testing?
Testing is the process of achieving excellence. And security testing is an attempt to achieve excellence in outer space when there is something wrong with your spacesuit. But let's return to Earth. Testing web application security is an attempt to find parts of the functionality that can be intentionally attacked or damaged.
The web application is closely related to the web server. By testing one without the other, the tester will not get a complete picture of the possible damage. In the web application, the tester looks for vulnerabilities through which an intruder can attack users. In the web server, the tester looks for vulnerabilities through which an intruder can attack the server or its infrastructure.
When might security testing be needed?

We've got a lot of options here:
  • after a cyber attack or an attempted one;
  • if web application security testing was conducted a long time ago or has never been conducted at all;
  • after adding new functionality to an existing product;
  • when an app is going to production;
  • if required by industry standards (PCI DSS, HIPAA), etc.
Simply put, security testing is necessary when you have "something" that stores or processes important data and is accessible from the Internet. Which is almost always.

By important data, we mean any information that has value: users' personal data, payment card data, information on company bank accounts, etc. Even if the web application does not store or process any important data, you cannot dismiss the reputational losses.

Of course, if the site is hacked and the competitor's logo is placed on the main page instead of the company's logo, this will never affect the business positively.
What matters is the number of unique visitors: taken together, there may be more money in their pockets than the company earns over a long period of time.
A company's customers, regular folks ordering, for example, pizza, also need protection and security. After all, they just want to pay for pizza online, not send their data to attackers. If you are the owner of a pizzeria, make sure that no one has learned how to order your pizza for free. And, of course, security testing is very necessary for the developers themselves, since no one likes to edit their code at three o'clock in the morning while an angry PM shouts something incomprehensible into the phone.

As a rule, small organizations that have a website and a small server think that they are too small to become a target for attack, but this is a common mistake. Small businesses may indeed be attacked far less often than large corporations, but now that automation is kicking into high gear, nobody checks whether a company has a large cash flow before attacking it.
Thus, ensuring security (namely, spending budget on security testing) is the normal order of things for the entire civilized world. However, not all company executives hold this opinion. Some of them, for example, restrict access to internal resources with the help of a single undergraduate student and believe that this will be enough. After all, not everyone is accustomed to spending money on their own safety.
On the other hand, there are companies where an information security department is created or outsourced security specialists are hired. Large companies launch bug-bounty programs, where anyone can try to find a vulnerability in the system under test. Sure, they all want to protect their income and reputation.
Who benefits from security?
First of all – the user. If there is no need to worry that your personal data can leak to the wild web, then you will trust the site (and its owner) more. And if the user is happy, then the owner of the company is also happy.
Security is primarily focused on money. Do not believe those who say the opposite.
What does security testing look like from the inside?
Each new project requires using new tools, studying new technologies and racing through a multitude of books and articles. The security testing process itself consists mainly of searching for a vulnerability, localizing it, reproducing it, and reporting it. Priorities mainly depend on the purpose of testing.

On the Internet, you can find a lot of information on security testing / security analysis / security audit. Unfortunately, this information mainly consists of tips to analyze your web application with some kind of security scanner. As a result, you will receive a full report on the detected vulnerabilities in your system. At this point you may think – hey, this is it! What else do we need?

Do not be so naive.
Most vulnerabilities are best found by hand, while carefully examining the system. They can be quite simple, yet automated scanners are still unable to detect them.
OWASP Top 10 Application Security Risks

The OWASP (Open Web Application Security Project) community deals with the classification of attack vectors and vulnerabilities. It is an international non-profit organization focused on analyzing and improving software security.

OWASP has compiled a list of the 10 most dangerous vulnerabilities that Internet resources can be exposed to. The community updates and revises this list every three years, so it contains up-to-date information. The last update was made in 2017. So, the risks are as follows:
1. Code injection
2. Broken authentication and incorrect user session control
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging & monitoring
OWASP testing guidelines
What does the testing process consist of? Security testing consists of two stages.
1. «Passive» stage
During the passive stage, the tester tries to understand the logic of the application and gathers information. For example, all HTTP requests and responses are examined using an HTTP proxy. By the end of this stage, the tester should have found all available application entry points (HTTP headers, settings, cookies, etc.).
2. «Active» stage
During the active stage, the specialist conducts tests in accordance with the methodology.

All tests are divided into eleven subsections:

  • information gathering
  • configuration testing
  • user security policy testing
  • authentication testing
  • authorization testing
  • user session control testing
  • testing the processing of user input
  • error processing
  • cryptography
  • business logic testing
  • on-premises vulnerabilities testing
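Cataloguing entry points in the passive stage is mechanical enough to script. The following Python is an added example, not code from the QAcamp post: it takes one request as it would appear in an intercepting proxy (a constructed sample, not real traffic) and lists every query parameter, cookie, client-controlled header and form field as a candidate entry point for the active stage. The set of headers treated as client-controlled is an assumption made for this example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Request headers whose values come straight from the client and therefore
# count as entry points whenever the application reads them (assumed list).
CLIENT_CONTROLLED_HEADERS = {"host", "user-agent", "referer", "origin", "x-forwarded-for"}

# Constructed sample: one request as seen in an intercepting proxy (not real traffic).
SAMPLE_REQUEST = (
    "POST /account/update?lang=en&ref=promo HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "email=alice%40example.com&age=30"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def entry_points(raw):
    """Return every place in the request where client-supplied data enters the app."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    points = []
    # 1. Query string parameters
    for name, _ in parse_qsl(url.query, keep_blank_values=True):
        points.append(("query", name))
    # 2. Cookies: each one is a separate value the server may trust
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        points.extend(("cookie", name) for name in jar)
    # 3. Headers the client controls
    points.extend(("header", name) for name in headers if name in CLIENT_CONTROLLED_HEADERS)
    # 4. Form fields in a URL-encoded body
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(body, keep_blank_values=True):
            points.append(("body", name))
    return {"method": method, "path": url.path, "points": points}


def summarize(raw):
    """Count entry points per source, the way a tester tallies attack surface."""
    counts = {}
    for source, _ in entry_points(raw)["points"]:
        counts[source] = counts.get(source, 0) + 1
    return counts


if __name__ == "__main__":
    report = entry_points(SAMPLE_REQUEST)
    print(report["method"], report["path"])
    for source, name in report["points"]:
        print(f"  {source:<7} {name}")
    print(summarize(SAMPLE_REQUEST))
```

Run over a whole proxy history instead of one request, the per-path summary is the inventory the active stage works through; every line of it is a value the application receives from outside and must validate.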
What kinds of tools are used for security analysis?
There are a lot of different tools: small scripts developed for one specific purpose, and huge multifunctional utilities that squeeze the maximum result out of a minimum of input. However, that result often contains false positives.

As a rule, when selecting tools, the testing engineer relies on priorities: which is more important, time or coverage?

Well, modern automation has hit an all-time high. Therefore, you can safely follow the Pareto principle: give 80% of the work to automated analyzers, and do the remaining 20% manually.
But, frankly speaking, the results of automated tools still have to be studied and verified.

Here is a short list of categories of tools:
  • web vulnerability scanners
  • tools for exploiting vulnerabilities
  • forensics tools
  • port scanners
  • traffic monitoring tools
  • debuggers
  • rootkit detectors
  • encryption tools
  • brute force tools
By the way, where do all these vulnerabilities come from?

Sloppiness / Inattention / Cruftmanship / Laziness (underline as necessary)
In general, developers most often make mistakes due to lack of experience. Not all of them can imagine how an attacker could damage their product. Some developers believe that it is enough to escape quotes in user input or simply enable «magic_quotes» to make SQL injection harmless. However, these measures only mitigate the problem; they do not eliminate it.
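Why quote escaping alone does not neutralize SQL injection is easiest to see on a toy database. The following Python is an added example, not code from the QAcamp post: the in-memory SQLite table, the escape_quotes helper and all lookup functions are constructed for this illustration. The vulnerable lookup concatenates the id into a numeric context, where there are no quotes for the escaping to act on; the hardened versions validate the type and bind the value as a parameter, so the statement text never changes.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (id, name, is_admin) VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "root", 1)],
    )
    return conn


def escape_quotes(value):
    """Quote escaping in the spirit of magic_quotes: every ' becomes ''."""
    return str(value).replace("'", "''")


def find_user_escaped(conn, user_id):
    """Vulnerable: the id is concatenated into a numeric context.

    There are no quotes around the value, so escaping quotes changes nothing;
    whatever the client sends becomes part of the WHERE clause.
    """
    sql = "SELECT id, name FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def find_user_param(conn, user_id):
    """Hardened: validate the type, then bind the value as a parameter.

    The driver passes the value separately from the statement, so the input
    can only ever be compared against id, never interpreted as SQL.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []  # not an integer: reject before anything reaches the database
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


def find_by_name_param(conn, name):
    """Same rule in a string context: a quote in the input is just data."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_user_escaped(conn, "2"))                # [(2, 'bob')]
    print(find_user_escaped(conn, "2 OR 1=1"))         # every row: escaping did nothing
    print(find_user_param(conn, "2 OR 1=1"))           # []: rejected before reaching SQL
    print(find_by_name_param(conn, "bob' OR '1'='1"))  # []: treated as a literal name
```

The same shape applies to every database driver: the fix is a prepared statement with bound parameters plus type validation at the boundary, not a filter on the characters the input may contain. A WAF or quote filter sits in front of the vulnerable code; parameter binding removes the vulnerability.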
Sometimes even WAF is not going to save us.
So what are we going to do?
We're going to learn and be the best. That's what a true security master does. "Even if the sky is falling down, I know that we'll be safe and sound" ©. If that isn't a security tester's motto, what is? We actually think that a security tester is one tough cookie with some paranoid overtones (no offense).

Man is an imperfect being. To err is human (and so does every developer). So the tester is to forgive and the PM is to divine. But every mistake is a reason to move forward. People develop information systems, and these systems, like their creators, are just as imperfect. Therefore, every mistake, every vulnerability is a small step forward on the long road to perfection.
Walk with us!

We love what we do and do it with pleasure.
QAcamp team
