Posted by: Bernard Lelchuk | January 30, 2010

Security Testing Tips From a Bug Battle Winner – Part1


This is a post I originally posted for uTest here

Posted on May 14th, 2009 in Guest Posts, QA for Web Apps, Tester Community by Guest Blogger

In the second installment of our guest blogger series, Bug Battle winner and expert tester Bernard Lelchuk examines the basics of security testing:

Although it’s a broad term, security testing can be broken down into six basic concepts: Availability, Authentication, Authorization, Confidentiality, Integrity and Non-repudiation. I’ll define each concept briefly; however, I encourage you to research each one for a better understanding.

  • Availability: Assuring that information and communications services are available and maintained for authorized persons when needed.
  • Authentication: Assuring the validity of any type of originator, transmission or message. This also gives confidence that information is received from a known and validated source.
  • Authorization: Assuring that access to a system, service or operation is allowed or denied according to what the individual is permitted to do (i.e. access control).
  • Confidentiality: Ensuring information is accessible only to those authorized to see it, and preventing disclosure to any party other than the intended recipients. Often ensured by encrypting information (cryptography).
  • Integrity: Ensuring received information is preserved intact, with no alteration.
  • Non-repudiation: Ensuring an action or communication cannot later be denied (usually achieved through a combination of authentication and time stamping).

Security Testing Methods:

There are three types of testing methods, each involving a different set of attacks: information/system gathering, logical, and injection attacks. Each is used for specific testing results; however, various attacks share the same security concepts and are therefore quite similar to one another.

Information gathering (i.e. system-related) attacks

  • Client-side source code analysis
  • Application reconnaissance
  • Error messages analysis
  • Directory traversal

These methods cover various types of information gathering from a web application or server by means of source code and error message analysis, exposure of the directory structure, or other attacks that result in information exposure.

Logical Attacks

  • Cookie poisoning
  • Parameter tampering
  • Flow bypassing
  • Direct access of components files
  • Session hijacking
  • Penetration testing
  • Buffer overflow

These methods relate to various logical attacks which may be executed either manually or via specific tools/scripts. Logical attacks are more sophisticated, and thus more interesting and challenging to the tester, who needs a good understanding of information technology and specific knowledge of cookies, POST/GET requests and parameters, etc.

Injection Attacks

  • SQL injection
  • Cross Site Scripting (XSS)
  • Scripts injection

These methods relate to injecting scripts and SQL commands into web application forms. These are the most common attacks, and they are both serious and dangerous. Detecting such vulnerabilities in the early stages of development can prevent unnecessary flaws.
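As an added illustration (not code from the original post), here is the kind of check a tester can automate for a login form: a query built by string concatenation beside its parameterised form, both run against a constructed in-memory SQLite table. The `TAUTOLOGY` probe is the classic input that turns the concatenated query's WHERE clause into an always-true condition; the hardened version binds it as plain data.

```python
import sqlite3

# Constructed sample data: an in-memory users table standing in for a web app's backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: form input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, username, password):
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Probe string used by the tester: in the concatenated query it yields
# ... AND password = '' OR '1'='1', which matches every row.
TAUTOLOGY = "' OR '1'='1"

def check_login(login_fn):
    """Tester's check: valid credentials must pass, wrong credentials must
    fail, and the probe must be rejected like any other wrong password.
    Returns a dict so the outcome can be asserted in an automated suite."""
    conn = make_db()
    try:
        return {
            "valid_ok": login_fn(conn, "alice", "correct horse"),
            "wrong_rejected": not login_fn(conn, "alice", "wrong"),
            "probe_rejected": not login_fn(conn, "alice", TAUTOLOGY),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, check_login(fn))
```

A "probe_rejected": False result for a form handler is the early-development signal the post refers to; the same three checks fit any framework's test suite.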

In my next blog post, I will address some common (and some not-so-common) tools that can make security testing easier and more productive for testing engineers of all experience levels.

In the meantime, happy testing!

