The online community for software testing & quality assurance professionals
Software Testing >> Security Testing

Reged: 08/06/07
Posts: 2
How to do Security Testing
      #670515 - 05/05/11 07:44 AM

One of our community members focuses on security testing. After a recent visit to a security conference she came up with her own approach on how to test whether secret information (usernames, passwords, ...) is written to logfiles: How to do Security Testing with Business Transactions
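The question the linked article raises, whether secrets end up in log files, can be checked mechanically rather than by reading logs by eye. The script below is an added example, not code from the article or the poster: it scans a few constructed sample log lines for password parameters and bearer tokens and reports each hit with the value redacted, so the finding itself does not leak what it found. The two patterns and the sample lines are assumptions; a real check would carry one pattern per secret type the application handles.

```python
import re

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
2011-05-05 07:44:01 INFO  login ok user=alice
2011-05-05 07:44:02 DEBUG POST /login body=username=alice&password=Hunter2!
2011-05-05 07:44:03 INFO  session created sid=9f8e7d6c5b4a
2011-05-05 07:44:04 WARN  auth failed user=bob password=wrongpass
2011-05-05 07:44:05 INFO  request Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
2011-05-05 07:44:06 INFO  password change for user=alice completed
"""

# Values that must never appear in a log. Each pattern captures the secret so
# the report can prove it was found; the value is redacted before reporting.
SECRET_PATTERNS = {
    "password_param": re.compile(r"(?i)\bpassword=([^&\s]+)"),
    "bearer_token": re.compile(r"(?i)authorization:\s*bearer\s+(\S+)"),
}

def redact(value):
    """Keep only the first character and the length, so the finding leaks nothing."""
    return value[:1] + "*" * (len(value) - 1) if value else ""

def find_secret_leaks(log_text):
    """Return (line_no, kind, redacted_value) for every secret found in log_text."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(1))))
    return findings

if __name__ == "__main__":
    for line_no, kind, value in find_secret_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {kind} leaked ({value})")
```

Note that line 6 of the sample ("password change for user=alice") is not reported: the check looks for a secret value, not for the word "password", which keeps the noise down when the test runs over a day's worth of logs.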


Reged: 07/16/11
Posts: 3
Re: How to do Security Testing [Re: grabnerandi]
      #682677 - 08/20/11 05:15 AM

Security Testing

Limit should be defined for the number of tries: Is there a maximum number of failed logins allowed before the server locks out the current user?

Verify rules for password selection.

Is there a timeout limit?

Test by pasting internal url directly into browser address bar without login. Internal pages should not open.

Test the CAPTCHA for automated script logins.

Test if SSL is used for security measures. If used, a proper message should be displayed when the user switches from non-secure http:// pages to secure https:// pages and vice versa.

All transactions, error messages, and security breach attempts should be logged in log files somewhere on the web server.

Clear your Cache: Be sure to clear the browser cache, including cookies, before each test.

SQL injection: To test for SQL injection bugs, find places where users can enter text, such as where the text is used to perform a lookup function, according to Breach. Then type a single quote character and some text. If the application shows an error message from your database, then you're likely housing an SQL injection bug.
(SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.)

Cross-site scripting (XSS): Find areas in your application that accept user input, such as a page where users can send in their feedback or reviews of a product,
(Cross-site scripting attacks occur when a malicious person, the attacker, can force an unknowing user, the victim, to run client-side script of the attacker's choice. The term cross-site scripting is sort of a misnomer, because it's not just about scripting and it doesn't even have to be cross-site. It's a name that was branded upon its discovery and it has just stuck.)

Session hijacking: If your application has a session identifier number in the URL decrease that number by one and reload the page. The app has a session hijacking vulnerability if the app then "sees" you as a different user.
(Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.)

Pawan Kumar
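The single-quote probe in the SQL injection item above is easier to reason about next to the code that makes it fail. The script below is an added example, not from the post or from Breach's guidance: an in-memory SQLite table (constructed rows, including one legitimate name containing a quote) is queried once by string concatenation, the 'before' form that surfaces a database error on a quote, and once with a bound parameter, the fix. The table, the rows and the helper names are assumptions.

```python
import sqlite3

def make_db():
    """In-memory table with constructed sample rows (not a real product database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("widget",), ("gadget",), ("o'ring",)])
    return conn

def lookup_vulnerable(conn, user_text):
    """The 'before' form: user text is spliced into the SQL string. A single
    quote in the input ends the literal early and breaks the statement, which
    is the database error the checklist above tells the tester to watch for."""
    sql = "SELECT name FROM products WHERE name = '" + user_text + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, user_text):
    """The hardened form: the text is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (user_text,))]

def probe(conn, lookup, user_text):
    """Run one lookup the way a tester would and classify what came back."""
    try:
        return ("ok", lookup(conn, user_text))
    except sqlite3.Error as exc:
        return ("db_error", str(exc))

if __name__ == "__main__":
    conn = make_db()
    for text in ("widget", "o'ring", "' abc"):
        print(f"{text!r:10} vulnerable={probe(conn, lookup_vulnerable, text)} "
              f"parameterized={probe(conn, lookup_parameterized, text)}")
```

The "o'ring" row is the useful one for a tester: the concatenated query fails on ordinary data, not only on the probe, so the same defect shows up as a functional bug in any field that accepts names or free text. The parameterized version returns that row correctly and returns an empty result, not an error, for the quote-plus-text probe.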

Super Member

Reged: 09/15/10
Posts: 1887
Re: How to do Security Testing [Re: pawan1080]
      #682947 - 08/23/11 06:47 PM

Wow!! As Pawan here mentioned, these are fairly the many ways to test for security for a web app. You could also check for data sent across the network!!

<< Why are you so obsessed at finding bugs >>

Super Member

Reged: 05/09/01
Posts: 1254
Re: How to do Security Testing [Re: pawan1080]
      #682993 - 08/24/11 04:39 AM


Is also your site?

P. Walen

My Blog:

Joe Strazzere

Reged: 05/15/00
Posts: 12344
Loc: Massachusetts, USA
Re: How to do Security Testing [Re: pawan1080]
      #683007 - 08/24/11 06:15 AM


Security Testing...

Copied and pasted from ?

- Joe
Visit to learn more about quality, testing, and QA!

I speak only for me. I do not speak for my employer, nor for anyone else.


Reged: 09/27/11
Posts: 4
Loc: India
Re: How to do Security Testing [Re: Joe Strazzere]
      #688312 - 10/12/11 12:51 PM

Web application testing

some features we concentrated on for web application testing

1) Checking for password strength (brute force password crackers and dictionary attacks to check strength)
2) Check if the password is hashed and stored (manually check the DB; use MD5 hash crackers)
3) Authentication should always be via SSL (Wireshark to check https)
4) Forgot password feature should send you a link to reset the password, and the link should be valid for 24 hrs (never send the password in an email)
5) Authentication and session tokens should be random (WebScarab can be used to check sessions over a period)
6) Timeout of session after a specified time
7) Captcha if the password is entered three times, and lock the account for 5 minutes after 10 failed login attempts
8) XSS and CSRF validation on text fields where the user can enter text that is displayed back on the client side
9) It's good practice to encrypt URLs; never show something like .htm&flag=true or .jsp?token=valid etc. Encrypt them.
10) Avoid client-side validation; it can be bypassed by a proxy or tools like Tamper Data etc.
11) SQL injection attacks, and verify all important files and logs are placed in secured folders (WEB-INF)
12) Verify if any hidden fields are displaying key parameters like userID primary key during API calls (WebScarab will reveal hidden fields on a page).
13) OWASP Top 10 and SANS 25 checks which are applicable to the application and database layer

Tools: Acunetix, WebScarab, Tamper Data, XSS Me, SQL Power Injector, HackBar, Firebug, Cookie Editor

This is what we have checked till now; will keep you updated when I come across something new.

Prasanth Ratakonda
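Pawan's session hijacking item (a session number in the URL that is one more than the last) and item 5 above (tokens should be random, checked over a period) are the same test from two angles. The script below is an added example, not from either poster or from WebScarab: given a sample of session tokens collected over several logins, it flags the counter-style sequence and passes the random-looking one. Both token lists are constructed, and the thresholds (16 characters, 3 bits of entropy per character) are assumptions a team would tune to its own framework.

```python
import math
from collections import Counter

# Constructed samples (not captured from any real application).
# A counter-based session ID: each new session is the previous one plus one.
SEQUENTIAL_TOKENS = ["100233", "100234", "100235", "100236"]
# Tokens of the kind a CSPRNG-backed session store issues (32 hex characters).
RANDOM_TOKENS = [
    "3f9a1c7e52b84d60e7a9c3f15b2d8406",
    "a04e8c2f6b1d39755d71b3e9a60f4c28",
    "c6e2a09f4b7d15838b3f0d5a2e6c7194",
]

def shannon_entropy_bits(token):
    """Bits per character estimated from the token's own character frequencies."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_sequential(tokens):
    """True when every token is a decimal integer and consecutive tokens differ
    by one constant step, i.e. the next session ID is predictable from the last."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1

def assess_tokens(tokens, min_length=16, min_bits_per_char=3.0):
    """Run the four checks and return them by name; all True means the sample passed."""
    return {
        "all_unique": len(set(tokens)) == len(tokens),
        "long_enough": all(len(t) >= min_length for t in tokens),
        "not_sequential": not looks_sequential(tokens),
        "high_entropy": all(shannon_entropy_bits(t) >= min_bits_per_char for t in tokens),
    }

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_TOKENS), ("random", RANDOM_TOKENS)):
        result = assess_tokens(sample)
        verdict = "PASS" if all(result.values()) else "FAIL"
        print(f"{name}: {verdict} {result}")
```

The per-character entropy check is deliberately modest: it catches short or repetitive tokens, but a counter that has been hex-encoded or hashed will score well on it while still being predictable, which is why the sequential check and the "over a period" collection that item 5 describes matter more than the entropy figure.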

Junior Member

Reged: 05/02/06
Posts: 1041
Loc: CA, USA
Re: How to do Security Testing [Re: prasanth_ratakonda]
      #705151 - 04/25/12 08:53 AM

My opinion is there are too many security vulnerabilities and attack types to even list. It will take forever to list them all. Even for a simple XSS attack there are over 100 variations that can be done.

It's best to use some sort of all encompassing scan tool. Then on top of that, perform a full security threat assessment on application based on technologies and interfaces used. Then perform specific tests based on risk levels. Look up technologies used, and check sites like owasp and other security sites to find high risk vulnerabilities you should specifically test for. Also, have some code review procedure set in place. All input should be verified before being used. A good practice is to use some sort of framework for handling external inputs that'll throw some sort of exception if input has not been sanitized before usage.

David Lai
Sr. QA / Test Lead
LinkedIn profile
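The last suggestion above, a framework that throws if external input reaches a sink unvalidated, is the kind of thing a team can build in a few dozen lines. The code below is an added example, not David's or any real framework's: every request parameter arrives wrapped in a `Tainted` object that refuses to act as a string (including inside f-strings and concatenation) until a validator has accepted it, so a view that forgets the check fails at test time instead of passing the raw value through. The class, validator and view names, and the `parse_request` stand-in for a request object, are all assumptions.

```python
import re

class UnsanitizedInputError(Exception):
    """Raised when an external value reaches a sink without passing a validator."""

class Tainted:
    """Holds a value from outside the trust boundary (form field, query
    parameter, header). It refuses to behave like a string until a validator
    has explicitly accepted it, so a forgotten check fails loudly."""

    def __init__(self, raw, source="external"):
        self._raw = raw
        self.source = source

    def _refuse(self):
        raise UnsanitizedInputError(f"{self.source}: value used before validation")

    # Every implicit conversion a sink might rely on is blocked.
    def __str__(self):
        self._refuse()

    def __format__(self, spec):
        self._refuse()

    def __add__(self, other):
        self._refuse()

    __radd__ = __add__

    def __repr__(self):
        # Safe in logs and tracebacks: the raw value is never shown.
        return f"Tainted(source={self.source!r})"

    def validate(self, validator):
        """Return the plain value only if validator(raw) is true; otherwise raise."""
        if not validator(self._raw):
            raise UnsanitizedInputError(f"{self.source}: rejected by {validator.__name__}")
        return self._raw

# Validators are allow-lists: they describe what is acceptable, not what is bad.
def is_username(value):
    return isinstance(value, str) and re.fullmatch(r"[A-Za-z0-9_]{3,32}", value) is not None

def is_product_id(value):
    return isinstance(value, str) and value.isdigit() and len(value) <= 10

def parse_request(params):
    """Wrap every parameter on arrival (stand-in for a framework's request object)."""
    return {name: Tainted(value, source=f"param:{name}") for name, value in params.items()}

def greeting_safe(req):
    user = req["user"].validate(is_username)
    return f"Hello, {user}"

def greeting_unsafe(req):
    # The validate() call was forgotten; the wrapper stops the value at the f-string.
    return f"Hello, {req['user']}"

def attempt(view, req):
    """Run a view and report whether the wrapper blocked it."""
    try:
        return ("ok", view(req))
    except UnsanitizedInputError as exc:
        return ("blocked", str(exc))

if __name__ == "__main__":
    req = parse_request({"user": "alice_01", "id": "42"})
    print(attempt(greeting_safe, req))
    print(attempt(greeting_unsafe, req))
    print(attempt(greeting_safe, parse_request({"user": "bob smith"})))
```

The `__repr__` is the detail worth copying: because the wrapper never prints its payload, a stack trace or debug log of a request object cannot reproduce the log-leak problem the first post in this thread is about.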
