Security Testing In Application Authentication
A Whitepaper by RapidValue Solutions
An approach to identifying the vulnerabilities in the authentication of a software application.
Index
01 Executive Summary
02 Introduction
03 Security Threats
  01 An adversary obtains sensitive information by bypassing authentication description.
  02 An adversary can access the application posing as a different user by parameter.
  03 An adversary can access the application posing as a different user by parameter manipulation (horizontal escalation).
  04 An adversary can obtain sensitive data using a direct URL without authentication.
  05 An adversary guesses passwords via automated password-guessing attacks.
  06 No OTP functionality present on login page.
  07 A local adversary can misuse authenticated sessions due to a high session-inactivity period.
  08 An adversary can use IPC activity for unauthorized access to the application.
  09 Adversary hijacks sessions as the session is not invalidated on logging out.
  10 The application does not invalidate the session on closing the application.
  11 The application has a weak password policy.
  12 The application allows concurrent user logins.
Conclusion
Authors
About RapidValue
©RapidValue Solutions
Executive Summary
Application security is no longer optional; it has become an important and integral part of every application being developed. One of the major security threats an application faces comes from its authentication functionality. Hence, it is of utmost importance to protect the application's login functionality.
In this whitepaper, we consider the possible threats that one might encounter during the authentication of an application. It describes how each threat can be reproduced in an application and also provides a detailed solution to each.
Introduction
Testers come across many different web and mobile applications; the work can be feature testing, automation testing or a blend of both. In the present scenario, where all business transactions and data transfers are done over the internet, the confidentiality, integrity and availability of data are of utmost importance. Hence, the application also needs to be tested for security threats.
Security testing is a branch of software testing that ensures the proper and flawless working of an application. It focuses on various elements of security such as confidentiality, authenticity, integrity, vulnerability and continuity. The main areas that need to be focused upon for security testing are network security, system software security, client-side application security and server-side application security.
A basic security test: after a user logs out of the application, click the back button and verify whether the user is able to log in again.
During the development of an Oracle business mobile and web application, we came across a couple of security issues which we have highlighted in this document. The threats include data extraction during user login and unauthorized manipulation of the requests to and responses from the application. Manipulation of unauthorized access permissions in Android also leads to attacks such as BEAST and SWEET32.
Each topic in this document describes the problem in detail and also gives the steps to reproduce the issue and the solution that needs to be applied in order to avoid the vulnerability.
This document refers to Burp Suite, APK tool, Wireshark and Postman. These are some of the tools used in security testing scenarios, and one must possess strong knowledge of them.
01. An adversary obtains sensitive information by bypassing authentication description.
Description
The adversary converts the failure response into a success response and tries to log into the application.
Steps to Reproduce
Step - 1
Log in to the application with an invalid password and track the response using the Burp Suite tool.
Step - 2
Intercept using Burp Suite. The user is able to see the failure error in the response (viewable once you click on the Forward button).
Step - 3
Edit the failure response into a success response.
Step - 4
The session is invalidated as the token expires and the user gets logged out of the application.
Solution
This security breach is possible because the application does not implement proper mapping of the user to the corresponding accessibility privilege.
The application should:
1. Implement server-side mapping of the user to the respective accessibility.
2. Implement strong session management.
3. Log the user out if parameters are tampered with at any time.
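The solution above comes down to one design rule: the server, not the response body, decides whether a login succeeded. The following Python is an added example (not code from the whitepaper or from RapidValue) of a login handler and a protected endpoint built on that rule. The user table, the in-memory session store and the `get_profile` endpoint are all constructed for the example. `tampered_login_attempt` replays Step 3 of the whitepaper: the failure body is edited to say "success", but because no server-issued token exists, the protected endpoint still refuses the request.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stores: username -> (salt, PBKDF2 hash); token -> username.
# The session store is the only authority on "this client is logged in".
_USERS = {}
_SESSIONS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def login(username: str, password: str) -> dict:
    """Server-side login handler; returns the JSON body the client receives."""
    record = _USERS.get(username)
    if record is None:
        return {"status": "failure", "message": "Invalid username or password"}
    salt, expected = record
    # Constant-time comparison so response timing does not leak the result.
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return {"status": "failure", "message": "Invalid username or password"}
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username  # only a genuine success creates a session
    return {"status": "success", "token": token}


def get_profile(token: Optional[str]) -> dict:
    """Protected endpoint: consults the server-side session store only."""
    username = _SESSIONS.get(token) if token else None
    if username is None:
        return {"status": "failure", "message": "Authentication required"}
    return {"status": "success", "profile": {"username": username}}


def tampered_login_attempt(username: str, wrong_password: str) -> dict:
    """Step 3 of the whitepaper: the failure response is rewritten in the
    proxy to look like a success. The edited body carries no server-issued
    token, so the next request to a protected endpoint is still refused."""
    response = login(username, wrong_password)
    forged = dict(response, status="success")  # client-side edit only
    return get_profile(forged.get("token"))


if __name__ == "__main__":
    register("anooprv", "correct horse battery staple")  # constructed user
    print(login("anooprv", "wrong"))
    print(tampered_login_attempt("anooprv", "wrong"))
    ok = login("anooprv", "correct horse battery staple")
    print(get_profile(ok["token"]))
```

The point to check in a real application is the same one the example makes: every endpoint that returns user data must look the token up on the server side. A client that only inspects `status` in the login response, and then shows the dashboard, is the pattern that lets an edited response "log in".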
02. An adversary can access the application posing as a different user by parameter.
Description
In an insecure application, attackers can easily access or change the parameters exchanged between client and server. By changing one of the parameters, for example 'username', the adversary is able to access the application as a different user.
Steps to Reproduce
Step - 1
Log into the application using the credential 'anooprv'.
Step - 2
Turn on the intercept and catch the request using a tool (Burp Suite).
Step - 3
Copy the details, send it to Repeater and change the username parameter to 'sushil jain'.
Step - 4
Tap the 'Go' button and check whether a response is returned.
The user gets a response even after changing one of the parameters like 'username' for the same session, and the application gets logged in.
Solution
1. Implement proper mapping of users to their respective roles.
2. Hide all sensitive information.
3. Implement session management.
03. An adversary can access the application posing as a different user by parameter manipulation (horizontal escalation).
Description
This vulnerability is categorized under privilege escalation. There are two types of privilege escalation: vertical and horizontal. This type of security exploit is possible when the proper mapping of users to their accessibility privilege is not done.
• Vertical privilege escalation occurs when an attacker tries to gain higher privileges with regard to resources that are protected at a specific level; for example, a user with normal privileges in an application trying to gain admin access.
• Horizontal privilege escalation occurs when an attacker tries to gain the same privileges which he already possesses, but takes the identity of another user with the same set of privileges; for example, someone gaining access to another person's online bank account.
Steps to Reproduce
Step - 1
Install the Burp Suite tool on your machine and configure the proxy for the browser in which you are opening the application.
Step - 2
Turn the intercept on in Burp Suite and log into the application through the browser using any valid user. The request URL will be intercepted in Burp Suite.
Step - 3
Modify the username parameter from the 'logged in' user to any other valid user of the application and then switch the intercept off as given below. If it is modified to a user at the same privilege level, it is a horizontal privilege escalation. The example below depicts the same.
Step - 4
You are navigated to the modified user in the browser as shown below.
Solution
1. Implement server-side mapping, and restrict the resources applicable to each privilege level to that level only.
2. Implement strong session management so that the user is forced to log out if any parameter manipulation or tampering occurs.
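Threats 02 and 03 share one root cause: the server reads "who is asking" from a field the client controls. The Python below is an added example (not the whitepaper's code) showing the vulnerable handler beside the hardened one. In the hardened version the identity comes only from the server-side session that the token maps to, and the second handler adds the object-level check that stops a valid user reading another user's record. The session store, the two users and the `ORDERS` table are constructed for the example.

```python
from typing import Optional

# Constructed server-side state: two users at the same privilege level.
SESSIONS = {"tok-anoop": "anooprv", "tok-sushil": "sushiljain"}
ORDERS = {
    101: {"owner": "anooprv", "item": "laptop"},
    202: {"owner": "sushiljain", "item": "phone"},
}


def vulnerable_my_orders(request: dict) -> dict:
    """VULNERABLE: identity is taken from the request body, so changing
    'username' (Step 3 of threats 02 and 03) returns another user's data."""
    user = request["params"]["username"]
    rows = [o for o in ORDERS.values() if o["owner"] == user]
    return {"status": "success", "orders": rows}


def current_user(request: dict) -> Optional[str]:
    """Resolve identity only from the session token the server issued."""
    return SESSIONS.get(request.get("session_token"))


def hardened_my_orders(request: dict) -> dict:
    """Ignores any 'username' parameter; the session decides who you are."""
    user = current_user(request)
    if user is None:
        return {"status": "failure", "code": 401}
    rows = [o for o in ORDERS.values() if o["owner"] == user]
    return {"status": "success", "orders": rows}


def hardened_get_order(request: dict, order_id: int) -> dict:
    """Object-level check: even a valid session may only read its own order."""
    user = current_user(request)
    if user is None:
        return {"status": "failure", "code": 401}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same answer for 'missing' and 'not yours', so ids reveal nothing.
        return {"status": "failure", "code": 404}
    return {"status": "success", "order": order}


if __name__ == "__main__":
    # Anoop's session, but the body claims to be Sushil (horizontal escalation).
    tampered = {"session_token": "tok-anoop", "params": {"username": "sushiljain"}}
    print(vulnerable_my_orders(tampered))      # leaks Sushil's orders
    print(hardened_my_orders(tampered))        # only Anoop's orders
    print(hardened_get_order(tampered, 202))   # 404: not Anoop's order
```

When reviewing an application for this class of issue, search the handlers for any place a username, account id or role is read from the request and then used for a data lookup without being compared to the session's identity; each such place is a candidate for the test in Step 3.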
04. An adversary can obtain sensitive data using a direct URL without authentication.
Description
Authentication is a process that ensures and confirms the identity of a user. In some applications, authentication is not enabled and it is easy for an attacker to get the sensitive information. An adversary can directly type the URL in the address bar of the browser and access sensitive information without any authentication. A valid user login into the application is not necessary to get the sensitive information.
Steps to Reproduce
Step - 1
Log into the application with Username: 'ANOOPRV' and Password: '1234'.
Step - 2
Copy the login request URL and log out from the application.
Step - 3
Launch the Postman tool and enter the copied request URL in Postman.
Step - 4
Enter the request parameters and send the request in Postman without authentication.
Step - 5
Verify the response of the corresponding URL.
The above screenshot shows that sensitive information is directly accessible without authentication.
Solution
A URL should never contain sensitive or important information. Sensitive content should not be provided to the user without authentication, and the following solutions can be implemented in the application.
1. Session management - The application should check for a valid user login and verify whether the user is authorized to access the document being requested.
2. File path protection - This method keeps the documents in a folder that is not publicly accessible, and the document path is not displayed to the end user.
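Both parts of the solution (session check plus file path protection) can be seen together in the following Python, which is an added example and not code from the whitepaper. The document store is a temporary directory created by the example to stand in for a folder outside the web root; the session store and the document table (an opaque id mapped to an owner and a file name) are constructed. Replaying the URL without a session, as in Step 4, gets a 401 rather than the file, and a valid session still cannot reach another user's document or a file outside the private folder.

```python
import os
import tempfile
from typing import Optional

PRIVATE_DIR = tempfile.mkdtemp(prefix="private-docs-")  # not web-served
SESSIONS = {"tok-anoop": "anooprv"}                     # constructed session
DOCUMENTS = {  # opaque id -> metadata; the real path is never sent to clients
    "d1": {"owner": "anooprv", "filename": "statement.txt"},
    "d2": {"owner": "sushiljain", "filename": "payslip.txt"},
}

# Populate the constructed private store with two small files.
for _meta in DOCUMENTS.values():
    with open(os.path.join(PRIVATE_DIR, _meta["filename"]), "w") as _f:
        _f.write("confidential: " + _meta["filename"])


def current_user(session_token: Optional[str]) -> Optional[str]:
    return SESSIONS.get(session_token) if session_token else None


def download(session_token: Optional[str], doc_id: str) -> dict:
    """Document endpoint. Step 4 of the whitepaper replays the URL with no
    session; this handler answers 401 in that case instead of the file."""
    user = current_user(session_token)
    if user is None:
        return {"code": 401, "body": "authentication required"}
    meta = DOCUMENTS.get(doc_id)
    if meta is None or meta["owner"] != user:
        return {"code": 404, "body": "not found"}
    # Defence in depth: a bad filename in the table must not escape the folder.
    base = os.path.realpath(PRIVATE_DIR)
    path = os.path.realpath(os.path.join(base, meta["filename"]))
    if os.path.commonpath([path, base]) != base:
        return {"code": 404, "body": "not found"}
    with open(path) as f:
        return {"code": 200, "body": f.read()}


if __name__ == "__main__":
    print(download(None, "d1"))          # 401: direct URL without login
    print(download("tok-anoop", "d1"))   # 200: owner with a valid session
    print(download("tok-anoop", "d2"))   # 404: someone else's document
```

The id in the URL (`d1`) carries no path information, so there is nothing for a client to edit into a different file name, and the ownership check means guessing another id is not enough either.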
05. An adversary guesses passwords via automated password-guessing attacks.
Description
This is a brute-force attack tried against user accounts. In a brute-force attack, the attacker systematically checks all combinations of usernames and passwords with the intention of eventually logging into the application. There are many tools available for brute-force password cracking attacks such as Aircrack-ng, John the Ripper, RainbowCrack etc.
Steps to Reproduce
Step - 1
Open the application.
Step - 2
Enter a valid username and an invalid password in the respective fields.
Step - 3
Select the Login button. The application displays an error message, "The username or password you have entered is not correct."
Step - 4
Repeat steps 2 and 3 five times.
Step - 5
Enter a valid username and password in the respective fields.
Step - 6
Select the Login button. The verified user is able to log in.
The user should not be allowed to log into the application after a particular number of invalid login attempts.
Solution
1. Lock the user account temporarily for some time after approximately 5 invalid login attempts.
2. Implement a CAPTCHA mechanism on the login screen. A CAPTCHA (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether the user is human or not.
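The first item of the solution, a temporary lock after five failures, is shown in the following Python as an added example (not the whitepaper's code). The user table, the counter per account and the 15-minute lock duration are constructed assumptions; the clock is injectable so the lock window can be exercised in a test without waiting. Unlike the behaviour in Steps 5 and 6, a locked account rejects even the correct password until the window has passed.

```python
import hashlib
import hmac
import os
import time
from typing import Callable

MAX_FAILURES = 5            # whitepaper: approximately 5 invalid attempts
LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute temporary lock


class LoginGuard:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._users = {}         # username -> (salt, PBKDF2 hash)
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> unix time the lock ends

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt))

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'. A locked account rejects
        even the correct password until LOCKOUT_SECONDS have passed."""
        if self.is_locked(username):
            return "locked"
        record = self._users.get(username)
        # Hash even for unknown users so timing does not reveal valid names.
        salt, expected = record if record else (b"\0" * 16, b"")
        good = record is not None and hmac.compare_digest(
            self._digest(password, salt), expected)
        if good:
            self._failures.pop(username, None)  # success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        return "invalid"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("anooprv", "S3cure!pass")  # constructed credentials
    for _ in range(5):
        print(guard.login("anooprv", "1234"))  # invalid x4, then locked
    print(guard.login("anooprv", "S3cure!pass"))  # locked until the window ends
```

One caveat a tester should raise alongside this control: an account lock keyed only on the username lets anyone lock a victim out by sending five wrong passwords, so production systems usually pair it with per-source-IP throttling or a CAPTCHA (the whitepaper's second item) rather than relying on the lock alone.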
06. No OTP functionality present on login page.
Description
At present, strong passwords are not mandatory for various applications. This allows hackers to easily access the application by guessing or by other methods. In order to provide an additional layer of security, it is essential to use OTP or another login security mechanism.
Solution
Deploy a multi-factor authentication mechanism such as fingerprint scan, OTP generation, physical token etc.
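The OTP generation the solution calls for is usually a time-based one-time password (TOTP, RFC 6238: HMAC-SHA1 over a 30-second counter, truncated to 6 digits). The Python below is an added example, not code from the whitepaper, of both the generator and the server-side verifier. The verifier accepts one step of clock skew either side and records the last step it accepted, so a code captured in transit cannot be replayed within its validity window. The shared secret is assumed to be provisioned to the user out of band; the one in the test is the RFC 6238 reference secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce modulo 10^DIGITS and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check: accepts the current step +/- skew_steps and keeps
    the last accepted step so the same code is never accepted twice."""

    def __init__(self, secret: bytes, skew_steps: int = 1) -> None:
        self._secret = secret
        self._skew = skew_steps
        self._last_step = -1

    def verify(self, code: str, unix_time: Optional[float] = None) -> bool:
        now = unix_time if unix_time is not None else time.time()
        now_step = int(now) // STEP_SECONDS
        for step in range(now_step - self._skew, now_step + self._skew + 1):
            if step <= self._last_step:
                continue  # already used, or older than an accepted code
            if hmac.compare_digest(hotp(self._secret, step), code):
                self._last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference secret, for demo only
    verifier = TotpVerifier(secret)
    code = totp(secret, time.time())
    print(code, verifier.verify(code))   # True
    print(code, verifier.verify(code))   # False: replay refused
```

The second factor only helps if the server enforces it: the login flow should not issue the session token until both the password and `verify()` have passed, and the replay check needs to be stored per user on the server, not in the client.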
07. A local adversary can misuse authenticated sessions due to a high session-inactivity period.
Description
If the application does not have a session expiration time, or if the session timeout period is too long, then the attacker can access the sessions and get the information.
Steps to Reproduce
Step - 1
Launch the application with a valid username and password.
Step - 2
Do not perform any changes on the application (after 30 minutes have passed).
Step - 3
It was observed that if the session is not terminated, the attacker can easily get access to the application.
Solution
Add a session expiration time for the inactive period. Normally 30 minutes is the session expiration period.
With the fix in place, the steps above behave as follows:
Step 1 – Launch the app and log in with a valid username and password.
Step 2 – Do not perform any changes on the application (after 30 minutes have passed).
Step 3 – The user gets logged out.
08. An adversary can use IPC activity for unauthorized access to the application.
Description
The Inter Application Communication (IAC) model in Android is an inter-process communication or message-passing system through which an app can utilize the functionality of another app. For example, an app can send a message to a navigation app to display a location. The snippet below from the Android manifest shows a broadcast receiver that is explicitly exported, leaving it accessible to any other application.
Steps to Reproduce
Decompile the Android manifest file using 'apktool' and then open it in the Notepad++ editor. A broadcast receiver is found in the XML file as highlighted below.
Solution
Do not use IPC, as it can be accessed by all third-party applications on the device. Set the attribute to [exported="false"], which implies that the receiver is intended only for the application's internal use, or define a signature protection level permission in the Android manifest file as given below.
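The manual inspection in the step above can be automated. The Python below is an added example, not code from the whitepaper, that parses a decompiled AndroidManifest.xml and reports every broadcast receiver reachable by other apps: one that is exported (explicitly, or implicitly because it declares an intent-filter without an `android:exported` attribute) and is not guarded by a permission whose `protectionLevel` is signature-based. The manifest embedded in the script is constructed for the example and is not the manifest from the whitepaper; it contains one receiver in each of the states the solution describes.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # Clark-notation prefix for android:* attributes

# Constructed manifest: one receiver wide open, one internal, one gated by a
# signature-level permission, one implicitly exported via an intent-filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.app">
  <permission android:name="com.example.app.permission.INTERNAL"
              android:protectionLevel="signature" />
  <application>
    <receiver android:name=".SyncReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.app.SYNC" /></intent-filter>
    </receiver>
    <receiver android:name=".LocalReceiver" android:exported="false" />
    <receiver android:name=".PartnerReceiver" android:exported="true"
              android:permission="com.example.app.permission.INTERNAL" />
    <receiver android:name=".ImplicitReceiver">
      <intent-filter><action android:name="com.example.app.PING" /></intent-filter>
    </receiver>
  </application>
</manifest>
""" % ANDROID_NS


def signature_permissions(root: ET.Element) -> Set[str]:
    """Names of <permission> entries whose protectionLevel is signature-based."""
    return {
        p.get(A + "name")
        for p in root.iter("permission")
        if (p.get(A + "protectionLevel") or "").startswith("signature")
    }


def is_exported(receiver: ET.Element) -> bool:
    """An explicit android:exported wins; otherwise a receiver that declares
    an intent-filter is exported by default."""
    explicit = receiver.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return receiver.find("intent-filter") is not None


def audit_receivers(manifest_xml: str) -> List[str]:
    """Returns the names of receivers any third-party app could send to."""
    root = ET.fromstring(manifest_xml)
    trusted = signature_permissions(root)
    findings = []
    for r in root.iter("receiver"):
        if not is_exported(r):
            continue
        if r.get(A + "permission") in trusted:
            continue  # only apps signed with the same key can reach it
        findings.append(r.get(A + "name"))
    return findings


if __name__ == "__main__":
    for name in audit_receivers(SAMPLE_MANIFEST):
        print("exported without signature permission:", name)
```

The same walk applies to `<activity>`, `<service>` and `<provider>` elements. Note that apps targeting Android 12 or later must declare `android:exported` explicitly on any component with an intent-filter, so the implicit case in the example mainly matters for older targets.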
09. Adversary hijacks sessions as the session is not invalidated on logging out.
Description
A session token is assigned to the 'logged in' user while logging into the application. Using this session token, the user's session is identified until logout. This session token should be properly invalidated when the user logs out from the application; otherwise any adversary can hijack the user's session using this session token.
Steps to Reproduce
Step - 1
Launch and log into the application using valid credentials.
Step - 2
Access any page and capture the request using the Burp tool.
Step - 3
Send the request to Repeater.
Step - 4
Log out from the application.
Step - 5
Go to Repeater, select the "Go" button and verify the server response for the requested page.
Solution
The session should be invalidated once the user logs out of the application. Also, the session should be invalidated after a certain period of time.
10. The application does not invalidate the session on closing the application.
Description
The session id is the way authenticated user identities are tracked for a specific application, and it is maintained at the server side. Sometimes, the session remains active if the application is closed without logging out or when a mobile application goes into the background. Therefore, if any adversary gets unauthorized access to the phone, they can perform malicious operations.
Steps to Reproduce
Step - 1
Log into the application and navigate to any page.
Step - 2
Close the application without logging out.
Step - 3
Try to open the same URL again in the browser (if it is a mobile application, after the application is put into the background, bring it back to the foreground).
Step - 4
The session remains active and the user can see the information on the page.
Solution
1. Ensure that the session is invalidated or made inactive at the server side as soon as the user logs out of the application.
2. Explicitly inactivate the session; do not wait for the garbage collector or cookie expiration.
3. If it is a mobile app, do not allow it to run in the background. Forcefully log out of the application when it is moved to the background.
Below is an Android code snippet example.
For iOS, this is done by implementing the app delegate method 'applicationDidEnterBackground' to forcefully terminate the user session at the server.
11. The application has a weak password policy.
Description
An application with a weak password policy is susceptible to attack. The major form of attack that can occur is password guessing.
Users tend to use their own name, username, address, phone number, hobbies, pet's name etc. as their password so that it can be easily remembered.
If an intruder has access to the server and executes the Finger utility command, he/she would be able to retrieve all the information about the users on the server. This command can be executed from the command prompt.
The screenshot below shows how the password is viewable in the request, and you can conclude that the password is the same as the username and is a weak one.
Solution
Only the admin must have access to execute the Finger command on the server, and by default avoid executing the command. Implement a strong password policy which takes into account the criteria mentioned below.
1. Password must have a minimum of 8 characters.
2. Password must not contain any personal information.
3. Must be different from the last passwords used in the system. Enforce password history logic.
4. Words must not be spelled completely.
5. Password must contain characters from all four primary categories: uppercase and lowercase letters, numbers, and special characters.
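The five criteria above can be enforced at the point where a password is set. The Python below is an added example, not the whitepaper's code, of such a check: it returns the list of rules a candidate password violates, so the application can show the user every problem at once. The personal-information rule is checked against a profile dictionary, the history rule against salted PBKDF2 hashes of the last five passwords (old passwords are never kept in clear), and the dictionary rule against a small word list. The profile, the word list and the history size are constructed assumptions.

```python
import hashlib
import os
import re
from typing import List, Tuple

MIN_LENGTH = 8
HISTORY_SIZE = 5  # assumption: remember the last five passwords
# Constructed word list; a deployment would load a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "oracle", "admin"}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(history: List[Tuple[bytes, bytes]], password: str) -> None:
    """Append a salted hash of the new password and drop the oldest entries."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_SIZE]


def check_password(password: str, profile: dict,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Returns the violated rules; an empty list means the password passes."""
    problems = []
    lowered = password.lower().replace(" ", "")

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Rule 2: username, name, phone, pet etc. must not appear in the password.
    for field, value in profile.items():
        token = str(value).lower().replace(" ", "")
        if len(token) >= 3 and token in lowered:
            problems.append("contains personal information (%s)" % field)

    # Rule 3: not one of the previous passwords (compared via salted hashes).
    if any(_digest(password, salt) == old for salt, old in history):
        problems.append("matches a previous password")

    # Rule 4: no complete dictionary word, even with other characters around it.
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a complete dictionary word")

    # Rule 5: all four character categories present.
    categories = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in categories):
        problems.append("needs upper, lower, digit and special characters")

    return problems


if __name__ == "__main__":
    # Constructed profile and history for the demo.
    profile = {"username": "anooprv", "name": "Anoop RV",
               "phone": "9876543210", "pet": "Bruno"}
    history = []
    remember(history, "Old!Pass#2017")
    for candidate in ["anooprv", "Welcome#2018", "Old!Pass#2017", "Tq7#vR9!pL2k"]:
        print(candidate, "->", check_password(candidate, profile, history) or "ok")
```

The screenshot case in the description, a password equal to the username, fails rules 1, 2 and 5 at once. A length check alone would not have caught a longer username, which is why the personal-information rule compares against the profile rather than a fixed list.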
12. The application allows concurrent user logins.
Description
Some applications allow concurrent user logins for the same account. The user can have multiple sessions active at the same time from different browsers or machines. If the user needs to open the account in different browsers or on different machines, you need to implement concurrency in authentication. The concurrency in authentication has to be application specific.
The issue with concurrent authentication is that the logged-in user is not aware of his/her account being accessed by others.
Steps to Reproduce
Step - 1
Consider the online SBI application: log in with the proper username and password.
Step - 2
Again, log into the account from a different browser or machine.
Solution
Concurrent logins should not be allowed.
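Threats 07, 09, 10 and 12 are all properties of one server-side component, the session store, so they are shown together here in one Python session manager. This is an added example and not code from the whitepaper: it applies the 30-minute inactivity timeout from threat 07, invalidates the token on logout for threat 09, offers an endpoint the mobile client calls from its background handler for threat 10, and for threat 12 revokes any existing session of an account when that account logs in again, so a single session stays active. The 8-hour absolute cap and the in-memory storage are assumptions; the clock is injectable so the timeouts can be exercised without waiting.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60          # whitepaper: 30 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumption: hard cap regardless of activity


class SessionManager:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, dict] = {}     # token -> user, created, last_seen
        self._active_token: Dict[str, str] = {}  # user -> the one live token

    def login(self, user: str) -> str:
        """Called after credentials were verified. Threat 12: any existing
        session for the same account is revoked so only one stays active."""
        old = self._active_token.get(user)
        if old is not None:
            self._sessions.pop(old, None)
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        self._active_token[user] = token
        return token

    def user_for(self, token: Optional[str]) -> Optional[str]:
        """Validate on every request and refresh the idle timer. Threat 07:
        a session idle for more than IDLE_TIMEOUT is dropped server-side."""
        s = self._sessions.get(token) if token else None
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.logout(token)
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: Optional[str]) -> None:
        """Threat 09: invalidate on the server, not just by clearing the
        client's cookie, so a captured token stops working immediately."""
        s = self._sessions.pop(token, None)
        if s is not None and self._active_token.get(s["user"]) == token:
            del self._active_token[s["user"]]

    def app_backgrounded(self, token: Optional[str]) -> None:
        """Threat 10: the mobile client reports that it left the foreground
        (for example from applicationDidEnterBackground on iOS) and the
        server ends the session instead of waiting for expiry."""
        self.logout(token)


if __name__ == "__main__":
    sm = SessionManager()
    first = sm.login("anooprv")          # browser 1
    second = sm.login("anooprv")         # browser 2 (threat 12)
    print(sm.user_for(first), sm.user_for(second))  # None anooprv
    sm.logout(second)
    print(sm.user_for(second))           # None (threat 09)
```

A practical check for each threat follows directly from the class: replay a captured request after `logout()` (threat 09) or after 30 idle minutes (threat 07) and confirm the server answers as if no session existed; log in from a second browser and confirm the first one is signed out (threat 12).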
Conclusion
The application layer is always the hardest to defend against security threats. The vulnerabilities present here usually depend on the input given by the user. This layer is also the most accessible one and the most exposed to the outside world. Hence, we would always need to give utmost importance to the authentication part of an application and prevent malicious attacks. This case study covers only a part of the attacks that can happen against an application's authentication.
Authors
Bipin M Nair, Senior Software Test Engineer, RapidValue Solutions
Soniya Varghese, Senior Software Test Engineer, RapidValue Solutions
Rosu Antu, Software Test Engineer, RapidValue Solutions
Rahul RS, Senior Software Test Engineer, RapidValue Solutions
Neena Elizabeth Varghese, Software Test Engineer, RapidValue Solutions
If you'd like to know more about Security Testing, please reach out to us at contactus@rapidvaluesolutions.com. We'd be happy to hear from you!
Disclaimer:
This document contains information that is confidential and proprietary to RapidValue Solutions Inc. No part of it may be used, circulated, quoted, or reproduced for distribution outside RapidValue. If you are not the intended recipient of this report, you are hereby notified that the use, circulation, quoting, or reproducing of this report is strictly prohibited and may be unlawful.
About RapidValue
A global leader in digital transformation for enterprises, providing end-to-end mobility, omni-channel, IoT and cloud solutions. Armed with a large team of experts in consulting, UX design, application development, integration and testing, along with experience delivering projects worldwide in mobility and cloud, we offer a wide range of services across industry verticals. We deliver services to the world's top brands, Fortune 1000 companies, multinational companies and emerging start-ups. We have offices in the United States, the United Kingdom and India.
www.rapidvaluesolutions.com
+1 877.643.1850
www.rapidvaluesolutions.com/blog
contactus@rapidvaluesolutions.com
©RapidValue Solutions July, 2018

Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
AbedElilahElmahmoumP1.pptx
AbedElilahElmahmoumP1.pptxAbedElilahElmahmoumP1.pptx
AbedElilahElmahmoumP1.pptx
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
 
Unisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_finalUnisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_final
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 
Security Testing of Online Stores and Banking Applications
Security Testing of Online Stores and Banking ApplicationsSecurity Testing of Online Stores and Banking Applications
Security Testing of Online Stores and Banking Applications
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
 
Ownux global July 2023.pdf
Ownux global July 2023.pdfOwnux global July 2023.pdf
Ownux global July 2023.pdf
 
Abstraction and Automation: A Software Design Approach for Developing Secure ...
Abstraction and Automation: A Software Design Approach for Developing Secure ...Abstraction and Automation: A Software Design Approach for Developing Secure ...
Abstraction and Automation: A Software Design Approach for Developing Secure ...
 

More from RapidValue

How to Build a Micro-Application using Single-Spa
How to Build a Micro-Application using Single-SpaHow to Build a Micro-Application using Single-Spa
How to Build a Micro-Application using Single-SpaRapidValue
 
Play with Jenkins Pipeline
Play with Jenkins PipelinePlay with Jenkins Pipeline
Play with Jenkins PipelineRapidValue
 
Accessibility Testing using Axe
Accessibility Testing using AxeAccessibility Testing using Axe
Accessibility Testing using AxeRapidValue
 
Guide to Generate Extent Report in Kotlin
Guide to Generate Extent Report in KotlinGuide to Generate Extent Report in Kotlin
Guide to Generate Extent Report in KotlinRapidValue
 
Automation in Digital Cloud Labs
Automation in Digital Cloud LabsAutomation in Digital Cloud Labs
Automation in Digital Cloud LabsRapidValue
 
Microservices Architecture - Top Trends & Key Business Benefits
Microservices Architecture -  Top Trends & Key Business BenefitsMicroservices Architecture -  Top Trends & Key Business Benefits
Microservices Architecture - Top Trends & Key Business BenefitsRapidValue
 
Uploading Data Using Oracle Web ADI
Uploading Data Using Oracle Web ADIUploading Data Using Oracle Web ADI
Uploading Data Using Oracle Web ADIRapidValue
 
Appium Automation with Kotlin
Appium Automation with KotlinAppium Automation with Kotlin
Appium Automation with KotlinRapidValue
 
Build UI of the Future with React 360
Build UI of the Future with React 360Build UI of the Future with React 360
Build UI of the Future with React 360RapidValue
 
Python Google Cloud Function with CORS
Python Google Cloud Function with CORSPython Google Cloud Function with CORS
Python Google Cloud Function with CORSRapidValue
 
Real-time Automation Result in Slack Channel
Real-time Automation Result in Slack ChannelReal-time Automation Result in Slack Channel
Real-time Automation Result in Slack ChannelRapidValue
 
Automation Testing with KATALON Cucumber BDD
Automation Testing with KATALON Cucumber BDDAutomation Testing with KATALON Cucumber BDD
Automation Testing with KATALON Cucumber BDDRapidValue
 
How to Implement Micro Frontend Architecture using Angular Framework
How to Implement Micro Frontend Architecture using Angular FrameworkHow to Implement Micro Frontend Architecture using Angular Framework
How to Implement Micro Frontend Architecture using Angular FrameworkRapidValue
 
Video Recording of Selenium Automation Flows
Video Recording of Selenium Automation FlowsVideo Recording of Selenium Automation Flows
Video Recording of Selenium Automation FlowsRapidValue
 
JMeter JMX Script Creation via BlazeMeter
JMeter JMX Script Creation via BlazeMeterJMeter JMX Script Creation via BlazeMeter
JMeter JMX Script Creation via BlazeMeterRapidValue
 
Migration to Extent Report 4
Migration to Extent Report 4Migration to Extent Report 4
Migration to Extent Report 4RapidValue
 
The Definitive Guide to Implementing Shift Left Testing in QA
The Definitive Guide to Implementing Shift Left Testing in QAThe Definitive Guide to Implementing Shift Left Testing in QA
The Definitive Guide to Implementing Shift Left Testing in QARapidValue
 
Data Seeding via Parameterized API Requests
Data Seeding via Parameterized API RequestsData Seeding via Parameterized API Requests
Data Seeding via Parameterized API RequestsRapidValue
 
Test Case Creation in Katalon Studio
Test Case Creation in Katalon StudioTest Case Creation in Katalon Studio
Test Case Creation in Katalon StudioRapidValue
 
How to Perform Memory Leak Test Using Valgrind
How to Perform Memory Leak Test Using ValgrindHow to Perform Memory Leak Test Using Valgrind
How to Perform Memory Leak Test Using ValgrindRapidValue
 

More from RapidValue (20)

How to Build a Micro-Application using Single-Spa
How to Build a Micro-Application using Single-SpaHow to Build a Micro-Application using Single-Spa
How to Build a Micro-Application using Single-Spa
 
Play with Jenkins Pipeline
Play with Jenkins PipelinePlay with Jenkins Pipeline
Play with Jenkins Pipeline
 
Accessibility Testing using Axe
Accessibility Testing using AxeAccessibility Testing using Axe
Accessibility Testing using Axe
 
Guide to Generate Extent Report in Kotlin
Guide to Generate Extent Report in KotlinGuide to Generate Extent Report in Kotlin
Guide to Generate Extent Report in Kotlin
 
Automation in Digital Cloud Labs
Automation in Digital Cloud LabsAutomation in Digital Cloud Labs
Automation in Digital Cloud Labs
 
Microservices Architecture - Top Trends & Key Business Benefits
Microservices Architecture -  Top Trends & Key Business BenefitsMicroservices Architecture -  Top Trends & Key Business Benefits
Microservices Architecture - Top Trends & Key Business Benefits
 
Uploading Data Using Oracle Web ADI
Uploading Data Using Oracle Web ADIUploading Data Using Oracle Web ADI
Uploading Data Using Oracle Web ADI
 
Appium Automation with Kotlin
Appium Automation with KotlinAppium Automation with Kotlin
Appium Automation with Kotlin
 
Build UI of the Future with React 360
Build UI of the Future with React 360Build UI of the Future with React 360
Build UI of the Future with React 360
 
Python Google Cloud Function with CORS
Python Google Cloud Function with CORSPython Google Cloud Function with CORS
Python Google Cloud Function with CORS
 
Real-time Automation Result in Slack Channel
Real-time Automation Result in Slack ChannelReal-time Automation Result in Slack Channel
Real-time Automation Result in Slack Channel
 
Automation Testing with KATALON Cucumber BDD
Automation Testing with KATALON Cucumber BDDAutomation Testing with KATALON Cucumber BDD
Automation Testing with KATALON Cucumber BDD
 
How to Implement Micro Frontend Architecture using Angular Framework
How to Implement Micro Frontend Architecture using Angular FrameworkHow to Implement Micro Frontend Architecture using Angular Framework
How to Implement Micro Frontend Architecture using Angular Framework
 
Video Recording of Selenium Automation Flows
Video Recording of Selenium Automation FlowsVideo Recording of Selenium Automation Flows
Video Recording of Selenium Automation Flows
 
JMeter JMX Script Creation via BlazeMeter
JMeter JMX Script Creation via BlazeMeterJMeter JMX Script Creation via BlazeMeter
JMeter JMX Script Creation via BlazeMeter
 
Migration to Extent Report 4
Migration to Extent Report 4Migration to Extent Report 4
Migration to Extent Report 4
 
The Definitive Guide to Implementing Shift Left Testing in QA
The Definitive Guide to Implementing Shift Left Testing in QAThe Definitive Guide to Implementing Shift Left Testing in QA
The Definitive Guide to Implementing Shift Left Testing in QA
 
Data Seeding via Parameterized API Requests
Data Seeding via Parameterized API RequestsData Seeding via Parameterized API Requests
Data Seeding via Parameterized API Requests
 
Test Case Creation in Katalon Studio
Test Case Creation in Katalon StudioTest Case Creation in Katalon Studio
Test Case Creation in Katalon Studio
 
How to Perform Memory Leak Test Using Valgrind
How to Perform Memory Leak Test Using ValgrindHow to Perform Memory Leak Test Using Valgrind
How to Perform Memory Leak Test Using Valgrind
 

Recently uploaded

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...Sri Ambati
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Product School
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 

Recently uploaded (20)

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Ransomware Mallox [EN].pdf
Ransomware         Mallox       [EN].pdfRansomware         Mallox       [EN].pdf
Ransomware Mallox [EN].pdf
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 

Security Testing In Application Authentication

  • 4. Introduction

  You come across testing of different web and mobile applications; it can be feature testing, automation testing or a blend of both. In the present scenario, where all business transactions and data transfers are done over the internet, data confidentiality, integrity and availability are of utmost importance. Hence, the application also needs to be tested for security threats.

  Security testing is a branch of software testing that ensures the proper and flawless working of an application. It focuses on various elements of security such as confidentiality, authenticity, integrity, vulnerability and continuity. The main areas to focus on for security testing are network security, system software security, client-side application security and server-side application security. A basic security test is the scenario where a user logs out of the application and clicks the back button, and the tester verifies whether the user is able to log in again.

  During the development of an Oracle business mobile and web application, we came across a couple of security issues, which we have highlighted in this document. The threats include data extraction during user login and unauthorized manipulation of the requests and responses of the application. Manipulation of unauthorized access permissions in Android can also lead to attacks such as BEAST and SWEET32.

  Each topic in this document describes the problem in detail, lists the steps to reproduce the issue, and gives the solution that needs to be applied in order to avoid the vulnerability. This document refers to Burp Suite, APKTool, Wireshark and Postman; these are some of the tools used in security testing scenarios, and one must possess strong knowledge of them.
  • 5. Security Threats

  01 An adversary obtains sensitive information by bypassing authentication.

  Description
  The adversary converts the failure response into a success response and tries to log into the application.

  Steps to Reproduce
  Step - 1 Log into the application with an invalid password and track the response using the Burp Suite tool.
  Step - 2 Intercept the request using Burp Suite. The user is able to see the failure error in the response (viewable once you click the Forward button).
  Step - 3 Edit the failure response into a success response.

  • 6. Step - 4 The session is invalidated as the token expires, and the user gets logged out of the application.

  Solution
  This security breach is possible because the application does not implement proper mapping of the user to the corresponding access privilege. The application should:
  1. Implement server-side mapping of the user to the respective access privilege.
  2. Implement strong session management.
  3. Log the user out if parameters are tampered with at any time.
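The defence against an edited login response is that the server, not the client, is the only place a session can come from. The following Python example is added here to illustrate that; it is not code from the whitepaper or from the application it describes. The names USERS, SESSIONS, login, authorize, get_account and tampered_login, the session lifetime and the sample credentials are all constructed for the example.

```python
"""Server-authoritative login and session handling (added illustration, not the
whitepaper's own code). USERS, SESSIONS and the function names are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 900  # seconds of validity for an issued token (constructed value)
_SALT = b"constructed-salt-for-demo"  # a real system stores a random salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


# Constructed user record; the account name is the one used in the whitepaper.
USERS = {"anooprv": _hash_password("correct horse battery")}
# token -> {"user": ..., "expires": ...}; this store exists only on the server
SESSIONS: dict = {}


def login(username: str, password: str, now: Optional[float] = None) -> dict:
    """Only the server decides whether a login succeeded: a token is minted here or nowhere."""
    now = time.time() if now is None else now
    supplied = _hash_password(password)  # always hash, so unknown users cost the same time
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return {"status": "failure", "message": "invalid credentials"}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL}
    return {"status": "success", "token": token}


def authorize(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to a live token, or None. Expired tokens are dropped (step 4)."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token) if token else None
    if session is None:
        return None
    if now >= session["expires"]:
        del SESSIONS[token]
        return None
    return session["user"]


def get_account(token: Optional[str], now: Optional[float] = None) -> dict:
    """Protected endpoint: every request is re-checked against the server-side session store."""
    user = authorize(token, now)
    if user is None:
        return {"code": 401, "body": "authentication required"}
    return {"code": 200, "body": f"account data for {user}"}


def tampered_login(username: str, wrong_password: str) -> dict:
    """Model the Burp scenario: the intercepted failure response is rewritten as a success.
    The rewrite happens on the client, so no server-side session exists behind it."""
    response = login(username, wrong_password)
    forged = dict(response, status="success")  # what the client now believes it received
    return get_account(forged.get("token"))  # no token was ever issued, so this is refused
```

The point to test for is the one the last function models: after a rewritten "success" response, the next request to a protected endpoint must still be refused, because the server never issued a token. The same `authorize` check also produces the behaviour in step 4, where an expired token logs the user out.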
  • 7. 02 An adversary can access the application posing as a different user by parameter.

  Description
  In an insecure application, attackers can easily access or change the parameters exchanged between client and server. By changing one of the parameters, for example 'username', the adversary is able to access the application as a different user.

  Steps to Reproduce
  Step - 1 Log into the application using the credential 'anooprv'.

  • 8. Step - 2 Turn on the intercept and catch the request using a tool (Burp Suite).
  Step - 3 Copy the details, send them to Repeater and change the username parameter to 'sushil jain'.

  • 9. Step - 4 Click the 'Go' button and check whether a response is returned. The user receives the response even after changing a parameter such as 'username' within the same session, and the application logs in.

  Solution
  1. Implement proper mapping of users to their respective roles.
  2. Hide all sensitive information.
  3. Implement session management.
  • 10. 03 An adversary can access the application posing as a different user by parameter manipulation (horizontal escalation).

  Description
  This vulnerability is categorized under privilege escalation. There are two types of privilege escalation: vertical and horizontal. This type of exploit is possible when the proper mapping of users to their access privileges is not done.
  •• Vertical privilege escalation occurs when an attacker tries to gain higher privileges with regard to resources that are protected at a specific level; for example, a user with normal privileges in an application trying to gain admin access.
  •• Horizontal privilege escalation occurs when an attacker gains the same privileges which he already possesses, but takes the identity of another user with the same set of privileges; for example, someone gaining access to another person's online bank account.

  Steps to Reproduce
  Step - 1 Install the Burp Suite tool on your machine and configure the proxy for the browser in which you are opening the application.
  Step - 2 Turn the intercept on in Burp Suite and log into the application through the browser using any valid user. The URL will be intercepted in Burp Suite.

  • 11. Step - 3 Modify the username parameter from the logged-in user to any other valid user of the application, and then switch the intercept off, as shown in the screenshot. If it is modified to a user at the same privilege level, this is a horizontal privilege escalation; the example shows this case.

  • 12. Step - 4 You are navigated to the modified user in the browser, as shown in the screenshot.

  Solution
  1. Implement server-side mapping, and restrict the resources applicable to each privilege level to that level only.
  2. Implement strong session management so that the user is forced to log out if any parameter manipulation or tampering occurs.
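Threats 02 and 03 share one root cause: the application takes the user's identity from a request parameter instead of from the server-side session. The Python example below is added for both threats and is not code from the whitepaper; it puts the vulnerable handler beside a hardened one that derives user and role from the session, invalidates the session when the parameter disagrees with it (solution 2 of threat 03), and checks role before serving a resource of a higher privilege level. SESSIONS, PROFILES, ADMIN_PANEL, the tokens and the handler names are constructed for the example.

```python
"""Identity and role are taken from the server-side session, never from the request
(added illustration; SESSIONS, PROFILES and the handler names are assumptions)."""
from typing import Optional

# Constructed session store: token -> identity and role established at login.
SESSIONS = {
    "tok-anoop": {"user": "anooprv", "role": "user"},
    "tok-sushil": {"user": "sushil jain", "role": "user"},
    "tok-admin": {"user": "admin", "role": "admin"},
}
# Constructed per-user data (visible to its owner only) and an admin-only resource.
PROFILES = {
    "anooprv": "profile of anooprv",
    "sushil jain": "profile of sushil jain",
    "admin": "profile of admin",
}
ADMIN_PANEL = "admin panel contents"


def vulnerable_profile(request: dict) -> dict:
    """The weakness the whitepaper reproduces: the 'username' parameter is trusted as-is,
    so swapping it for another valid user returns that user's data (horizontal escalation)."""
    user = request["params"].get("username")
    if user not in PROFILES:
        return {"code": 404}
    return {"code": 200, "body": PROFILES[user]}


def _session_for(request: dict) -> Optional[dict]:
    return SESSIONS.get(request.get("token"))


def hardened_profile(request: dict) -> dict:
    """Server-side mapping: the user comes from the session. A 'username' parameter that
    disagrees with the session is treated as tampering and the session is destroyed,
    which forces a fresh login."""
    session = _session_for(request)
    if session is None:
        return {"code": 401}
    claimed = request["params"].get("username")
    if claimed is not None and claimed != session["user"]:
        SESSIONS.pop(request["token"], None)
        return {"code": 403, "body": "parameter tampering detected; session invalidated"}
    return {"code": 200, "body": PROFILES[session["user"]]}


def hardened_admin_panel(request: dict) -> dict:
    """Resources of a privilege level are checked against the session's role, not against
    anything in the request, which blocks vertical escalation."""
    session = _session_for(request)
    if session is None:
        return {"code": 401}
    if session["role"] != "admin":
        return {"code": 403}
    return {"code": 200, "body": ADMIN_PANEL}
```

When testing the hardened handler with Burp as the whitepaper describes, the expected observation is the inverse of step 4: a modified username yields a 403 and the next request with the same token yields a 401, because the session was dropped server-side.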
  • 13. Security Testing In Application Authentication Step - 1 Log into the application with Username: ‘ANOOPRV’ and Password: ’1234’. Step - 2 Copy the login request URL and log out from the application. Step - 3 Launch Postman tool and enter the copied request URL in Postman tool. An adversary can obtain sensitive data using a direct URL without authentication. 04 Description Authentication is a process that ensures and confirms identity of a user. In some applications, authentication is not enabled and it is easy for the attacker to get the sensitive information. An adversary can directly type the URL in the address bar of the browser and sensitive information can be accessed without any authentication. A valid user login into the application is not necessary to get the sensitive information. Steps to Reproduce 11 ©RapidValue Solutions SECURITY TESTING IN APPLICATION AUTHENTICATION
Step - 4 Enter the request parameters and send the request in Postman without authentication.
Step - 5 Verify the response to the corresponding URL. The screenshot shows that sensitive information is directly accessible without authentication.

Solution
The URL should never contain sensitive or important information. Sensitive content should not be provided to the user without authentication, and the following solutions can be implemented in the application.
1. Session management - The application should check for a valid user login and verify whether the user is authorized to access the document being requested.
2. File path protection - Keep documents in a folder that is not publicly accessible, so that the document path is never shown to the end user.
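The server-side checks recommended in solutions 03 and 04 (identity taken from the session rather than from a request parameter, an ownership check before the document is served, and documents kept outside the web root and addressed by an opaque id), as an added Python example that is not part of the whitepaper. The in-memory session store, the document ownership table and the temporary document directory are constructed for the example; the insecure handler is included only to show the behaviour the whitepaper describes.

```python
import os
import secrets
import tempfile
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: token -> username.
# Assumption: a real application keeps this in a server-side store (database, Redis).
SESSIONS: Dict[str, str] = {}

# Constructed ownership table: document id -> owner username.
DOCUMENT_OWNERS = {"doc-1": "ANOOPRV", "doc-2": "OTHERUSER"}

# Documents live in a directory that is NOT under the web root, so the path never
# appears in a URL; clients only ever send an opaque document id.
DOC_ROOT = tempfile.mkdtemp(prefix="private-docs-")
for _doc_id, _owner in DOCUMENT_OWNERS.items():
    with open(os.path.join(DOC_ROOT, _doc_id + ".txt"), "w") as _fh:
        _fh.write(f"statement for {_owner}")


def login(username: str) -> str:
    """Create a server-side session and return its opaque token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def logout(token: str) -> None:
    """Forget the session on the server side."""
    SESSIONS.pop(token, None)


def fetch_document_vulnerable(params: dict) -> Tuple[int, str]:
    """Insecure pattern: trusts the client-supplied 'username' parameter and
    never checks for a session, so anyone can read any document by editing
    the request (threats 03 and 04 in the whitepaper)."""
    username = params.get("username")
    doc_id = params.get("doc", "")
    if DOCUMENT_OWNERS.get(doc_id) != username:
        return 403, "forbidden"
    with open(os.path.join(DOC_ROOT, doc_id + ".txt")) as fh:
        return 200, fh.read()


def fetch_document_secure(token: Optional[str], params: dict) -> Tuple[int, str]:
    """Hardened pattern: identity comes only from the session, then ownership
    of the requested document is verified before anything is returned."""
    username = SESSIONS.get(token or "")
    if username is None:
        return 401, "authentication required"
    doc_id = params.get("doc", "")
    # Unknown ids are rejected before touching the filesystem; looking the id up
    # in a table (instead of joining it into a path) also blocks path traversal.
    if doc_id not in DOCUMENT_OWNERS:
        return 404, "not found"
    # A 'username' parameter in the request is simply ignored.
    if DOCUMENT_OWNERS[doc_id] != username:
        return 403, "forbidden"
    with open(os.path.join(DOC_ROOT, doc_id + ".txt")) as fh:
        return 200, fh.read()
```

Replaying the insecure handler with a forged `username` succeeds without any login, which is exactly what the Burp and Postman steps above observe; the hardened handler answers 401 without a live session and 403 when the session owner does not own the document, regardless of what the request parameters say.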
05 An adversary guesses passwords via automated password-guessing attacks.

Description
This is a brute-force attack tried against user accounts. In a brute-force attack, the attacker systematically checks combinations of usernames and passwords with the intention of eventually logging into the application. There are many tools available for brute-force password cracking attacks, such as Aircrack-ng, John the Ripper, RainbowCrack, etc.

Steps to Reproduce
Step - 1 Open the application.
Step - 2 Enter a valid username and an invalid password in the respective fields.
Step - 3 Select the Login button. The application displays an error message, “The username or password you have entered is not correct.”
Step - 4 Repeat steps 2 and 3 five times.
Step - 5 Enter a valid username and password in the respective fields.
Step - 6 Select the Login button. The verified user is able to log in. The user should not be allowed to log into the application after a particular number of invalid login attempts.

Solution
1. Lock the user account temporarily for some time after approximately 5 invalid login attempts.
2. Implement a CAPTCHA mechanism on the login screen. A CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a type of challenge-response test used in computing to determine whether the user is human or not.
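The temporary account lock from solution 1, as an added Python example that is not part of the whitepaper. The credential table is constructed, the 15-minute lock duration is an assumption (the whitepaper only says "for some time"), and the clock is injectable so the behaviour can be checked without waiting.

```python
import hmac
import time
from typing import Callable, Dict

MAX_ATTEMPTS = 5          # lock after this many consecutive failures (whitepaper: ~5)
LOCK_SECONDS = 15 * 60    # assumption: temporary lock lasts 15 minutes

# Constructed credential table.  Assumption: a real application stores salted
# password hashes; plaintext is used here only to keep the example short.
USERS = {"ANOOPRV": "1234"}


class LoginThrottle:
    """Counts consecutive failed logins per account and enforces a temporary lock.
    While locked, even the correct password is rejected, which is what stops an
    automated guesser from eventually landing on it."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username, 0.0)
        if until and self._clock() < until:
            return True
        if until:  # lock has expired: clear the state so the user gets a fresh budget
            self._locked_until.pop(username, None)
            self._failures.pop(username, None)
        return False

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'."""
        if self.is_locked(username):
            return "locked"
        stored = USERS.get(username, "")
        # Constant-time comparison; an unknown user falls through to the failure path.
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCK_SECONDS
        return "invalid"
```

The three-way result is for the server's own logic and logging; the message shown to the user should stay the generic “The username or password you have entered is not correct” so that the lock state does not leak which usernames exist. Because a lock can be triggered by anyone who knows a username, keep it temporary and pair it with the CAPTCHA from solution 2 rather than relying on the lock alone.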
06 No OTP functionality present on login page.

Description
At present, strong passwords are not mandatory in various applications. This allows hackers to easily access the application by guessing passwords or by other methods. In order to provide an additional layer of security, it is essential to use an OTP or another login security mechanism.

Solution
Deploy a multi-factor authentication mechanism such as fingerprint scan, OTP generation, physical token, etc.
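A time-based OTP (RFC 6238 TOTP, built on RFC 4226 HOTP) as the second factor named in the solution, as an added Python example that is not part of the whitepaper. It uses only the standard library; the one-step drift window is a common choice but an assumption here.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password for the given Unix time."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Accept the current code or one step on either side to tolerate clock drift.
    A deployment must also remember the last accepted counter per user so that a
    captured code cannot be replayed inside the window."""
    counter = int(at) // 30
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def provisioning_secret() -> str:
    """Fresh Base32 secret to enrol in an authenticator app (one per user, stored
    server-side with the same care as a password hash)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()
```

The expected values in the test are the published RFC 4226/6238 test vectors for the ASCII secret `12345678901234567890`, so the implementation can be checked against the standard rather than against itself.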
07 A local adversary can misuse authenticated sessions due to a high session-inactivity period.

Description
If the application does not have a session expiration time, or if the session timeout period is too long, an attacker with access to the device can use the still-active session and get the information.

Steps to Reproduce
Step - 1 Launch the application and log in with a valid user name and password.
Step - 2 Do not perform any changes in the application for 30 minutes.
Step - 3 It was observed that the session is not terminated, so the attacker can easily get access to the application.
Solution
Add a session expiration time for the inactive period. Normally 30 minutes is the session expiration period. After the fix, the expected behaviour is:
Step 1 – Launch the app and log in with a valid username and password.
Step 2 – Do not perform any changes in the application for 30 minutes.
Step 3 – The user gets logged out.
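A server-side session store with the 30-minute inactivity timeout from the solution, as an added Python example that is not part of the whitepaper. The absolute 8-hour lifetime is an additional assumption (it bounds a session that is kept alive by constant activity), and the clock is injectable so the timeout can be exercised in a test.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60          # 30 minutes of inactivity, as the whitepaper recommends
ABSOLUTE_LIFETIME = 8 * 3600    # assumption: hard cap regardless of activity


class SessionStore:
    """Server-side sessions with an idle timeout and an absolute lifetime.
    Expiry is enforced on the server, so a client that simply keeps its cookie
    (or an adversary who picked up the device) gains nothing after the timeout."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the username for a live session and refresh its idle timer.
        An expired session is deleted, so a later request cannot revive it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s["last_seen"] > IDLE_TIMEOUT
        lifetime_expired = now - s["created"] > ABSOLUTE_LIFETIME
        if idle_expired or lifetime_expired:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def invalidate(self, token: str) -> None:
        """Explicit logout: drop the session immediately."""
        self._sessions.pop(token, None)
```

Every authenticated request should go through `resolve`; a `None` result means the client must be sent back to the login page, which is the "user gets logged out" observation in Step 3 of the fixed flow.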
08 An adversary can use IPC activity for unauthorized access to the application.

Description
The Inter Application Communication (IAC) model in Android is an inter-process communication or message-passing system through which an app can use the functionality of another app. For example, an app can send a message to a navigation app to display a location. The snippet below from an Android manifest shows a broadcast receiver that is explicitly exported, leaving it accessible to any other application.

Steps to Reproduce
Decompile the Android manifest file using ‘apktool’ and then open it in the Notepad++ editor. A broadcast receiver is found in the XML file, as highlighted below.
Solution
Do not use IPC, as it can be accessed by all third-party applications on the device. Set the attribute to [exported=“false”]. This implies that the receiver is intended only for the application’s internal use. Alternatively, define a signature protection level permission in the Android manifest file and require it on the receiver, as given below.
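A manifest check that automates the review described above (after `apktool` has decoded the APK), as an added Python example that is not part of the whitepaper. It flags receivers, activities and services that are exported and not guarded by a signature-level permission declared in the same manifest. The sample manifest is constructed for the example, with placeholder package and component names.

```python
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the pattern the whitepaper describes: one
# receiver exported to every app, one exported but guarded by a signature
# permission, one kept internal, and one exported implicitly by its intent-filter.
SAMPLE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.placeholder">
  <permission android:name="com.example.placeholder.INTERNAL"
              android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".SyncReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.placeholder.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name=".SignedReceiver" android:exported="true"
              android:permission="com.example.placeholder.INTERNAL"/>
    <receiver android:name=".PrivateReceiver" android:exported="false"/>
    <receiver android:name=".ImplicitReceiver">
      <intent-filter><action android:name="com.example.placeholder.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem: ET.Element, name: str):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_exposed_components(manifest_xml: str,
                            tags=("receiver", "activity", "service")) -> List[str]:
    """Return names of components reachable by any third-party app: exported
    (explicitly, or implicitly through an intent-filter) and not protected by a
    signature-level permission declared in this manifest."""
    root = ET.fromstring(manifest_xml)
    # Permissions this app declares: name -> protectionLevel (Android default is "normal").
    declared = {_attr(p, "name"): _attr(p, "protectionLevel") or "normal"
                for p in root.iter("permission")}
    exposed = []
    for comp in root.iter():
        if comp.tag not in tags:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Before Android 12 a component with an intent-filter defaults to exported=true.
        if not (exported == "true" or (exported is None and has_filter)):
            continue
        perm = _attr(comp, "permission")
        # A permission declared elsewhere (another package or the platform) cannot be
        # resolved from this file alone, so it is flagged for manual review.
        if perm is None or not declared.get(perm, "unknown").startswith("signature"):
            exposed.append(_attr(comp, "name"))
    return exposed
```

Run it over the decoded `AndroidManifest.xml` of each build; a non-empty result is the finding this section describes, and the fix is the `exported="false"` or signature-permission change given in the solution.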
09 An adversary hijacks sessions as the session is not invalidated on logging out.

Description
A session token is assigned to the logged-in user when logging into the application. Using this session token, the user’s session is identified until logout. This session token should be properly invalidated when the user logs out of the application; otherwise, an adversary can hijack the user’s session using this session token.

Steps to Reproduce
Step - 1 Launch and log into the application using valid credentials.
Step - 2 Access any page and capture the request using the Burp tool.
Step - 3 Send the request to Repeater.
Step - 4 Log out from the application.
Step - 5 Go to Repeater, select the “Go” button and verify the server response for the requested page.

Solution
The session should be invalidated once the user logs out of the application. Also, the session should be invalidated after a certain period of time.
10 The application does not invalidate the session on closing the application.

Description
The session id is the way an application tracks an authenticated user’s identity; it is specific to the application and is maintained on the server side. Sometimes the session remains active if the application is closed without logging out, or when a mobile application goes into the background. Therefore, if an adversary gets unauthorized access to the phone, they can perform malicious operations.

Steps to Reproduce
Step - 1 Log into the application and navigate to any page.
Step - 2 Close the application without logging out.
Step - 3 Try to open the same URL again in the browser (if it is a mobile application, put the application into the background and then bring it back to the foreground).
Step - 4 The session remains active and the user can see the information on the page.
Solution
1. Ensure that the session is invalidated or made inactive on the server side as soon as the user logs out of the application.
2. Explicitly invalidate the session; do not wait for the garbage collector or cookie expiration.
3. If it is a mobile app, do not allow it to run in the background. Forcefully log out of the application when it is moved to the background. For iOS, this is done in the app delegate’s ‘applicationDidEnterBackground’ to forcefully terminate the user session at the server. An Android code snippet example is shown below.
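Server-side logout as required by sections 09 and 10, as an added Python example that is not part of the whitepaper. It contrasts a client-only logout (cookie cleared, server still accepts the token, so a request replayed from Repeater succeeds) with a logout that deletes the session on the server, and it routes the mobile "moved to background" hook through the same server-side invalidation. The token store is constructed; the cookie attributes are standard `Set-Cookie` flags.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Constructed server-side token store: token -> username.
ACTIVE: Dict[str, str] = {}


def session_cookie(token: str, max_age: Optional[int] = None) -> str:
    """Build the Set-Cookie value: HttpOnly keeps scripts away from the token,
    Secure keeps it off plaintext HTTP, SameSite=Strict limits cross-site use."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    if max_age is not None:
        c["sid"]["max-age"] = max_age
    return c.output(header="").strip()


def login(username: str) -> Tuple[str, str]:
    """Return (token, Set-Cookie header value)."""
    token = secrets.token_urlsafe(32)
    ACTIVE[token] = username
    return token, session_cookie(token)


def logout_client_only(token: str) -> str:
    """The flawed pattern from section 09: only the browser's cookie is cleared;
    the server still recognises the token, so a captured request replays."""
    return session_cookie("", max_age=0)


def logout(token: str) -> str:
    """Correct pattern: the server forgets the token immediately (no waiting for
    cookie expiry or garbage collection) and also tells the client to drop it."""
    ACTIVE.pop(token, None)
    return session_cookie("", max_age=0)


def logout_everywhere(username: str) -> int:
    """Revoke every session of one account; returns how many were removed."""
    doomed = [t for t, u in ACTIVE.items() if u == username]
    for t in doomed:
        del ACTIVE[t]
    return len(doomed)


def handle_request(token: Optional[str]) -> int:
    """Stand-in for any authenticated endpoint; this is what Repeater replays."""
    return 200 if token in ACTIVE else 401


def on_app_backgrounded(token: str) -> str:
    """What the mobile client calls from its background callback (for iOS the
    whitepaper names applicationDidEnterBackground): terminate the server session."""
    return logout(token)
```

The replay check in the test mirrors Steps 4 and 5 of section 09: after a real logout the same token gets 401, which is the server response the tester should see in Repeater.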
11 The application has a weak password policy.

Description
An application with a weak password policy is susceptible to attack. The major form of attack that can occur is password guessing. Users use their own name, username, address, phone number, hobbies, pet’s name, etc. as their password so that it can be easily remembered. If an intruder has access to the server and executes the finger utility command, he/she would be able to retrieve all the information of the users on the server. This command can be executed from the command prompt. The screenshot below shows how the password is viewable in the request, and you can conclude that the password is the same as the username and is a weak one.
Solution
Only the admin must have access to execute the finger command on the server, and by default the command should not be executed. Implement a strong password policy which takes into account the criteria mentioned below.
1. The password must have a minimum of 8 characters.
2. The password must not contain any personal information.
3. It must be different from the last passwords used in the system. Enforce password history logic.
4. The password must not be a completely spelled-out word.
5. The password must contain characters from the four primary categories: uppercase letters, lowercase letters, numbers, and special characters.
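The five criteria above as a server-side password validator, as an added Python example that is not part of the whitepaper. The history depth of five, the salted PBKDF2 hashing of previous passwords and the tiny word list standing in for a dictionary file are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

MIN_LENGTH = 8         # criterion 1
HISTORY_DEPTH = 5      # criterion 3: assumption, remember the last 5 password hashes
PBKDF2_ROUNDS = 100_000

# Constructed word list standing in for a real dictionary file (criterion 4).
COMMON_WORDS = {"password", "welcome", "summer", "football", "letmein", "dragon"}


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_hash(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


def check_password(password: str, personal: List[str], history: List[bytes]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    `personal` holds the user's known attributes (username, name, phone, ...);
    `history` holds hashes of previous passwords, oldest first."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for item in personal:  # criterion 2: the example in the whitepaper is password == username
        if item and len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if any(matches_hash(password, h) for h in history[-HISTORY_DEPTH:]):
        problems.append("matches one of the previous passwords")
    # Criterion 4: strip digits and symbols so "Password1!" is still caught.
    core = re.sub(r"[^a-z]", "", low)
    if core in COMMON_WORDS or low in COMMON_WORDS:
        problems.append("is a completely spelled dictionary word")
    categories = [re.search(r"[A-Z]", password), re.search(r"[a-z]", password),
                  re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if not all(categories):  # criterion 5
        problems.append("must contain upper, lower, digit and special characters")
    return problems
```

When a user changes a password, append `hash_password(new)` to their history and trim it to `HISTORY_DEPTH`; the validator never needs old passwords in clear.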
12 The application allows concurrent user logins.

Description
Some applications allow concurrent user logins for the same account. The user can have multiple sessions active at the same time from different browsers or machines. If the user needs to open the account in different browsers or on different machines, you need to implement concurrency control in authentication, and this has to be application specific. The issue with concurrent authentication is that the logged-in user is not aware of his/her account being accessed by others.

Steps to Reproduce
Step - 1 Consider the online SBI application; log in with a proper username and password.
Step - 2 Again, log into the account from a different browser or machine.

Solution
Concurrent logins should not be allowed.
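One way to enforce a single active session per account, as an added Python example that is not part of the whitepaper: a new login revokes the previous session and records the event, so the earlier browser or device is logged out on its next request and the account owner can be told that another login occurred. The token store and the audit list are constructed for the example; whether to evict the old session or refuse the new one is the application-specific decision the description mentions.

```python
import secrets
from typing import Dict, List, Optional


class SingleSessionStore:
    """Allows exactly one live session per account.  A fresh login evicts the
    previous session; the evicted client receives 401 on its next request."""

    def __init__(self):
        self._by_token: Dict[str, str] = {}   # token -> username
        self._by_user: Dict[str, str] = {}    # username -> current token
        self.audit: List[str] = []            # constructed audit trail

    def login(self, username: str, device: str) -> str:
        old = self._by_user.get(username)
        if old is not None:
            del self._by_token[old]
            # This is the event the account owner should be notified about.
            self.audit.append(f"{username}: previous session revoked by new login from {device}")
        token = secrets.token_urlsafe(32)
        self._by_token[token] = username
        self._by_user[username] = token
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Username for a live session, or None if it was revoked or logged out."""
        return self._by_token.get(token)

    def logout(self, token: str) -> None:
        user = self._by_token.pop(token, None)
        if user is not None and self._by_user.get(user) == token:
            del self._by_user[user]

    def handle_request(self, token: str) -> int:
        return 200 if self.resolve(token) else 401
```

Step 2 of the reproduction (a second login from another browser) then produces a visible effect in the first browser, which is what the tester should expect from a fixed application.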
Conclusion
The application layer is always the hardest to defend against security threats. The vulnerabilities present here usually depend on the input given by the user. This layer is also the most accessible one and the most exposed to the outside world. Hence, we always need to give the utmost importance to the authentication part of an application and prevent malicious attacks. This case study covers only a part of the attacks that can happen to an application’s authentication.

Authors
Bipin M Nair, Senior Software Test Engineer, RapidValue Solutions
Soniya Varghese, Senior Software Test Engineer, RapidValue Solutions
Rosu Antu, Software Test Engineer, RapidValue Solutions
Rahul RS, Senior Software Test Engineer, RapidValue Solutions
Neena Elizabeth Varghese, Software Test Engineer, RapidValue Solutions

If you’d like to know more about Security Testing, please reach out to us at contactus@rapidvaluesolutions.com. We’d be happy to hear from you!
Disclaimer: This document contains information that is confidential and proprietary to RapidValue Solutions Inc. No part of it may be used, circulated, quoted, or reproduced for distribution outside RapidValue. If you are not the intended recipient of this report, you are hereby notified that the use, circulation, quoting, or reproducing of this report is strictly prohibited and may be unlawful.

About RapidValue
A global leader in digital transformation for enterprise, providing end-to-end mobility, omni-channel, IoT and cloud solutions. Armed with a large team of experts in consulting, UX design, application development, integration and testing, along with experience delivering projects worldwide in mobility and cloud, we offer a wide range of services across industry verticals. We deliver services to the world’s top brands, Fortune 1000 companies, multinational companies and emerging start-ups. We have offices in the United States, the United Kingdom and India.

www.rapidvaluesolutions.com
+1 877.643.1850
www.rapidvaluesolutions.com/blog
contactus@rapidvaluesolutions.com
©RapidValue Solutions July, 2018