The document discusses web application security testing. It defines security testing as identifying vulnerabilities in software, databases, operating systems, and organizations to protect information from hackers. Effective security practices need to be implemented through security testing to avoid losses and protect organizations' reputations from data breaches. Security testing includes vulnerability assessments to find security issues and penetration tests to simulate hacker activities and evaluate vulnerabilities' impacts. The goals of security testing are to achieve confidentiality, integrity, and availability as defined in the CIA security triad.
What is Security Testing
Security Testing is the activity of identifying/uncovering any Security Loopholes (i.e., Vulnerabilities or Security Bugs) in the given Software System (i.e., Applications, Databases, Machines, Operating Systems, Organizations etc.) and getting them fixed, with the intention of protecting the Information in these Systems from Hackers.
3. Security Testing - Importance of Security Testing with Examples
• Examples of data breaches and hacks that happened over a period of time
• As the number of cyber-attacks grows with advances in technology, efficient and effective security practices need to be implemented by every organization in a timely and prioritized manner to avoid losses and protect reputation. Hence Security Testing is very important to ensure the security of the systems and thereby protect organizations from losing money and reputation.
4. Security Testing versus Vulnerability Assessment versus Penetration Testing
• Security Testing comprises both Vulnerability Assessment and Penetration Testing
• As part of Vulnerability Assessment, we simply assess the application and identify the security loopholes (i.e. Vulnerabilities) in the Application
• As part of Penetration Testing, we simulate the hacker's activities by hacking/breaching/utilizing the identified security loophole (i.e. vulnerability) to check or prove what kind of damage/risk the vulnerability is causing
• While performing Security Testing in our Job, we should not be doing Penetration Testing unless the client insists on it.
• We may also have to educate the Client and take their approval before performing Penetration Testing.
5. High Level Objectives of Security Testing
• The basic or high-level Goals and Objectives of Security Testing, or of a Security Program, are to achieve the CIA Triad
• CIA Triad stands for Confidentiality, Integrity and Availability
• Confidentiality - Information is private and secured
• Integrity - Only Authorized people should be able to update (add, modify, delete) Information
• Availability - Application/System is available all the time to the intended users.
6. Security Testing (Basics) - Cookie
What is a Cookie? What can a Cookie do?
• Track your Activities
• Maintain Login Session
• Remember Login
• Remember other details for your convenience
What will happen if a Cookie is stolen?
7. Cookie versus Session ID versus Session
• What is a Cookie?
• What is a Session ID?
• What is a Session?
• Cookie versus Session
8. Cryptography and different Techniques
Cryptography
1. Enables secret communication between two parties.
2. Encryption and Decryption of data during communication between two parties.
3. Algorithm and key are used for making this possible.
4. HTTPS = HTTP + SSL
Cryptography Techniques
Encryption
• Symmetric Encryption
• Asymmetric Encryption
Hashing
Encoding
9. Symmetric Key Encryption
Examples for Symmetric Key Encryption
• AES (Advanced Encryption Standard)
• DES (Data Encryption Standard)
• IDEA (International Data Encryption Algorithm)
• Blowfish
• RC4 (Rivest Cipher 4)
• RC5 (Rivest Cipher 5)
• RC6 (Rivest Cipher 6)
In Symmetric Key Encryption, the same key is used for both encryption and decryption of the data being transferred between two parties
Symmetric Key Encryption is one of the techniques used for achieving Cryptography
10. Symmetric Key Encryption
Most commonly used Symmetric Key Encryption
• AES-128
• AES-192
• AES-256
Drawback
• The key used for encryption needs to be exchanged with the receiver before decryption
11. Asymmetric Key Encryption
• In Asymmetric Key Encryption, the public key of the receiver is used for encryption and the private key of the receiver is used for decryption of the data being transferred between two parties
• Examples for Asymmetric Key Encryption
• RSA - Rivest Shamir Adleman Algorithm
• DSA - Digital Signature Algorithm
• ElGamal
• ECC - Elliptic Curve Cryptography
• And many more
12. Encoding and Decoding
• Encoding:
• Transforming data into other formats, so that the data can be consumed properly by the Systems
• Example: btoa('arun motoori') in the Chrome Browser Console, for converting a string into base64 format
• Decoding:
• Converting back to the original format from the encoded format
• Example: atob('YXJ1biBtb3Rvb3Jp') in the Chrome Browser Console, for converting the base64 encoded format back to the original String
• Not for converting to a secret language for transferring secretly between two parties
• The purpose is proper consumption by the receiver
13. Encoding and Decoding
Different Types of Encoding Formats used:
• ASCII
• base64
• Unicode
• URL Encoding
• Show examples of URL Encoding
Finding the encoding standards accepted by the Browser
• Network > Request > Accept-Encoding
• Server uses this to send the response in the proper encoding format required by the Browser
How Encoding plays a role in Security
• By having knowledge of different encoding formats, we can try to decode the stuff and see if the Hacker/Attacker can view any sensitive data anywhere
• More about this will be explained in the upcoming sessions.
14. OWASP
• OWASP stands for Open Web Application Security Project
• OWASP.org
• Non-Profit Organization
• Objective is to encourage all organizations in improving their Software security
• OWASP is known for:
• Publishing OWASP Top 10 Vulnerabilities
• Guides
• Free Tools
• Open Applications for practicing Security
• Events
• Community
• And many more
15. OWASP Top 10 Vulnerabilities
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities
• Broken Access Control
• Security Misconfiguration
• Cross Site Scripting
• Insecure Deserialisation
• Using Components with known vulnerabilities
• Insufficient Logging and Monitoring