Perseverance, Success

Security Testing On Web Applications

2009-03-03 17:38:41

B/S (browser/server) systems are everywhere in daily life: e-banking, securities trading, tax filing and so on. Users care a great deal about the security of these systems, so security testing is becoming more and more important.


A good security tester must master the techniques hackers use: the HTTP protocol, XML, SQL injection, password dictionaries, and so on.


First, passwords. Before using a system, the user has to log in, so the username and password are the system's first gate. A cracker attacking a system will use a password dictionary, a word list of common usernames and passwords. If the system does not enforce complex passwords, it is easily attacked this way. It is equally important that the username and password are encrypted when transmitted over the Internet or stored in a cookie.


Second, HTTP GET methods. When the system passes information to the server with HTTP GET, testers need to look closely at the GET parameters. For a URL such as http://xxx.com/abc.action=xxx&dd=yyy, the tester modifies the values xxx and yyy to test the URL's security and to make sure a cracker cannot obtain important information simply by changing a GET value.


Third, how SQL injection is handled. In many systems the single quote (') is not rejected by the application: when you type (') in a text box and submit, an SQL error message may appear in the browser, which tells a cracker that SQL statements can be injected to retrieve the information they want. Code review and security testing are therefore essential to prevent this problem.
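The quote check described above, as an added example that is not part of the original post: a constructed in-memory SQLite table is queried once with the text-box value pasted into the SQL string and once with a bound parameter, and a small probe shows what the tester sees in each case (rows, or the database error that would leak to the browser).

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the original post): two users with balances."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users (name, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the text-box value becomes part of the SQL text itself."""
    sql = "SELECT name, balance FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter and can never change the query."""
    sql = "SELECT name, balance FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


def probe(lookup, conn, value):
    """What the tester observes: ("ok", rows) or ("error", message).

    A database error escaping to the browser is the signal the post describes;
    a hardened endpoint simply returns no rows for a quote character."""
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "'", "' OR '1'='1"):
        print(repr(value), "unsafe:", probe(lookup_unsafe, db, value))
        print(repr(value), "safe:  ", probe(lookup_safe, db, value))
```

The single quote breaks the unsafe query (an error the browser would display) while the safe query just returns nothing, and the tautology shows why that error matters: the unsafe query hands back every row, the parameterized one none.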


The purpose of security testing is to find the weaknesses of a system and to clear those issues before it goes into production.



LIFR: Life Is For Run...? lifr   /   2009-03-04 10:19:22
Interesting. Test like a hacker.