Five Aspects to Watch in Web Security Testing

  Automated testing, security testing

With the rapid development of the Internet, web applications play an increasingly important role in software development. At the same time, they attract more security attacks than other software: a company's or organization's website, and the applications running on it, are in a sense its virtual front door, so they are exposed to attackers and carry real security risk.

Today I would like to share some knowledge and points to watch in security testing.

I. Verification Points for Security Tests

The security verification points of a system include the upload function, registration/login, verification codes (captcha and SMS codes), password recovery, sensitive information disclosure, privilege escalation (unauthorized access) testing, error messages, sessions, and so on.

1. Upload function

  • If the upload is interrupted, does the program check whether it actually succeeded?
  • After uploading a file with the same extension as the server-side language (jsp/asp/php) or an executable such as .exe, confirm whether it can be executed directly on the server.

2. Registration / login function

  • Is the request transmitted securely (encrypted in transit)?
  • Repeated registration / login: can the same account be registered or logged in more than once?
  • Are the key cookies marked HttpOnly?
  • Session fixation: exploiting a session ID that does not change across login to obtain another user's authentication and authorization, and then impersonating that user.

3. Verification code function

  • SMS bombing (no limit on sending verification texts)
  • Is a verification code usable only once?

4. Forgot password

  • Recovery via mobile phone number / email
  • Unreasonable program design lets the SMS verification code be bypassed or modified (for example, capturing the request with Burp Suite and changing the response value to true)

5. Sensitive information leakage

  • Database / logs / page prompts

6. Privilege escalation (unauthorized access) test

  • Without logging in, can a file be downloaded by entering its URL directly? Can a post-login page be opened by entering its URL directly?
  • Can a parameter value in the URL be changed manually to reach a page the user has no permission for?
  • Session sharing between different users allows them to manipulate each other's data illegally.

7. Error information

  • Does the error message reveal SQL statements, detailed error text, or the absolute path of the web server?

8. Session

  • After logging out, can the previous page be reached by clicking the browser's Back button?
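The two session items in this checklist (session fixation under item 2, and Back after logout under item 8) come down to the same server-side rules. The following is an added example, not code from the original post: a minimal in-memory session store that re-issues the session ID at login, invalidates it at logout, and sets the cookie flags the checklist mentions. Names such as `SESSIONS`, `login` and `SESSIONID` are hypothetical.

```python
import secrets
import time

# Constructed in-memory store: session id -> {"user": str | None, "created": float}
SESSIONS = {}

def new_session(user=None):
    """Issue a fresh, unguessable session id (before or after authentication)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": time.time()}
    return sid

def login(presented_sid, username, password_ok):
    """On a successful login, drop the id the browser presented and issue a new one.
    If an attacker planted `presented_sid` in the victim's browser (session
    fixation), the attacker is left holding an id that never becomes authenticated."""
    if not password_ok:
        return None
    SESSIONS.pop(presented_sid, None)   # the fixed / pre-login id dies here
    return new_session(user=username)

def logout(sid):
    """Invalidate on the server, not only by expiring the cookie: a replayed
    cookie or a re-requested page must not map to an authenticated session."""
    SESSIONS.pop(sid, None)

def current_user(sid):
    """Resolve the user from the server-side store; None means 'not logged in'."""
    entry = SESSIONS.get(sid)
    return entry["user"] if entry else None

def session_cookie_header(sid):
    """Cookie flags the checklist asks for: HttpOnly keeps the cookie away from
    script, Secure keeps it off plain HTTP, SameSite limits cross-site sending."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def authenticated_page_headers():
    """Sent with every logged-in page so the browser keeps no copy that the
    Back button could show after logout; the re-request then hits current_user()."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"}
```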

It mainly comes down to the following points (these can later be organized into a framework for security testing):

  • Deployment and infrastructure
  • Input validation
  • Authentication
  • Authorization
  • Configuration management
  • Sensitive data
  • Session management
  • Encryption
  • Parameter manipulation
  • Exception management
  • Audit and log security

II. Problems Found in Practice (Existing Systems)

1. Logs / prompts

In a system's early days it is common to find that, when an error occurs or a negative test is run, the page prompt prints something that is obviously a database table or field name, or that sensitive words appear; the logs likewise contain passwords, card numbers and ID card numbers with no masking or encryption applied. An attacker who obtains such plaintext sensitive data can mount simple, crude attacks on the server or database with ease, endangering the whole system!
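The fix for the log problem above is to mask sensitive fields before they are written. This is an added example, not code from the original post: a key=value masker for the three fields the text names (password, card number, ID card number) wired into a standard `logging.Filter`. The field names, the sample line and the keep-six-and-last-four rule are constructed assumptions.

```python
import logging
import re

# Constructed log line in the shape the text describes: password, card number
# and ID card number written out in full.
SAMPLE_LINE = ("INFO login ok user=zhangsan password=Secr3t! "
               "card=6222021234567890123 idcard=110101199001011234")

def _keep_ends(value, head, tail):
    """Keep `head` leading and `tail` trailing characters, star out the middle."""
    if len(value) <= head + tail:
        return "*" * len(value)
    return value[:head] + "*" * (len(value) - head - tail) + value[-tail:]

# Hypothetical field names; adjust to the keys your own logs use.
MASKERS = {
    "password": lambda v: "******",            # never log any part of a password
    "card": lambda v: _keep_ends(v, 6, 4),     # BIN and last four stay searchable
    "idcard": lambda v: _keep_ends(v, 6, 4),   # hides the birth-date segment
}
KV_RE = re.compile(r"\b(password|card|idcard)=(\S+)", re.IGNORECASE)

def mask_sensitive(line):
    """Rewrite every key=value pair whose key is in MASKERS; other text is untouched."""
    def repl(m):
        key, value = m.group(1), m.group(2)
        return f"{key}={MASKERS[key.lower()](value)}"
    return KV_RE.sub(repl, line)

class MaskingFilter(logging.Filter):
    """Attach to a handler so records are masked before any formatter sees them."""
    def filter(self, record):
        record.msg = mask_sensitive(record.getMessage())
        record.args = ()
        return True

def build_logger(name="payment"):
    """Logger whose handler masks sensitive fields on the way out."""
    logger = logging.getLogger(name)
    handler = logging.StreamHandler()
    handler.addFilter(MaskingFilter())
    logger.addHandler(handler)
    return logger
```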

2. Repeatability

Most websites have a registration function, and a system like ours, which handles payments, also has account opening. Registration and account opening usually have uniqueness checks and interception at the front end; however, if JMeter is used to submit the parameters and values directly, the insert may succeed, producing duplicate data in the system and possibly breaking the whole function.

3. Limits on the number of attempts

For sending bills, logging in or sending text messages, if there is no corresponding limit, for instance no cap on the number of texts, an attacker can paralyze the system through SMS bombing so that other customers cannot use it.
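The limit the paragraph calls for on the text-message endpoint is usually a sliding-window rate limiter. This is an added example, not code from the original post: it caps sends per phone number and per client IP within a window and enforces a cool-down between two texts to the same number. The class name, the default limits and the injectable clock are constructed assumptions.

```python
import time
from collections import defaultdict, deque

class SmsRateLimiter:
    """Sliding-window limiter for the 'send verification text' endpoint.

    Three independent limits, all hypothetical defaults: a cool-down between two
    texts to the same number, a cap per number per window, and a cap per client
    IP per window (so one machine cannot bomb many numbers at once)."""

    def __init__(self, per_phone=3, per_ip=10, window_s=3600,
                 min_interval_s=60, clock=time.monotonic):
        self.per_phone = per_phone
        self.per_ip = per_ip
        self.window_s = window_s
        self.min_interval_s = min_interval_s
        self.clock = clock                    # injectable so tests control time
        self._by_phone = defaultdict(deque)   # phone -> timestamps of sends
        self._by_ip = defaultdict(deque)      # ip -> timestamps of sends

    def _prune(self, dq, now):
        """Drop timestamps that have fallen out of the window."""
        while dq and now - dq[0] >= self.window_s:
            dq.popleft()

    def allow(self, phone, ip):
        """Return True and record the send, or False and record nothing."""
        now = self.clock()
        phone_q, ip_q = self._by_phone[phone], self._by_ip[ip]
        self._prune(phone_q, now)
        self._prune(ip_q, now)
        if phone_q and now - phone_q[-1] < self.min_interval_s:
            return False                       # too soon after the last text
        if len(phone_q) >= self.per_phone or len(ip_q) >= self.per_ip:
            return False                       # window cap reached
        phone_q.append(now)
        ip_q.append(now)
        return True
```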

4. Privilege escalation (unauthorized access) test

(Most systems do not explicitly write down requirements against unauthorized access.) In a web system the address bar usually carries parameters such as a user number, an order number and so on. A system also has many users at many levels, for example A above B above C. If I log in as user C and view an order belonging to C, the address bar carries the order number as a parameter. If the system imposes no corresponding restriction, user C can modify the order number and see the data of user B or even user A, which leaks data. Worse, if the user number can be modified without any server-side handling, all data can be operated on and the whole system is thrown into chaos, with serious consequences.
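The scenario above (user C changing the order number, or the user number, in the URL) is an object-level authorization check missing on the server. This is an added example, not code from the original post: the 'before' handler trusts the URL, the 'after' handler takes identity from the session and checks ownership. The users, orders, levels and function names are constructed assumptions.

```python
# Constructed sample data for the scenario in the text: levels A > B > C, each
# user owning one order whose number appears in the URL.
ORDERS = {
    "ORD-1001": {"owner": "a", "amount": 500},
    "ORD-1002": {"owner": "b", "amount": 120},
    "ORD-1003": {"owner": "c", "amount": 30},
}
USER_LEVEL = {"a": 3, "b": 2, "c": 1}   # hypothetical: level 3 may audit all orders
AUDIT_LEVEL = 3

class AccessDenied(Exception):
    pass

def get_order_insecure(query):
    """'Before': the order number from the query string is trusted as-is, so
    user C only has to edit the URL to read B's or A's order."""
    return ORDERS[query["order_no"]]

def get_order(session_user, query):
    """'After': identity comes from the server-side session, never from the URL;
    the requested object is checked against that identity before it is returned."""
    order = ORDERS.get(query["order_no"])
    if order is None:
        raise AccessDenied("no such order")
    if order["owner"] != session_user and USER_LEVEL[session_user] < AUDIT_LEVEL:
        # Same error as the missing case: do not confirm that the order exists.
        raise AccessDenied("no such order")
    return order

def can_view(session_user, order_no):
    """Boolean form of the check, convenient for tests and templates."""
    try:
        get_order(session_user, {"order_no": order_no})
        return True
    except AccessDenied:
        return False

def my_orders(session_user, query):
    """Listing endpoint: any `user_no` sent in the URL is ignored in favour of the session."""
    return sorted(no for no, o in ORDERS.items() if o["owner"] == session_user)
```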

5. SQL injection / XSS attack

This is mainly about checking, intercepting and escaping input fields. If a system does not process input at all, an attacker can enter a SQL statement or a piece of code in an input box and have it reach the corresponding back-end function, which throws the whole function into disorder: data submitted by other normal users can no longer be viewed, or the submitted code (for example "> ) is never closed and becomes a dead loop. So this is very important.

Basically, all five points above were found in testing. The system is real, these problems exist, and there are others; among them unauthorized access, SQL injection and XSS attacks are the most important!
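The two defects in this section have two standard fixes: bind SQL parameters instead of splicing input into the query, and escape on output so a stored "> cannot break the page for other users. This is an added example, not code from the original post; it uses an in-memory sqlite3 database with constructed rows, and the table, function names and payload are assumptions.

```python
import html
import sqlite3

def make_db():
    """Constructed sample database: one ordinary bio and one stored payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)",
                     [("alice", "hello"), ("bob", '"><script>alert(1)</script>')])
    conn.commit()
    return conn

def find_user_insecure(conn, name):
    """'Before': the input box value is spliced into the SQL text, which is the
    defect the section describes; a value like x' OR '1'='1 rewrites the query."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_user(conn, name):
    """'After': a bound parameter, so the value can only ever be compared as data."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def render_bio(bio):
    """Escape on output. A stored "> cannot close the attribute or the element,
    so other users' pages still render instead of being broken or hijacked."""
    safe = html.escape(bio, quote=True)
    return f'<p class="bio" title="{safe}">{safe}</p>'

def bio_of(conn, name):
    """Fetch with a bound parameter and render with escaping: both fixes together."""
    row = conn.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return render_bio(row[0]) if row else ""
```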

III. Minor Difficulties Overcome

All of the above requires manual participation, and manual work is never fully complete and comprehensive, so this is a small problem we ran into. At present there is a vulnerability scanning tool for web systems, AWVS, which tests a website's security by crawling it and detecting popular vulnerabilities. Findings are divided into four levels: high risk, medium risk, low risk and optimization. It checks the security of internal and external links, whether files exist and whether transmission is secure, and also covers SQL injection and XSS. After the address, username and password are entered, the scan displays the corresponding data: number of vulnerabilities, descriptions of each and recommended fixes, together with scan duration, the amount of file data, environment information and so on, which is fairly comprehensive!

IV. Security Testing Ideas and Framework

A more complete security testing approach can be built on the following six points, with a framework that verifies the whole system in a semi-manual, semi-automatic way.

  • Deployment and infrastructure
  • Input validation
  • Authentication / authorization (permission checks)
  • Sensitive data
  • Parameter manipulation
  • Audit and log security

V. Current Problems / What Needs Optimizing

Most current security testing is semi-manual and semi-automatic but not professional, so it is still at an exploratory stage and can only find as many vulnerabilities in the system as possible; established testing theory is hard to apply to the security field.

The basic theory of security testing is weak; current testing methods lack theoretical guidance and more technical product tools.

Security testing needs to analyze the system's technology and architecture, which is also a weak link!

Author: Wang Pengfei

Source: Yixin Institute of Technology
