Securing web apps and servers
Many web applications are built on a collection of technologies whose evolution has outpaced industry regulation, many third-party security countermeasures and, most importantly, the ability of many internal IT departments to keep up with the growing number of web application security threats.
A web application may also carry out transactions with back-end data systems such as databases, CRM and ERP software. Examples of web applications include, among others, web sites that support online shopping, banking and investing, and business-to-business transactions.
Specific goals of web application testing include:
- Identify incorrectly configured Web Server Software
- Identify flaws in the User Authentication system
- Analyze the Web Application for flaws in logic and flow
- Identify weaknesses that enable circumventing the designed path to information
- Identify issues that enable unauthorized data access
- Identify issues that enable transaction manipulation
- Identify issues that permit denial of service attacks
- Determine if the host operating system can be compromised from the application
Weaknesses (vulnerabilities) in web applications and their host systems typically include:
- Unnecessary active, exposed services (increasing the attack surface area)
- Missing security patches
- Misconfigured server or application software
- Programming errors that enable buffer overflows and other code-based attacks
- Input validation vulnerabilities
- Session state management vulnerabilities
- Authentication vulnerabilities
- Information leakage
More specifically, the testing includes discovery and identification of the following minimum set of vulnerabilities:
- Parameter manipulation
- Input validation and bounds checking
- Cookie manipulation
- Cross-site scripting
- Directory traversal
- Insecure sample applications
- Insecure administrative applications
- Insecure session management
- SQL injection and other input validation flaws
- Buffer overflows
- Insecure data storage mechanisms in cookies
- Authentication bypass flaws
- All known vulnerabilities in the host and application software
While many automated scanning tools are helpful, they are no substitute for a thorough, hands-on review by application security experts.