Web Application Security
In the Network security testing section we presented different techniques to make sure that your network is safe from intruders. Intruders will always have more than one way to harm you, and network security testing is only one part of the security measures you need to take. Intruders can also take advantage of vulnerabilities present in your application itself.

In this section we give information on two vulnerabilities that might invite intruders into your web application:

  • SQL Injection
  • Cross-site scripting

Of all the known vulnerabilities, SQL injection and cross-site scripting are the two found in many web applications.

SQL Injection

Web applications often use data read from a client to construct database queries. If this user data is not validated or escaped before the SQL query is built, a malicious user can send arbitrary SQL to the database and harm the application.

For example, if a web application accepts a user name and password on the login screen and builds the authentication query from that input, the code might look something like this:

  SQL = "SELECT * FROM Users_Table WHERE (UserName = '" + Login_Name + "') AND (Password = '" + Login_Password + "');"
  If GetQueryResult(SQL) = 0 Then Authenticated = False Else Authenticated = True

If user data is used directly in the SQL query without any preprocessing, this is a potential SQL injection vulnerability. For example, if in the above case the user enters ABC' OR 'T'='T in both the user name and password fields, the constructed query will be:

  SELECT * FROM Users_Table WHERE (UserName = 'ABC' OR 'T'='T') AND (Password = 'ABC' OR 'T'='T');

Note that this query returns all the records from Users_Table, because the condition 'T'='T' is always true, so the login check succeeds without a valid password. This is a major risk to the security of the application.
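The following is an added example (not code from the original page) that reproduces the login check above in Python against an in-memory SQLite table, so the effect of the ABC' OR 'T'='T input can be observed directly. The table contents, the function names and the use of SQLite are assumptions for the demonstration; the fixed version replaces string concatenation with a parameterised query, which is the standard mitigation.

```python
import sqlite3

# Constructed sample data standing in for the page's Users_Table; the
# passwords are stored in clear text only to keep the demonstration short.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users_Table (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users_Table VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def query_concat(conn, login_name, login_password):
    """Vulnerable: the SQL text is built by pasting user input into it,
    exactly as the login pseudocode above does."""
    sql = ("SELECT * FROM Users_Table WHERE (UserName = '" + login_name
           + "') AND (Password = '" + login_password + "')")
    return conn.execute(sql).fetchall()


def query_param(conn, login_name, login_password):
    """Fixed: a parameterised query sends the input as data, so a quote in
    the input is never interpreted as part of the SQL."""
    sql = "SELECT * FROM Users_Table WHERE (UserName = ?) AND (Password = ?)"
    return conn.execute(sql, (login_name, login_password)).fetchall()


def authenticated(rows):
    """Mirrors the page's check: zero rows means the login failed."""
    return len(rows) != 0


if __name__ == "__main__":
    conn = build_db()
    payload = "ABC' OR 'T'='T"   # the input from the page, typed in both fields
    print("concatenated query rows:", len(query_concat(conn, payload, payload)))  # 2
    print("parameterised query rows:", len(query_param(conn, payload, payload)))  # 0
```

With the concatenated query the injected input matches every row, so authenticated() returns True for a user that does not exist; with the placeholder version the same input matches nothing. The database driver, not the application, is what keeps data and SQL apart, which is why input filtering alone is a weaker defence than parameterised queries.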

Cross-Site Scripting

Any method or technique that allows other people to cause undesired data flow is a potential vulnerability for the system. Cross-site scripting is a very effective technique for distributing malicious code to many people without their knowledge.

Consider this scenario. There is an online forum for discussing any topic under the sun. Users post messages, which are stored in the database. When a user requests a particular message, it is retrieved from the database and delivered to the client's browser. In this scenario, an attacker can post a message containing malicious script into the forum database. When other people request that message, the script is delivered to them on behalf of the web application. The attacker has thus used a public forum to distribute malicious code.
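The following is an added example (not code from the original page) that models the forum scenario above in Python: stored messages are rendered into HTML first verbatim, as a vulnerable forum would do, and then with output encoding, which is the standard mitigation. The post contents, function names and page layout are constructed for the demonstration; the script in the sample post is harmless and exists only so the two renderers can be compared.

```python
import html

# Constructed forum posts standing in for rows in the forum's message table.
# The second body carries a harmless script tag so the two renderers can be
# compared; it is sample data, not anything taken from a real site.
SAMPLE_POSTS = [
    ("alice", "Has anyone tried the new release?"),
    ("mallory", "Nice forum! <script>alert('stored xss')</script>"),
]


def render_unsafe(author, body):
    """Vulnerable: the stored text is placed into the HTML verbatim, so any
    markup a poster included becomes part of the page every reader loads."""
    return "<p><b>" + author + "</b>: " + body + "</p>"


def render_safe(author, body):
    """Fixed: HTML-encode stored text on output. Characters that start
    markup (<, >, &, quotes) are turned into entities, so the browser shows
    the script tag as text instead of executing it."""
    return "<p><b>" + html.escape(author) + "</b>: " + html.escape(body) + "</p>"


def has_script_tag(page_html):
    """Crude check a tester can run on rendered output: does the page
    contain a live <script> tag that came from stored data?"""
    return "<script" in page_html.lower()


def render_page(posts, renderer):
    """Render all stored posts with the given renderer, as the forum would
    when a reader requests the thread."""
    return "\n".join(renderer(author, body) for author, body in posts)


if __name__ == "__main__":
    print(has_script_tag(render_page(SAMPLE_POSTS, render_unsafe)))  # True
    print(has_script_tag(render_page(SAMPLE_POSTS, render_safe)))    # False
```

Encoding is applied at the point where data is written into HTML, not when it is stored, because the same stored text may later be emitted into a different context (an attribute, a URL, JavaScript) that needs different encoding. The has_script_tag check is only a smoke test; a real review also looks at attributes and event handlers, which this example does not cover.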
© Copyright 2008, www.TestingGeek.com