1) URL manipulation through HTTP GET methods:
- The tester should check whether the application passes important information in the query-string. This happens when the application uses the HTTP GET method to pass information between the client and the server.
- The information is passed in parameters in the query-string. The tester can modify a parameter value in the query-string to check whether the server accepts it.
- Via an HTTP GET request, user information is passed to the server for authentication or for fetching data.
- An attacker can manipulate every input variable passed in this GET request to the server in order to obtain the information they want or to corrupt the data.
- Under such conditions, any unusual behaviour by the application or web server is a doorway for the attacker into the application.
2) SQL Injection:
- The next thing that should be checked is SQL injection. Entering a single quote (') in any textbox should be rejected by the application.
- If instead the tester encounters a database error, it means that the user input is inserted into some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.
- SQL injection attacks are very critical, as an attacker can obtain vital information from the server database.
- To check for SQL injection entry points into your web application, find the code in your code base where direct SQL queries are executed against the database using user input.
- If user input is placed directly into the SQL queries used to query the database, an attacker can inject SQL statements, or fragments of them, as user input to extract vital information from the database.
- Even if the attacker only succeeds in crashing the application, the SQL query error shown in the browser can reveal the information they are looking for. Special characters in user input should be handled and escaped properly in such cases.
3) Cross Site Scripting (XSS):
- The tester should additionally check the web application for XSS (cross-site scripting). No HTML or script tag should be accepted by the application; if one is, the application can be prone to a cross-site scripting attack.
- An attacker can use this method to execute a malicious script or URL in the victim's browser. Using cross-site scripting, an attacker can use scripts such as JavaScript to steal user cookies and the information stored in them.
- Many web applications take some user information and pass it between pages in variables.
E.g.: http://www.examplesite.com/index.php?userid=123&query=xyz
An attacker can easily pass malicious input or a script as the '&query' parameter, which can expose important user or server data in the browser.
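The two checks from sections 2 and 3 above, as an added worked example (not code from the original page): a string-concatenated query that fails the single-quote test beside a parameterized one that passes it, and the `&query` parameter echoed back with HTML escaping so a script tag is shown as text. The table, the in-memory SQLite database and the URL are constructed for the demonstration; the page's example site is used only as a placeholder hostname.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed stand-in for the application's database (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(123, "alice"), (124, "bob")])
    return conn


def lookup_concatenated(conn, userid):
    """Vulnerable pattern: the user-supplied value is pasted into the SQL text,
    so a single quote in the input changes the query and triggers a database error."""
    sql = "SELECT name FROM users WHERE userid = '" + userid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, userid):
    """Hardened pattern: the value is bound as a parameter and is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE userid = ?", (userid,))
    return [row[0] for row in rows]


def single_quote_probe(lookup):
    """The page's check: submit a lone single quote and report whether the
    database raised an error, the sign that the input reaches a query unescaped."""
    try:
        lookup(make_db(), "'")
        return "accepted"
    except sqlite3.OperationalError:
        return "database error"


def render_query_echo(url):
    """Echo the 'query' parameter of the URL into HTML with escaping, so a
    script tag passed as &query=... is displayed as text instead of executed."""
    params = parse_qs(urlsplit(url).query)
    value = params.get("query", [""])[0]
    return "<p>You searched for: " + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    print("concatenated query:", single_quote_probe(lookup_concatenated))
    print("parameterized query:", single_quote_probe(lookup_parameterized))
    # Constructed URL in the shape of the page's example, with a script tag in &query=
    print(render_query_echo("http://www.examplesite.com/index.php?userid=123"
                            "&query=%3Cscript%3Ealert(1)%3C/script%3E"))
```

The concatenated lookup reports a database error on the single quote, which is exactly the signal the tester looks for in section 2; the parameterized lookup simply returns no rows.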
Important Note:
During security testing, the tester should be very careful not to modify any of the following:
• Configuration of the application or the server.
• Services running on the server.
• Existing user or customer data hosted by the application.
Additionally, a security test should be avoided on a production system.
The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.