How to start web application security assessment

Web application security forms the backbone of many businesses, since the web application is the public face of the business and the place where day-to-day business is conducted.

In today's scenario, many web forms and business sites perform major transactions on websites and are moving to mobile applications.

While security standards should be followed during the coding phases, there are still major challenges once the application goes live.

The reasons for a vulnerable application vary with business needs: the business wants production releases at a rapid pace while still working within budgets to fund the security requirements, and old or legacy code with reusable components is used to rush code into production.

We will list certain points that are helpful to understand when starting a web application security assessment.

1. Understand the business applications

  Before starting any assessment, it is very important to understand the business needs of the application.

  • Start with interviews and normal browsing of the application
  • Identify the entry points of the application
  • Find the technologies used to develop the application

2. Understand the APIs used to develop the applications

  It is important to understand the APIs used to develop the applications. There may be third-party APIs, available on the web, that are used to build different analytics and business data. On the one hand these APIs provide flexibility and are easy to use, but at the same time they introduce different vulnerabilities into the application.

3. Infrastructure used to host the applications

  The web servers that host the applications are the most important piece of infrastructure. Vulnerable or outdated web servers pose a significant risk of the application being hacked. Technical testing of these web servers is important, because if they are compromised, the security of the entire application is finished.

4. Decide what type of assessment is required

  It is important to understand what type of application testing is required. Grey box, white box and black box testing should all three be performed together, as it is important to understand how an attacker views your application.

5. Go with manual and automated security testing

  It is important to use at least three different automated tools, such as Qualys, Acunetix, Netsparker, IBM AppScan, HP WebInspect or any other tools of your choice; open source tools should also be used, as there is a possibility that open source gives some differing information. While performing automated testing, it is important to analyse the raw reports and check for any "errors" or "no service" messages, as these show which points in the application are creating challenges.

  Manual testing should always be done alongside automated testing, as it can reveal major challenges in identifying vulnerable areas.


All the above-mentioned steps will help create a vulnerability map, which helps to understand how threats will come at the applications and what creates challenges in them. This in turn defines the parameters for closing vulnerabilities across the applications and the infrastructure hosting them.

It is always good to follow the OWASP Top 10 for mapping application vulnerabilities; however, it is also good practice to map the SANS Top 25 errors that can lead to serious security vulnerabilities.
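As an added example (not code from the original post), here is a small Python sketch of the vulnerability map the steps above lead to: it merges findings from several scanners, flags anything only one tool reported for manual verification, tags each entry with an illustrative OWASP Top 10 category, and picks out the "error" / "no service" lines in the raw reports. The scanner names, the finding fields, the CWE-to-OWASP subset and the log line format are all constructed for the example.

```python
from collections import defaultdict
# Constructed sample findings, as if normalised from three scanners' raw reports.
# The field names are this example's assumption, not any vendor's export format.
FINDINGS = [
    {"tool": "scannerA", "url": "/login", "param": "user", "cwe": "CWE-89"},
    {"tool": "scannerB", "url": "/login", "param": "user", "cwe": "CWE-89"},
    {"tool": "scannerC", "url": "/login", "param": "user", "cwe": "CWE-89"},
    {"tool": "scannerA", "url": "/search", "param": "q", "cwe": "CWE-79"},
    {"tool": "scannerB", "url": "/api/v1/report", "param": None, "cwe": "CWE-1104"},
]

# Constructed raw-report lines; the "error" / "no service" messages the post says
# to look for mark endpoints the scanners could not exercise properly.
RAW_LOG = """\
[scannerA] GET /login 200 OK
[scannerA] POST /api/v1/export error: connection reset
[scannerB] GET /api/v1/export no service
[scannerC] GET /admin 403 Forbidden
"""

# Illustrative subset of CWE -> OWASP Top 10 (2021) categories; extend as needed.
OWASP_MAP = {
    "CWE-89": "A03:2021 Injection",
    "CWE-79": "A03:2021 Injection",
    "CWE-1104": "A06:2021 Vulnerable and Outdated Components",
}

def build_vuln_map(findings, min_tools=2):
    """Merge findings keyed by (url, param, cwe). A finding reported by fewer than
    min_tools scanners is kept but flagged for manual verification, not discarded."""
    merged = defaultdict(set)
    for f in findings:
        merged[(f["url"], f["param"], f["cwe"])].add(f["tool"])
    return {
        key: {
            "tools": sorted(tools),
            "owasp": OWASP_MAP.get(key[2], "unmapped"),
            "needs_manual_check": len(tools) < min_tools,
        }
        for key, tools in merged.items()
    }

def scanner_trouble_spots(raw_log):
    """Return {url: [lines]} for raw-report lines containing 'error' or 'no service'."""
    spots = defaultdict(list)
    for line in raw_log.splitlines():
        low = line.lower()
        if "error" in low or "no service" in low:
            spots[line.split()[2]].append(line)  # constructed format: [tool] METHOD URL ...
    return dict(spots)
```

The endpoints returned by scanner_trouble_spots are the places to revisit by hand, since the automated tools could not exercise them.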