Tips for Security Testing

With cyber attacks on the rise, security is not something that can be compromised. It must be designed in and tested throughout the life cycle of any application. Under no circumstances should an application disclose confidential information to anyone other than the intended recipient. A breach of confidentiality has a direct negative impact on customers and therefore on the business: loss of customer confidence, damage to your brand, unexpected downtime of the website, lost revenue and, in the worst case, legal fees and liability.

Many small-to-medium sized businesses have hurriedly built websites that let customers order products and services without taking security into consideration, and these sites are correspondingly more vulnerable to attack.


Here are some tips that can help make your website safer for handling customer information and help you avoid common vulnerabilities:

Authentication Management

Deals with verifying the digital identity of a user, or of the sender of a communication, for example during the logon process.

Password Guessing

  1. Passwords should meet a minimum length, and any requirement for a mix of lower case, upper case, digits and special characters should be enforced on the server, not only in the browser.
  2. Passwords must not be dictionary words or obvious choices such as system, website or password; check new passwords against a list of common and previously breached passwords.
  3. A user must not be able to bypass authentication by typing the URL of an internal page directly into the browser: every protected page must check for a valid session on the server before it renders.

Brute-force Attack

  1. Temporarily lock the account, or slow down further attempts, after a small number of failed logins. Note that a permanent lockout lets an attacker lock legitimate users out simply by failing their login on purpose, so prefer a time-limited lock combined with per-IP rate limiting.
  2. Login error messages must not reveal which part of the credentials was wrong; "Invalid username or password" should cover every case, including an unknown user and a locked account.
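
The following is an added example, not code from the original post, showing how the two brute-force checks above look when implemented together: salted password hashing, a time-limited lock after a fixed number of failures, and one generic error message whether the user is unknown, the password is wrong or the account is locked. The in-memory user table and the `now` parameter (which lets the lock be tested without waiting) are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed in-memory user store for the example; a real deployment keeps
# this in a database. Only the salt and the password hash are stored.
_USERS = {}

MAX_FAILURES = 5                              # failed attempts before a temporary lock
LOCK_SECONDS = 15 * 60                        # how long the lock lasts
GENERIC_ERROR = "Invalid username or password."   # identical text for every failure


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest). The iteration count is
    kept modest so the example runs quickly; production should use a higher
    count or a memory-hard function such as Argon2."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    _USERS[username] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (success, message). The message never says which part was wrong,
    and an unknown or locked account is indistinguishable from a bad password."""
    now = time.time() if now is None else now
    user = _USERS.get(username)
    if user is None:
        # Spend the same CPU as a real check so unknown users cannot be
        # distinguished by response time.
        hash_password(password, b"\x00" * 16)
        return False, GENERIC_ERROR
    if user["locked_until"] > now:
        return False, GENERIC_ERROR
    _, digest = hash_password(password, user["salt"])
    if hmac.compare_digest(digest, user["hash"]):   # constant-time comparison
        user["failures"] = 0
        return True, "Welcome."
    user["failures"] += 1
    if user["failures"] >= MAX_FAILURES:
        user["locked_until"] = now + LOCK_SECONDS   # time-limited, not permanent
        user["failures"] = 0
    return False, GENERIC_ERROR


def is_locked(username: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    user = _USERS.get(username)
    return user is not None and user["locked_until"] > now
```

The lock expires on its own, which limits the denial-of-service an attacker can cause by deliberately failing someone else's login; a real deployment would add rate limiting keyed on source IP as well, so that a single client cannot cycle through many accounts.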

Password Recovery

  1. The change-password screen must require the current password as a mandatory field.
  2. Do not rely on setting autocomplete "off" on password fields: modern browsers ignore it for password managers, and a password manager that fills long random passwords is a net gain. Check instead that the application never pre-fills a password from the server side or echoes it back in the page source.
  3. The password must never be displayed on screen or sent by e-mail. Recovery should send a time-limited, single-use reset link to the registered e-mail address; if the application is able to e-mail the existing password, it is storing passwords in a recoverable form, which is itself a finding.
  4. On the change-password screen, the account is locked or further attempts throttled if the user enters the current password incorrectly more than a limited number of times (say 3).
  5. The application should return the same generic message whenever authentication fails, whether the user ID, password or security question was wrong, and the "forgot password" form should respond identically whether or not the account exists.
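
As an added example, not part of the original post, here is the reset-link flow that items 3 and 5 describe: the "forgot password" form answers identically whether or not the account exists, the token is random, expires after a fixed time and is deleted on first use, and only a hash of it is stored so a leaked database does not yield live reset links. The in-memory token table, the `_KNOWN_USERS` set and the `now` parameter are assumptions made so the example runs offline; in a real system the token would be e-mailed rather than returned to the caller.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

RESET_TTL_SECONDS = 15 * 60

# Constructed stores for the example: which accounts exist, and
# sha256(token) -> (username, expiry time).
_KNOWN_USERS = {"alice"}
_RESET_TOKENS = {}


def _token_hash(token: str) -> str:
    # Store only the hash; the raw token lives solely in the e-mailed link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited reset token for an existing account.
    The password itself is never sent anywhere."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _RESET_TOKENS[_token_hash(token)] = (username, now + RESET_TTL_SECONDS)
    return token


def request_reset(username: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """What the 'forgot password' form does. The user-visible message is the
    same whether or not the account exists (item 5). The token is returned
    here only so the example can be tested; in production it is e-mailed."""
    token = issue_reset_token(username, now) if username in _KNOWN_USERS else None
    return "If that account exists, a reset link has been e-mailed to it.", token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is valid and unexpired, else None.
    The token is removed on first use, so the link cannot be replayed."""
    now = time.time() if now is None else now
    entry = _RESET_TOKENS.pop(_token_hash(token), None)
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    return username
```

After `redeem_reset_token` succeeds, the application lets the user set a new password and should also invalidate every other outstanding session for that account.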

Session Management

Session expiration

  1. The application should log the user off, or expire the session, after a period of inactivity and after an absolute maximum session lifetime.
  2. Depending on the business scenario, control whether concurrent logins from different browsers or devices are permitted.

Session Hijacking

  1. Session IDs must be unpredictable: generated from a cryptographically secure random source, long enough that guessing is infeasible, and regenerated after login.
  2. All traffic, not only "important" data, should be carried over HTTPS, and the session cookie should be flagged Secure and HttpOnly so it is never sent in clear text or exposed to script.
  3. Cookies should not store personal or sensitive data; the cookie should hold only an opaque session identifier that is looked up on the server.
  4. If a cookie must carry sensitive data, it should be encrypted and integrity-protected with a server-side key, so the client can neither read nor tamper with it.
  5. Logging out must invalidate the session on the server, not merely delete the cookie in the browser; a copied cookie must stop working once the user logs out.
  6. When the site uses cookies to maintain a user's logged-in state, it must not be possible to become another user by changing a cookie or URL parameter in the browser (for example a cookie that holds user=alice in plain text).
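
The following is an added example, not code from the original post, covering the session checks above: an opaque, unguessable session ID looked up in a server-side table, cookie flags that keep it off the wire in clear text and away from script, idle and absolute time-outs, server-side invalidation on logout, and, for contrast, the cookie pattern item 6 warns against, where the cookie names the user directly. The in-memory session table and the `now` parameter are assumptions made so the example runs offline.

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 20 * 60        # log out after 20 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # and unconditionally after 8 hours

# Constructed server-side session table: session id -> record.
_SESSIONS = {}


def create_session(username: str, now: Optional[float] = None) -> str:
    """Issue a new session after a successful login. The id carries no user
    data; the mapping to the user exists only on the server."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)   # 256 random bits, not a counter or a hash of the user
    _SESSIONS[sid] = {"user": username, "created": now, "last_seen": now}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: HTTPS only, unreadable by JavaScript, not sent on
    cross-site requests."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def resolve_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the logged-in username for this cookie value, or None if the id
    is unknown, idle for too long, or past its absolute lifetime."""
    now = time.time() if now is None else now
    rec = _SESSIONS.get(sid)
    if rec is None:
        return None
    if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
        del _SESSIONS[sid]
        return None
    rec["last_seen"] = now
    return rec["user"]


def logout(sid: str) -> None:
    """Invalidate on the server. Clearing the browser cookie alone leaves a
    copied cookie usable."""
    _SESSIONS.pop(sid, None)


def resolve_insecure_cookie(cookie: str) -> Optional[str]:
    """The anti-pattern from item 6: a cookie such as user=alice. Anyone who
    edits the value becomes that user, with no server-side check at all."""
    name, _, value = cookie.partition("=")
    return value if name == "user" and value else None
```

To test item 6 against a real application, log in, capture the cookie, change one character in it (or replace it with another user's identifier if it is readable) and replay the request; the server must respond as if no session exists.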

Error Handling

Directory Path Traversal

  1. Error messages must not reveal technical details such as the root directory structure, file paths, stack traces or database names; show a generic message to the user and log the details on the server.
  2. Every directory should have a default page (index.html, default.aspx, index.php) or, better, directory listing should be disabled in the web server configuration, so that a directory's contents are never listed.
  3. Old and historical pages, backups and test files should be removed from the web root.
  4. Folders and files in the root directory should not follow guessable naming conventions (admin, backup, old), and the application must reject any request path that resolves outside the web root (for example ../../etc/passwd, also in URL-encoded or double-encoded form).
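
As an added example, not code from the original post, here is the path check referred to in item 4: a request path is URL-decoded (twice, to catch double encoding), normalised, joined onto the web root and then rejected unless the result still lies inside that root. It is pure string logic using `posixpath`, so it runs the same on any OS; the `WEB_ROOT` value is an assumption for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"   # assumed document root for the example


def safe_path(user_path: str) -> Optional[str]:
    """Map a requested path onto WEB_ROOT, or return None if it would escape.

    Every request is treated as root-relative, so a leading '/' or '../'
    cannot climb above WEB_ROOT; the final prefix check is what actually
    enforces containment, everything before it is normalisation."""
    decoded = unquote(user_path)        # %2e%2e/  -> ../
    decoded = unquote(decoded)          # %252e%252e/ -> %2e%2e/ -> ../
    if "\x00" in decoded:               # null bytes truncate paths in C-based servers
        return None
    decoded = decoded.replace("\\", "/")   # ..\..\ on Windows-hosted servers
    rel = decoded.lstrip("/")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    # The trailing '/' matters: it stops /var/www/site-old passing as /var/www/site.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full


def generic_error_body() -> str:
    """Item 1: what the user sees on any failure. The real exception, with its
    paths and stack frames, goes to the server log only."""
    return "The requested page could not be served."
```

A web server that already confines requests to its document root still needs this check anywhere the application itself opens files named by user input (download endpoints, template or language selectors, image resizers), because those bypass the server's own mapping.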

Cross-Site scripting (XSS)

  1. Do not rely on rejecting special characters such as '<' and '>' in input fields: this breaks legitimate input (names like O'Neill, text such as 1 < 2) and does not stop attacks in attribute, script or URL contexts. The check that matters is that every value reflected into a page is encoded for the context it is inserted into (HTML body, attribute value, JavaScript, URL).
  2. Test for persistent (stored) cross-site scripting: submit a script payload through each input field that is stored and later displayed, and confirm it is rendered as text, not executed, on every page that shows it.
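
The following is an added example, not code from the original post, that makes the point in item 1 concrete: a filter that strips '<' and '>' on input is bypassed by a payload that only needs quotes to break out of an attribute, whereas encoding the value at output time neutralises it. The same `render_profile_encoded` is what a stored value from item 2 must pass through whenever it is displayed. The `<input>` template and the `attribute_is_intact` checker are assumptions made for the example.

```python
import html
import re


def strip_angle_brackets(value: str) -> str:
    """The 'defence' from item 1: drop < and > at input time."""
    return re.sub(r"[<>]", "", value)


def render_profile_naive(display_name: str) -> str:
    # Input filtering only; the value is then dropped into an attribute as-is.
    safe = strip_angle_brackets(display_name)
    return f'<input type="text" name="name" value="{safe}">'


def render_profile_encoded(display_name: str) -> str:
    # Output encoding for the HTML attribute context: quote=True also
    # encodes " and ', which is what keeps the value inside the attribute.
    safe = html.escape(display_name, quote=True)
    return f'<input type="text" name="name" value="{safe}">'


def attribute_is_intact(rendered: str) -> bool:
    """True if the rendered tag still has exactly one quoted value attribute
    and nothing was smuggled in after it."""
    return re.fullmatch(r'<input type="text" name="name" value="([^"]*)">', rendered) is not None


# Constructed payload: no angle brackets at all, so the naive filter leaves it
# untouched, yet it closes the value attribute and adds an event handler.
PAYLOAD = '" autofocus onfocus="alert(document.cookie)'
```

Running `render_profile_naive(PAYLOAD)` yields `<input type="text" name="name" value="" autofocus onfocus="alert(document.cookie)">`, which executes as soon as the page loads; the encoded version keeps the whole payload inside the attribute as inert text. The same separation applies to a JavaScript string or a URL: each context needs its own encoder, and an input-time blacklist covers none of them reliably.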

SQL Injection

  1. Input validation must be enforced on the server (validation done only in the page is bypassed trivially), but rejecting SQL keywords or characters such as ', -- or = is not a defence: it blocks legitimate input and is easily evaded.
  2. The application must never build SQL statements (Transact-SQL or any other dialect) by concatenating user input; use parameterized queries or prepared statements so that user input is passed as data, never as part of the statement text.
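
As an added example, not code from the original post, here is the login query from item 2 written both ways against an in-memory SQLite database: the concatenated version is bypassed by a classic `' --` or `' OR '1'='1` payload and crashes on a legitimate apostrophe, while the parameterized version treats the same input as plain data. The table, the single user row and the placeholder password-hash string are constructed for the example (a real application compares a proper password hash, not a fixed string).

```python
import sqlite3
from typing import Optional, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user. The pw_hash column holds
    a placeholder string, not a real hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES ('alice', 'hash-of-alice-password')")
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str) -> Optional[Tuple]:
    # Item 2 violated: the statement text is assembled from user input, so a
    # quote in the input changes the structure of the query.
    sql = (
        f"SELECT id, username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    )
    return conn.execute(sql).fetchone()


def find_user_parameterized(conn: sqlite3.Connection, username: str, pw_hash: str) -> Optional[Tuple]:
    # Placeholders: the statement is fixed, the values travel separately, and
    # quotes or comment markers in them are just characters.
    sql = "SELECT id, username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


def vulnerable_query_raises(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenated query fails outright on this username (a
    legitimate O'Brien breaks it, which is also how testers first spot it)."""
    try:
        find_user_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True
```

The same placeholder syntax (`?`, `%s` or `:name` depending on the driver) exists in every mainstream database library; the point of the check is that no string containing user input is ever passed as the statement itself.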

Controlled Access

  1. The registration process should not be automatable; a CAPTCHA (or an equivalent anti-automation control) should be mandatory on the registration form.
  2. Personal information such as information about children, date of birth or passport number should only be collected on pages served over HTTPS, with a clear notice about how the data will be used.
  3. The site should be accessible only over current TLS versions with strong cipher suites; connections offering 40-bit or other export-grade encryption must be refused rather than supported, and the site should be verified to work correctly in current browsers under that configuration.

Design & Configuration

  1. Digital certificates are configured correctly on the server and, where client certificates are used, on the client: a valid chain to a trusted CA, the correct hostname, and not expired.
  2. The application should include time-outs due to inactivity.
  3. Bookmarking cannot be prevented, so test the effect instead: re-opening a bookmarked link to a secured page without a valid session must land the user on the login page, never on the page itself.
  4. Disabling right-click or "View Source" provides no security, since the page is already in the user's browser and can be read with developer tools or a proxy; do not treat it as a control, and do not put secrets in client-side code.
  5. Check that secured pages are not served from the browser cache after logout. You can check this by pressing the Back button (or the Backspace key in older browsers) after logging out; the page must not be shown. Sensitive responses should be sent with Cache-Control: no-store.

Recommended Tools:

  • GAURAV SINGH

    Nice post!!
    Would like to learn more on "Cross-Site scripting (XSS)" & "SQL Injection" in the future releases.
    Thanks