Thursday, September 07, 2006

Security Testing (Application Layer)

There are different layers at which we can test for security - Physical, Hardware, OS, Network, and Application. In this blog, I am only addressing application layer security testing. Therefore, you'll not find items like testing of firewall policy rules, hardened OS, checking for all open ports on every system in the data center, testing of dialup & VPN access to systems, system interconnection vulnerabilities , or Intrusion Detection System (IDS). This blog is just a starting point and does not gaurantee end-to-end security test plan.
  • Authorization: Act of identifying an individual, i.e. it is determining whether they are who they claim to be. This testing includes:
    • Password based authentication
    • Checking against Denied Parties Restriction List (DRPL)
    • Test for unauthorized countries using Reverse DNS (rDNS)
    • Test for Login leakage: Test to make sure that user is not revealed whether the userID was wrong or password was incorrect, in case of authentication failures.
  • Authentication: Act of determining whether a given user is allowed to access a given resource under given circumstances (Role Based Access Privilege).
    • Test that only authorized administrators with the appropriate privilege are allowed to access each administrative function.
    • Spoof testing by logging with one role and trying to access non-privileged administrative function (use URL bookmarking)
    • Test by accessing restricted URLs without logging in.
  • Password Strength. Test for password length and strength, password history, rollover and expiry. Make sure dictionary words are not allowed.
  • Passwords in clear text.
    • Check for hard-coded passwords into the software bits or scripts. Run strings on binary code and look for password tags and strings
    • Check for password in log files (at all log levels),
    • Check for password in client side cookies and hidden form fields.
  • Encryption. Tests to make sure that all form submissions use encryption to ensure that information such as passwords do not transit on network in clear text form.
    • Use snoop to capture network packets and make sure no data is transmitted in clear text
    • Check for SSL Certificates - HTTPS and TLS (for LDAP)
  • Session Management. Act of maintaining a transaction or a set of transactions from a given user. This involves maintaining the context(some sort of GUID) of an original authentication so that a user does not have to provide a password for every submission.
    • Test for automatic password protected locking feature on time out.
    • Logout action must terminate the active session
    • If multiple servers are used, make sure session transfers are secure and work as designed.
    • Make sure when a session is destroyed, it is destroyed across all systems.
    • Test for maximum session limit per user (if there is any limit imposed).
  • User Profile and Privacy. Make sure that company's privacy policy is communicated to the end-users. Any forms which collect personal information must include a privacy purpose statement explaining why the information is being collected and how it will be used.
  • Cookies: Cookies are stored in the browser cache generally to manage session state. These can be permanent or session specific, with the difference that session cookies get destroyed when browser is closed. Since these are plain files, they can be edited by any hacker.
    • Tests for permanent cookies to make sure no user specific information (ID or username or password!!) is saved.
  • Auditing and Logging: Act of checking a set of actions to ensure that they comply with a given set of expectations.
    • Check for information protection regulations, such as Sarbanes Oxley, Graham-Leach-Bliley, Data Protection Act, or HIPAA.
    • Test to make sure security relevant events are getting logged. Events that are logged must include sufficient information, including: Date/Time; System/Subsystem identifier; User/Process ID (if relevant).
    • Logging events include:
      • Number of password guessing attempts,
      • Attempts to use privileges that have not been authorized,
      • Denial Of Service attacks
      • Login Logs.Test to make sure information logged includes the user name, date and time of login, and any privilege escalations that are requested and are granted or denied.
      • Last Login. Test to make sure that at login time, every user is given information reflecting their last login time and date.
  • Web Security Threats
    • HTTP Get vs. Post. Make sure portal submit form data using HTTP Post. If HTTP Get is used, add data is visible under URL, irrespective of whether HTTP or HTTPS is used.
    • Check for password and other customer sensitive data in hidden form fields.
    • Test to make sure that web server is not configured to show directory listing.
    • XSS security threats. Refer to for more details
    • Make sure that hidden form fields don't carry sensitive user information.
    • URL redirections. Test to make sure all form submissions go through HTTPS
Useful Links:
Trackback URL: Security Testing (Application Layer)

1 comment:

justincarlos said...

Software testing services may be effectively used to guide software development. Following the statistical models and methods for software testing services like usability testing, software development can move to defocus a structured discipline. application testing services