Skip to content

Testing objectives

links: WS TOC - Testing - Index


Introduction

This topic is about testing a website for attack points and potential vulnerabilities. The intended situation is that the tester is employed by a company to make a security analysis of their website.

Methodology (Randomly ordered)

  • Get overview of the system
  • List all the entry points
  • Make a check list of controls
  • Report
    • Describe the scope of testing
    • Write the list of tests done and their result
    • For each of the problems, state its "risk"
  • Gather intelligence on the site
    • Who, which technology, server, language, lib
  • Make a map of the site
    • Have a complete list of all features and entry points of an application
  • Find entry points
    • Where can user enter input?
    • Can the application be manipulated?
    • Spoofing(???)
  • Systematically check input validation / output encoding
  • Attack authentication / authorization mechanism
  • Test business logic

Testing techniques

  • Manual inspections and reviews
    • human-driven reviews
    • This approach is time consuming but powerful / effective
  • Threat modelling
    • Decomposing the application
    • Defining and classifying the assets
    • Exploring potential vulnerabilities / threats
  • Code review
    • Check code for completeness, effectiveness and accuracy
    • Requires highly skilled devs
    • Issues can be missed in compiled libraries
  • Penetration testing
    • “If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don’t have a very bad problem”

links: WS TOC - Testing - Index