Web application testing

Web applications range from the simple to the complex, from full websites to partial components within other technologies. Certain mobile native applications rely almost entirely on public or semi-public web based interfaces for their functionality. Other less visible instances of web applications are full scale APIs that bind different items to services in the shape of web services.

More complex web applications can be made up of a variety of technologies e.g. operating systems, web server software, programming languages and interpreters or frameworks used for dynamic content, database connectors, etc. These are those server-side technologies:

Operating systems: Microsoft Windows 2003/2008 / Linux distributions / Sun Solaris
Web server software: Microsoft IIS / Apache http server / nginx
Dynamic web content implementation languages: PHP / .NET / Ruby on Rails / Plone / Django
Database interaction: Microsoft SQL Server / Oracle database / MySQL / sqlite;
These are client-side ones:

Target browser code: HTML 5 / XML+XSLT
Data formats: JSON / XML;
Client-side interpreted languages: JavaScript / Flash / Silverlight / Java / ActiveX
It is this variety and variability of technologies that makes web applications so interesting to hackers- they allow for a wide range of attack vectors, each against a specific technology or a combination of them.

What kind of attacks?

Web applications are susceptible to server-side and client-side attacks.

Server-side attacks try to compromise the web server, and/or any downstream hosts, or gain access to the backend database. Client-side attacks attempt to exploit the trust relationship between users and their browser, to subvert the application’s data flow.

Most server-side attacks are made possible because of poor configuration, bad patching or poor coding. These can allow the attacker to modify the application’s behaviour or access files containing sensitive information. The worst case scenario is that an attacker can execute malicious code directly on the server and compromise the host. Also input validation issues can be exploited into executing SQL injection attacks can also lead to compromise of the database host or all the information it contains.

Client-side attacks range from taking control of the browser session (by injecting malicious code), to luring victims into unintentionally executing specific tasks. Most vectors come from input validation issues, and the exploitation of persistent or non-persistent Cross Site Scripting attacks aided by third party malicious websites or phishing attacks. Session management and access control issues can also allow an attacker to gain access to admin functionality, or to get information belonging to other users.

How to tackle web application security issues

The environment: Defence in depth will help, and should be used when deploying the web application infrastructure.

Internet facing hosts should be setup with host based firewalls, located in network segments, and firewalled from other infrastructure. A solid patch management policy should be used as well as ensuring that the configuration of hosts and services is reviewed and hardened.

The application: Producing a secure web application can be achieved when coders have a solid understanding of secure coding practices, and of access control and session management mechanisms. All user input should be sanitised by sieving it through a white list of allowed characters. All SQL queries should be parameterised consistently, using custom or supplied database interaction libraries.