May 22 2009

Security Testing: Input Validation & Access Control Techniques

Security testing is no longer limited to network scanning. That concern led me to write down a few issues that can arise during the security testing of any software. Today's industry is growing at a fast pace, and keeping a check on security threats is our responsibility. This matters most in the Internet era, where people prefer to do most of their transactions online; when we expect to shake hands with people all around the world without leaving our chairs, the security of the system must be assured. There are many points to discuss in security testing; here I will cover some of the threats around input validation and access control. We all know the basic security concepts, but we should also cover these areas to make our testing foolproof.

Input Validation

  • Look for input type="hidden" in the page source. If you find one, change the parameters that follow it and observe the server's response.
  • If an application uses any 3rd-party software or components, test whether all inputs passed by the 3rd-party software are validated before they are used.
  • It is possible to send tainted parameters or manipulated input using tools like netcat (free), Achilles (free), WebScarab (free), WebClient (free, a component for .NET), tcpreplay (free), VuGen for LoadRunner ($) or WinRunner ($), SPIKE Proxy ($), WebInspect ($).
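The hidden-field test above only finds a bug when the server trusts what the browser sends back. The following is an added example, not code from the original post: it puts an insecure checkout handler that reads a unit price from a hidden field next to a hardened one that treats hidden fields like any other untrusted input, validates the remaining parameters against an allowlist and a numeric range, and recomputes the price on the server. The catalogue, the form submissions and all function names are constructed for this illustration.

```python
"""Server-side validation of form input, hidden fields included.

Constructed example (not from the original post): the catalogue, the form
submissions and the handler names are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed price list in cents: the server's own source of truth.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}
MAX_QUANTITY = 10


@dataclass
class Order:
    sku: str
    quantity: int
    total_cents: int


class ValidationError(ValueError):
    """Raised when a request parameter fails validation."""


def checkout_trusting_hidden_field(form: Mapping[str, str]) -> Order:
    """Insecure pattern: the unit price is read back from a hidden field.

    Whoever edits <input type="hidden" name="price"> before submitting the
    form sets their own price. Kept only to contrast with the hardened handler.
    """
    sku = form["sku"]
    quantity = int(form["quantity"])
    price = int(form["price"])  # tainted: the client chose this value
    return Order(sku, quantity, price * quantity)


def checkout_validated(form: Mapping[str, str]) -> Order:
    """Hardened handler: hidden fields are untrusted like any other input.

    The client may legitimately choose only 'sku' and 'quantity'; both are
    checked against an allowlist or a numeric range, and the price is
    recomputed on the server regardless of what the form carried.
    """
    sku = form.get("sku", "")
    if sku not in CATALOGUE:  # allowlist of known products, not a blocklist
        raise ValidationError("unknown sku")

    raw_qty = form.get("quantity", "")
    # Plain ASCII digits only: rejects '', '-1', '1e3', '1 OR 1=1', unicode digits.
    if not re.fullmatch(r"[0-9]{1,3}", raw_qty):
        raise ValidationError("quantity must be a positive integer")
    quantity = int(raw_qty)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValidationError("quantity out of range")

    price = CATALOGUE[sku]  # any 'price' parameter the client sent is ignored
    return Order(sku, quantity, price * quantity)


def rejection_reason(form: Mapping[str, str]) -> Optional[str]:
    """Return why the hardened handler rejects a form, or None if it accepts it."""
    try:
        checkout_validated(form)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed submission with the hidden price field edited down to 1 cent.
    tampered = {"sku": "sku-100", "quantity": "2", "price": "1"}
    print("trusting handler charges:", checkout_trusting_hidden_field(tampered).total_cents)
    print("validated handler charges:", checkout_validated(tampered).total_cents)
    print(rejection_reason({"sku": "sku-100", "quantity": "-1"}))
```

The test described in the bullet above maps directly onto the two handlers: submitting the tampered form against the first one changes the total, against the second one it does not, which is the server response a tester is looking for.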

Access Control

  • Review the access rights assigned to all application users. Ensure the “least privilege” rule is followed.
  • In many places an application uses some form of id, index or key to refer to users, functions or content. We have to make sure the application does not rely on the secrecy of any id for protection, because an attacker can easily guess these ids.
  • Take a look at what has been cached on the client computer after testing a web site. Users may access web applications from shared computers, so browser caching should be turned off for sensitive information.
  • Go through the server boxes to ensure sample and default files are cleaned up.
  • Every attempt should be made to access every resource via every entry point.
  • Take a look at all the open ports on the target box. Understand the purpose of each executable running behind each listening port.
  • Check that HTTPS is used when sending any non-public information. When HTTP is used, everything going over the wire is in clear text.
  • If your web application requires user login, you can run a remote brute-force authentication cracker to verify that strong passwords are enforced and an account lockout policy is implemented.
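Two of the checks above, id secrecy and account lockout, are easiest to understand from the server's side. The following is an added example, not code from the original post: a document store whose sequential ids are trivially guessable but whose fetch routine authorises by ownership rather than by id, shown beside the version with no check at all, followed by a credential store that salts and stretches passwords, compares in constant time and locks an account after a fixed number of failures so a brute-force run stops getting answers. The documents, users, passwords, threshold and function names are all constructed for this illustration.

```python
"""Access-control checks: authorising object references and enforcing an
account lockout policy.

Constructed example (not from the original post): the documents, users and
passwords are made-up fixtures and the function names are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed fixture: documents keyed by a sequential, easily guessed id.
# Guessable ids are acceptable only because access is decided by ownership.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's tax return"},
    2: {"owner": "bob", "body": "bob's payslip"},
}


class Forbidden(PermissionError):
    """Raised when the requester may not read the requested document."""


def fetch_document_insecure(doc_id: int) -> str:
    """No authorisation: trusts that clients only ask for ids they were shown."""
    return DOCUMENTS[doc_id]["body"]


def fetch_document(requester: str, doc_id: int) -> str:
    """Authorise by ownership. 'Missing' and 'not yours' raise the same
    error so the response does not confirm which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requester:
        raise Forbidden("no such document")
    return doc["body"]


def can_read(requester: str, doc_id: int) -> bool:
    """True if fetch_document would succeed for this requester and id."""
    try:
        fetch_document(requester, doc_id)
    except Forbidden:
        return False
    return True


MAX_FAILURES = 5          # lockout threshold (assumed policy value)
PBKDF2_ROUNDS = 100_000   # assumed work factor; tune to the hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failures: int = 0
    locked: bool = False


class UserStore:
    """Minimal credential store with a failed-attempt counter per account."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.locked

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            # Hash anyway so an unknown username costs as much as a wrong password.
            hash_password(password, b"\x00" * 16)
            return False
        if acct.locked:
            return False  # policy: no further answers until an operator unlocks
        if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False
```

A tester running the brute-force check from the last bullet should see the behaviour of `login` here: after `MAX_FAILURES` wrong guesses even the correct password is refused. Likewise, requesting id 2 as alice should be indistinguishable from requesting an id that does not exist.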

I have addressed some of the major security testing methods that we can use when testing input validation and access control in our applications. I would really appreciate your comments and input regarding this blog post.

1 Comment on this post

  1. Mike said:

    Hi, nice posts there :-) thanks for the interesting information

    May 23rd, 2009 at 4:12 pm
