Web Application Testing
Virtually every person in the Western World has access to the internet, either at home, work, school or on their phones. Organisations have responded to this by creating web applications. The advantages of web applications are that they are universal, and don’t require specialist equipment, the end users computer is irrelevant. Organisations now use web applications to provide software to both internal users, remote users and customers. This means that access to some key systems and most importantly data is available to a large number of users and it is vital that it is security tested.
CNS tests a huge number of issues in application (broadly following the OWASP Guide Lines) it is not possible or appropriate to provide a full list or every issue tested but it will include (as examples) Cross Site Scripting, SQL Injection, Session ID Evaluation, Password Evaluation, Password Cracking, Information Leakage, Encryption Evaluation.
A web application test involves an automated scan, which highlights common configuration vulnerabilities. However, automated testing does not give a complete overview of issues affecting web
applications, so the tester will also visit the site manually and perform various functions. Testers will generally use the Firefox browser in conjunction with the OWASP ZAP tool, which analyses HTTP requests sent between the browser and the application, reporting on any interesting finds.
Testers will test the app according to the OWASP Top Ten vulnerabilities, which includes SQL Injection, Cross-site Scripting, and Unrestricted Access to certain files or directories. If certain known
vulnerabilities in a commercial application are discovered, the tester will try to exploit the vulnerability, unless the vulnerability is known to cause Denial of Service issues. Once OWASP Top 10 are covered,
testers will check for lesser known vulnerabilities which may still affect the application.
Generally, the tester will perform testing with different levels of credentials, preferably with access to two accounts at each level (e.g. unauthenticated, member access, admin access). As an unauthenticated
user, the tester will try to authenticate without credentials, or gain access to functionality that should only be available to authenticated users. With an authenticated account, the tester will attempt to access or modify the details of other users.
1. TOR - The Terms of Reference states what we will be doing, who exactly will be doing it, when, any exclusions, restrictions, etc. This must be in place before the review can commence. This is drawn up following communication between the test leader and the client. The function and complexity of the web application should be outlined in the TOR (e.g. simple app with no login, complex app that supports multiple users for managing financial details, etc.)
2. Port Scan - CNS will scan the application IP address for all possible TCP and UDP Ports. This scanning will be performed from our specialist servers in a secure data center.
3. Vulnerability Scanning - CNS will scan the application and active ports identified in the previous step with a number of automated tools, such as Nessus. This will quickly identify any simple vulnerabilities, e.g Default Passwords.
4. Unauthenticated Testing - CNS will perform unauthenticated testing of the web application, trying to find hidden directories or files, and attempting to guess credentials if a login page is found. Any functionality of the application accessible to unauthenticated users will be tested for weaknesses or security issues.
5. Authenticated Testing - If credentials are provided, CNS will authenticate with these credentials and perform testing on the application as it appears from an authenticated perspective. CNS will map out the functionality of the application, and attempt to gain access or modify data on other accounts.
6. Unauthenticated Re-testing - With the knowledge of the authenticated functionality, CNS will attempt to use the same functionality from an unauthenticated user again. For instance, trying to access the details of a user whilst unauthenticated.
7. Documentation - CNS will then document all results and issues identified, providing a detailed executive summary, results table, statistics page, and detailed technical explanation for each page.
8. Quality Assurance - The report will then be passed through our internal QA process where a second senior tester will review the report and the issues identified. The report will then be passed to the testing manager for a final review. The report will continue to go through this process until it is accepted by the team.
9. Report Release - The report will then be provided to the client using the chosen method, by default this will be on an encrypted CD sent via registered post.
10. Optional Retest - As an optional extra, CNS can conduct further testing to verify any fixes applied.
11. Post Testing Debriefing - CNS will then conduct a debriefing for the client.
Enterprise Application Testing
CNS tests a huge number of enterprise application such as SAP or Oracle too. We also test some very specialist applications such as SCADA with its own proprietary protocols.