Monthly Archives: October 2014

  • 0
Halloween Offer

Halloween Special Offer: 10% Discount on Web and Mobile Applications Development Services

Tags : 

Are you guys ready to celebrate the festival of Halloween? So all your jack-o-lanterns might be ready and shopping of costumes might be going on. When all our clients are immersed in the festivity of this occasion of remembering the dead, Solution Analysts is all set to make this occasion unforgettable for you, as we are offering 10% discount on all our web & mobile applications development services this Halloween.

The discount is valid for a week from 30th Oct. You guys are our biggest support system and this is just a way to show how important you are to us.

By offering these amazing discounts, we are providing all our existing and prospective clients that are located in 10 countries, just another reason to smile. We believe in making life-long relations with our clients and this discount on Halloween in just a way to show our gratitude.

Those who are searching for efficient web & mobile applications development services this Halloween, our discounts are a bonus to save your money. Not only they would get best-in-class web and mobile applications, but also would be able to reduce the overall cost of development. Our slashed prices are an absolute treat for business people.

About Solution Analysts:

Solution Analysts is a leading web and mobile application development company with wide range of IT solutions located in United States and India.

We offer a range of services that includes website development, mobile apps development, content management system and much more.

To get in touch with our experts contact us at:

Email us: sales@solutionanalysts.com | Chat on Skype: solution.analysts


  • 0
banner_services App Sec

SECURITY TESTING

Tags : 

Introduction
As continues we are using web applications the size of useful data on the web increases, proper security testing of web applications is becoming very important. Security testing is the very much important process of testing life cycle, It is the process to confirm that confidential data stays confidential and users have access to perform only those tasks which are authorized to access.
The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions.
Key Terms Used in Security Testing
1. Vulnerability
It is like any type of weakness in the web application. The cause of it can be bugs in the application, an injection (SQL/ script code) or the presence of viruses.
Vulnerability can be as simple as weak passwords or as complex SQL injection vulnerabilities.
Example
  • http://www.testattack.com/index.php?page=http://www.vulnerabilityattack.com (This attack is for executing attack code on remote server)
2. URL Manipulation
Also known as URL rewriting, is the process of modifying parameters. Websites communicate with servers for sharing information to client (browser). Changing some information in the URL may sometimes lead to abnormal behaviour by the server.
The tester must check url if the application passes important information in the query string. This happens when the application uses the HTTP methods to pass information between the client and the server. The tester can modify a parameter value in the query string to check if the server accepts it.
Example
  • http://www.testattack.com/savepage.php?nr=147&status=del (Changed status code from add to del to delete)
  • http://www.testattack.com/customerdetails.php?cid=149 (Changed customer Id to view the details of customer id = 149)
3. SQL Injection
This is code injection technique through the web application. In this technique site parameters are passed to database in form of SQL query in order to access database or modify it. Special characters from user inputs should be handled/escaped properly.
Entering a single quote (‘) in any textbox should be rejected by the application. If the tester succeeds to generate a database error, it means that the user details inserted in some query which is then executed by the application. In such a case, the application is vulnerable to SQL injection.
Example
  • Write below query in input fields and submit page rather than write in url and post page on server.
  • “SELECT * FROM users WHERE username = ‘martin'”;
  • “SELECT * FROM users WHERE username = ” or ‘1=1′”;
4. XSS (Cross Site Scripting)
It is a type of injection which is typically found in web applications. Attacker can use this method to execute malicious script or URL on victim’s browser. Using cross-site scripting, attacker can use scripts like JavaScript to catch user cookies and information stored in the cookies.
The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application.
Example
  • testattack.com/index.php?userid=123&query=xyz
  • <form action=”view.php” method=”GET” /> Welcome <p>Enter your name: <input type=”text” name=”myname” /><br /> <input type=”submit” value=”Find” /></p><br> </form> <?php echo “<p>Your Name <br />”; echo ($_GET[myname]); ?>
5. Password Cracking
In security testing of a web application Password cracking methods can be used to identify weak passwords. It can be start using guessing the common username and password or use of password cracking tool.
If username or password is stored in cookies without encrypting, attacker can use different methods to steal username and password.
Example
  • Try to get username and password details from cookie in browser.
  • Modify variables using view source and resubmit page.
6. Penetration
It is a type of security testing process to find out insecure areas in projects. The main purpose of this testing is to protect the secure/important data from unknown user who is not valid user of the system like hackers.
There are two types of penetration testing, White box testing & Black box testing. In White box testing tester is having all information of system like IP Address, Code & flow diagram & based on available information tester will perform the testing. In Black box testing, tester will perform testing without having any information of system. This will be more accurate testing method as testing done like real hackers.
Example 
  • Try to get password using reset feature.
  • Input validations must be validated server side also.
Conclusion

In this blog we’ve explained common terms which are used in web application vulnerabilities. Also we need to take care while security testing, the tester must be very careful and not to modify any of the following:

  • Configuration of the application or the server.
  • Services running on the server.
  • Existing user or customer data hosted by the application.
Additionally, a security test should be avoided on a production system.