
“86% of websites contain at least one ‘serious’ vulnerability.”
“The most widespread vulnerabilities are Cross-site Scripting, different types of Information Leakage, SQL Injection, and HTTP Response Splitting.”
“There are risks and costs to a program of action–but they are far less than the long range cost of comfortable inaction.”
Web security is often a neglected area.
What we are going to discuss are a few systematic techniques to find problems fast.
Sometimes developers and testers conduct regression tests to check for the most common problems and bottlenecks.
Multi-step tests are required for unusual suspects.
Obtaining and installing the correct set of testing tools also plays a key role at times.
Target Audience
Technical individuals as well as non-IT users.
No programming experience is required.
You should be well-versed with computers and the internet.
Software testing veterans and developers may find the article content rudimentary, as they have already delved deeper into the subject matter.
Let us start with the techniques one by one. While reading, you can experiment with these on your PC, on your own website.
View webpage’s HTML source
Despite the simplicity of this task, it is quite worthwhile to look at it.
This forms the baseline for future tests.
First browse the website and navigate to the webpage in your application that you are interested in.
Right click → select the View Page Source option
Accessing the HTML source is very useful.
Comparing the source before and after an attack reveals many things.
View webpage’s source with an advanced method
Webpages tend to have complex source code nowadays.
Newer platforms, like eCommerce packages, create a single page only after complex processing of a template structure to yield the final output.
The source of a webpage also includes auto-generated code.
To cope with this increased complexity, careful manual analysis of the source code is necessary.
Open your favourite browser, or better, use Firefox.
Install the View Source Chart plugin.
Right click → select View Source Chart
It is a JavaScript-based tool.
It allows better visualization of the webpage and its organization, like
- DOM elements
- hierarchy of HTML tags
etc.
It showcases a clean view of the page source.
“Administration issues are a 20% more frequent cause of a vulnerability than system development errors.”
Observe HTTP headers of live request
HTTP is the protocol of the browser. Browsers communicate, i.e. send requests and receive responses, in the HTTP format.
By observing live HTTP request headers, you can know which
- pages
- servers and
- actions
the web-based client (browser) is accessing.
Open Firefox. Install the Firebug plugin if it is not there yet.
Navigate to the desired page and click on the Firebug symbol in the browser toolbar.
Now, in the Firebug console which opens at the bottom, go to
All → Net
You will see details like
- Host
- User-Agent
- Accept
- Cookie
- Charset
etc.
“Spear-Phishing Campaigns Targeting Employees Increased 55 Percent.” – Symantec
Observe live POST data
When building webpages, submission of large web forms is often required.
They carry a large amount of information.
To transfer this information, POST-type HTTP requests are preferred.
Unlike an HTTP GET request, we cannot see the values of a POST request by looking at the parameters passed in the URL.
To see the parameters that are passed over the connection from our browser to the web server, we need a tool that can precisely interpret HTTP.
Open Firefox and install the WebScarab plugin if it is not installed.
You may have to adjust the WebScarab settings before it allows observation of POST data.
Open any page and fill in the form.
Click on submit.
Launch WebScarab.
It will show several entries revealing recent page requests.
To look into the exact variables and values, go to any page request entry with the method set to POST.
Double-click.
You will be presented with the most granular level of detail.
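To make concrete what the Net panel and the WebScarab POST entry are showing, here is an added example (not code from the article, Firebug or WebScarab) that parses a raw HTTP POST request into its request line, headers, cookies and the form parameters carried in the body. The captured request `RAW_REQUEST`, the host `shop.example.test` and the session id are constructed for illustration. It also builds the GET-style URL the same data would have produced, which is exactly what the article means by POST values not being visible in the URL, and checks that `Content-Length` matches the body, a detail a proxy must recompute whenever you edit a request.

```javascript
// Added example (not from the article, nor Firebug's or WebScarab's code):
// parse a raw HTTP POST request into the pieces a Net panel or proxy shows.
// RAW_REQUEST is a constructed capture, not real traffic.

const RAW_REQUEST = [
  'POST /account/update HTTP/1.1',
  'Host: shop.example.test',
  'User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6',
  'Accept: text/html,application/xhtml+xml',
  'Accept-Charset: UTF-8',
  'Cookie: PHPSESSID=constructed-session-id; cart=3',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 47',
  '',
  'name=Alice&email=alice%40example.test&role=user',
].join('\r\n');

// Split a raw request into request line, headers, cookies, query and body parameters.
function parseRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep < 0 ? raw : raw.slice(0, sep);
  const body = sep < 0 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const [method, target, version] = lines[0].split(' ');

  // Header names are case-insensitive, so store them lower-cased.
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon < 0) continue; // tolerate a malformed header line
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }

  // Parameters in the URL (visible in any GET) versus parameters in the body (POST only).
  const q = target.indexOf('?');
  const path = q < 0 ? target : target.slice(0, q);
  const queryParams = Object.fromEntries(new URLSearchParams(q < 0 ? '' : target.slice(q + 1)));
  const contentType = (headers['content-type'] || '').toLowerCase();
  const params = contentType.startsWith('application/x-www-form-urlencoded')
    ? Object.fromEntries(new URLSearchParams(body))
    : {};

  // The Cookie header is a ';'-separated list of name=value pairs.
  const cookies = {};
  for (const part of (headers['cookie'] || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }

  return { method, path, version, headers, queryParams, params, cookies, body };
}

// A proxy that lets you edit the body must keep Content-Length consistent;
// this check reports whether the declared length matches the actual body.
function contentLengthMatches(req) {
  const declared = req.headers['content-length'];
  if (declared === undefined) return req.body.length === 0;
  return Number(declared) === Buffer.byteLength(req.body, 'utf8');
}

// The same parameters sent as a GET would all sit in the URL (and in server logs).
function toGetUrl(req) {
  const query = new URLSearchParams(req.params).toString();
  return `http://${req.headers['host']}${req.path}${query ? '?' + query : ''}`;
}

const parsed = parseRequest(RAW_REQUEST);
console.log('Method/path:', parsed.method, parsed.path);
console.log('Headers:', parsed.headers);
console.log('Cookies:', parsed.cookies);
console.log('POST parameters:', parsed.params);
console.log('Equivalent GET URL:', toGetUrl(parsed));
console.log('Content-Length consistent:', contentLengthMatches(parsed));
```

Run it with `node` to see the same breakdown the tools present; the `params` object is what the double-clicked POST entry in WebScarab reveals, and the `Cookie` value is the session material that the Firebug Net panel lists.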
“Banking and Financial Services — 41% of web applications are always vulnerable.
Healthcare — 47% of web applications are always vulnerable.”
Watch hidden form fields in a webpage
Almost every website uses hidden form fields to store session-specific data points.
Visitors and users of the website cannot see these values straightaway.
Hidden fields are the first place developers and testers should check when something suspicious occurs.
Attackers do modify them for their own purposes.
Reopen the Firefox browser and the WebScarab plugin console.
WebScarab is a multipurpose toolset.
Go to the Proxy tab and navigate to the Miscellaneous pane of that tab.
Check the check box titled “Reveal hidden fields in HTML pages”.
Now open any webpage that contains hidden form fields.
They should appear as plain text boxes.
WebScarab automatically picks up these hidden form fields along with the other webpage content.
Continue exploring at
https://www.blisswebsolution.com
To read more articles on
- web application development
- eCommerce related ideas or
- practical inputs and techniques to enhance your own mobile application, navigate to
https://www.blisswebsolution.com/blog/
Bliss Web Solution Pvt. Ltd. is a top-notch web development company specializing in the optimization of high-traffic websites.
To delve deeper into the technicalities or to optimize your large-scale Magento web portal, just drop us an e-mail at enquiry@blisswebsolution.com
and we will reply to you within 24 working hours.
You can freely attend the weekend discussions held at our office in Ahmedabad.
Just call us on +91 98256 77818 to raise a ticket or to enter a new project into our system, to be completed within tight deadlines.