WEB APPLICATION SECURITY METHODOLOGY
SPI’s Web Application Security Testing comprises methods aimed at discovering flaws at the web application layer. Some of these methods are listed below.
- Parameter Tampering
Parameters are modified and submitted through the web application, with the aim of changing application attributes.
- Manipulation of Hidden Fields
Manipulation of program logic, where requests are fed to the web server using hidden fields in the HTML documents.
- Directory Harvesting
Through discovery of the website’s directory structure, attacks are launched to gain full control over the web server.
- SQL Injection
Sabotaging the database via SQL commands injected into regular input fields.
- Backdoor Access
These tests are aimed at gaining access to sensitive files and defacing the site.
- Buffer Overflow Attacks
Execution of arbitrary code to crash the site, gain full control and launch further attacks.
- Improper Error Handling
Details of internal errors can disclose vital back-end information. This test is carried out to discover all such information.
- Data Encoding
Requests are sent using different encoding standards with the aim of gaining full control of the back-end servers.
- Component Misconfiguration
Component misconfiguration is a common issue in web application environments. The servers in these environments hold critical information.
- Cross-Site Scripting (XSS) Attacks
Cross-site scripting vulnerabilities occur when an attacker uses a web application to send malicious code to a different end user.
- Report and Documentation
In the final phase a consolidated report is generated, detailing the results obtained during the tests. This phase involves recording the identified security vulnerabilities, together with their solutions and workarounds, so that the discovered vulnerabilities can be completely eliminated.
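As an added example, not taken from SPI’s methodology or from this page: a Python checkout handler that trusts hidden `price` and `is_admin` form fields (the parameter-tampering and hidden-field cases above), beside a hardened version that takes the price from a server-side catalog, takes privilege from the session, and records any mismatching client values as findings for the report. The catalog, field names and both handlers are hypothetical.

```python
# Added example: trusting hidden form fields versus validating them server-side.
from decimal import Decimal, InvalidOperation

# Constructed sample catalog: the only trustworthy source of prices.
CATALOG = {"SKU-100": Decimal("49.00"), "SKU-200": Decimal("199.00")}


def vulnerable_checkout(form: dict) -> dict:
    """Uses the hidden 'price' and 'is_admin' fields exactly as submitted,
    so editing them in the request changes both the charge and the privilege."""
    total = Decimal(form["price"]) * int(form["qty"])
    return {"sku": form["sku"], "total": total, "admin": form.get("is_admin") == "1"}


def hardened_checkout(form: dict, session_role: str) -> dict:
    """Treats every request field as untrusted: price comes from CATALOG,
    quantity is range-checked, privilege comes from the server-side session,
    and client values that disagree with the server are reported as findings
    rather than silently corrected (that is what the tester wants to see)."""
    findings = []
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    # The hidden price never enters the calculation; it is only compared.
    client_price = None
    if "price" in form:
        try:
            client_price = Decimal(form["price"])
        except InvalidOperation:
            findings.append("price: not a number")
    if client_price is not None and client_price != CATALOG[sku]:
        findings.append(f"price: client sent {client_price}, catalog says {CATALOG[sku]}")
    if "is_admin" in form:
        findings.append("is_admin: privilege flag supplied by client, ignored")
    return {
        "sku": sku,
        "total": CATALOG[sku] * qty,
        "admin": session_role == "admin",
        "findings": findings,
    }
```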
Sample report

Sample XSS script attack on a web portal
