There are many common applications that are written using web technologies that users can access from anywhere at any time with just an internet connection. Web security is essential to protect a user’s confidential information and is also an important part of web application testing. Even for the experienced tester, web application security can seem daunting. How do you start building up these skills?
Here are some tips for building up team skills in security testing.
What is Web Application Security Testing?
“A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls. A web application security test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.”
How to become a Web-Security Tester (Web penetration tester)?
Basic IT knowledge
You need a foundation of basic knowledge in networks, web applications, client-server architecture, databases, etc…
You also need to know how to use both the command line and Linux. Think about the hackers in movies that always have a black box on their screen with text scrolling. It may be just a movie, but it is based on reality. Hackers and penetration testers commonly use the command line, and many tools that support pen-testing are available in Linux (for example, Kali Linux, a Debian-derived Linux distribution designed for digital forensics and penetration testing).
Lastly, you need to know TCP/IP at the packet level. This can be learned in a day or so to understand and analyze the packet’s information. You can use a packet sniffing tool called Wireshark to capture, analyze, and see what’s really going on when a request is sent to a server instead of blindly accepting documented behavior without understanding what’s happening.
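To make the "packet level" concrete, here is an added example (not part of the original article) that builds a constructed TCP SYN segment inside an IPv4 header and then parses it back, the same fields you would read off a Wireshark capture. It verifies the IPv4 header checksum as a defender would when checking that a tool's claim about a packet is actually true. The addresses, ports and sequence number are made-up sample values.

```python
import socket
import struct

# Name/bit pairs for the six classic TCP flags (low byte of the flags field)
TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"       # 20-byte TCP header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed sample: TCP SYN from 10.0.0.5:51234 to 93.184.216.34:443, no payload."""
    src = socket.inet_aton("10.0.0.5")
    dst = socket.inet_aton("93.184.216.34")
    # data offset 5 words (0x50), flags = SYN only, window 65535, checksum left 0 for brevity
    tcp = struct.pack(TCP_FMT, 51234, 443, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    fields = [0x45, 0, total_len, 0x1C46, 0x4000, 64, 6, 0, src, dst]   # DF set, TTL 64, proto TCP
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))             # fill in the checksum
    return struct.pack(IPV4_FMT, *fields) + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode the IPv4 header (and the TCP header if present) into a readable dict."""
    (ver_ihl, _tos, _total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "dont_fragment": bool(flags_frag & 0x4000),
        # Summing a header that already contains its checksum yields 0 when it is intact
        "ip_checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }
    if proto == 6 and len(pkt) >= ihl + 20:
        (sport, dport, seq, _ack, off_res, flags,
         _window, _tcsum, _urg) = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
        data_off = (off_res >> 4) * 4
        info.update({
            "sport": sport,
            "dport": dport,
            "seq": seq,
            "tcp_flags": [name for name, bit in TCP_FLAG_NAMES if flags & bit],
            "payload_len": len(pkt) - ihl - data_off,
        })
    return info


if __name__ == "__main__":
    for key, value in parse_packet(build_sample_packet()).items():
        print(f"{key:16} {value}")
```

Flip one byte of the built packet before parsing and `ip_checksum_ok` turns false; that is the kind of check that separates "the tool says so" from "I verified it on the wire".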
Understand security vulnerability terms and concepts and ways to exploit them
It is strongly recommended that you read books and blogs on these topics. The OWASP Testing Guide v4 is a great book for beginners, and the OWASP website is a great source for learning web penetration testing.
There are many terms and concepts you could learn, but if you try to learn them all it may become stressful and overwhelming. It is best to focus on understanding a few key terms that are most likely to apply to your application. You can start by learning the OWASP Top 10 vulnerabilities first.
Use online training tools or set up a lab to practice
“Study must be accompanied by practice.” A great way to start learning web penetration testing is to test an application which has known vulnerabilities. Some vulnerable web applications you can use to practice are: Altoro Mutual, Hackazon, Acuart, Web Scanner Test Site, Google’s Gruyere. These applications demonstrate common web security problems such as cross-site scripting, SQL injection, session management issues and more.
Alternatively, you can set up a vulnerable web app yourself to practice on. My preference is the OWASP Broken Web Applications Project, a collection of purposefully vulnerable applications for safely practicing penetration testing. The Broken Web Applications (BWA) Project produces a virtual machine running a variety of applications with known vulnerabilities for those interested in:
- Learning about web application security
- Testing manual assessment techniques
- Testing automated tools
- Testing source code analysis tools
- Observing web attacks
- Testing WAFs and similar code technologies
Learn from others
You can pair up with developers to investigate application behavior, which they should be able to demonstrate. For example, if you have a SQL injection checklist, try each input and see whether it executes on the database server or not. If not, figure out why not. If it does, the exercise is educational for both of you. Developers can also explain the design of the application to you and how it is intended to protect against attacks.
Learn to use an automated vulnerability scanner
There are many open source tools; my preference is OWASP’s ZAP, and if you want a commercial tool, Burp Suite is a good one. These tools work by routing the HTTP traffic to and from an application through a proxy, and then re-sending the requests with various attack attempts replacing the original values. This can be an effective way of finding certain classes of vulnerability in a short amount of time.
However, please note that the tool is just a machine and has no knowledge of the application’s business logic: it is simply replaying requests and checking the responses. There are many types of vulnerability that cannot and will not be found with this strategy, and use of a scanning tool absolutely does not replace the need for manual security testing.
Automated tools, even expensive ones, only find relatively simple vulnerabilities and they usually come up with a lot of “noise”, or false positives. You need to know enough about security vulnerabilities to be able to evaluate each finding of the automated tool. Taking a scanner report and sending it unverified to the developers is the worst possible thing one could do.
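To show both halves of this, the replay mechanism and the noise it produces, here is an added example (not from the original article, and not how ZAP or Burp are implemented) with a tiny in-process stand-in for a target page and a scanner loop that re-sends a captured request once per parameter with the value replaced by a marker. The stand-in escapes one parameter on output and echoes the other raw; a naive substring match reports both as findings, and a verification step that demands the full marker unencoded keeps only the real one. Parameter names, the marker string and the page template are constructed.

```python
import html
from urllib.parse import parse_qs, urlencode

PROBE = "<zap12345>"   # constructed marker; real scanners use a unique marker per request


def mock_app(query_string: str) -> str:
    """Constructed stand-in for the target: 'q' is HTML-escaped, 'name' is echoed raw."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    q = html.escape(params.get("q", ""))
    name = params.get("name", "")            # the defect under test: no output encoding
    return f"<h1>Results for {q}</h1><p>Hello {name}</p>"


def replay_with_probe(app, baseline: dict, probe: str) -> dict:
    """Re-send the captured request once per parameter with that value replaced by the probe."""
    responses = {}
    for param in baseline:
        mutated = dict(baseline, **{param: probe})
        responses[param] = app(urlencode(mutated))
    return responses


def naive_check(response: str) -> bool:
    # Any fragment of the marker anywhere in the body: cheap, but flags encoded echoes too
    return "zap12345" in response


def verified_check(response: str) -> bool:
    # The complete marker, angle brackets included, survived into the body unencoded
    return PROBE in response


def scan(app=mock_app, baseline=None) -> dict:
    """Return raw findings, the subset that verifies, and the false positives filtered out."""
    baseline = baseline or {"q": "shoes", "name": "alice"}   # constructed captured request
    responses = replay_with_probe(app, baseline, PROBE)
    raw = sorted(p for p, r in responses.items() if naive_check(r))
    verified = sorted(p for p, r in responses.items() if verified_check(r))
    return {
        "raw_findings": raw,
        "verified_findings": verified,
        "false_positives": sorted(set(raw) - set(verified)),
    }


if __name__ == "__main__":
    for key, value in scan().items():
        print(f"{key:18} {value}")
```

The verified list is what goes to the developers; the false-positive list is the "noise" the paragraph warns about, and in a real report each surviving finding still needs a human to confirm it in context (what the page does with the value, who can reach it) before it is written up.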
Practice, practice and practice
Like any skill, you will get better with practice. As you find more and more vulnerabilities, you’ll start to get a feel for where you should test first in the future. Try to test internal projects in your company (live websites) to find security issues and help fix them.
Conduct sharing sessions
In an organization, when you take the time to build up new knowledge, make sure that others also benefit from it. Remember to learn to share and share to learn. Sharing is also a good way to learn and improve your own knowledge. Conduct sharing sessions and invite people who care about security testing to discuss vulnerabilities and show them how to prevent them.
Continue to build your knowledge
There are many good books about web penetration testing that I recommend reading: