Application security testing — A business approach

Rushi Mehta
2 min read · Mar 17, 2020


Let's say a client hands you a web application for security testing. You ask for credentials and start testing. Here are some additional things you can do to impress top management.

1. Detailed walk-through

Take a detailed walkthrough of the application and learn its business flows. Many pages are only reachable once certain conditions are fulfilled; if you don't understand the flow of the application, you will miss important parts of it.

2. Role clarity

Never simply ask for "two user roles and two credentials". Ask for two credentials for every user role. There is something called a Role Matrix: ask for it officially, to be on the safe side. Also, don't forget to check the admin panel and the admin role.
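The role matrix is useful for more than paperwork: it tells you, for every endpoint, which roles should be allowed, and the second credential per role lets you check whether one user can reach another user's data. The script below is an added example, not from the original article, showing how to turn that matrix into test cases. The role matrix, the accounts, the order ownership table and the `toy_app()` stand-in for the application under test are all constructed here, and the request-function signature is an assumption; on a real engagement `toy_app()` would be replaced by authenticated HTTP calls made with the credentials the client supplied.

```python
# Added example: a role-matrix driven authorization check. Not from the
# original article. The role matrix, accounts, object ownership and the
# toy_app() stand-in for the target application are all constructed.

from typing import Callable, Dict, List, Set, Tuple

# Constructed role matrix: endpoint -> roles that are expected to be allowed.
ROLE_MATRIX: Dict[str, Set[str]] = {
    "GET /api/orders/{id}": {"customer", "support", "admin"},
    "POST /api/orders/{id}/refund": {"support", "admin"},
    "GET /api/admin/users": {"admin"},
}

# Two constructed accounts per role, as the article recommends asking for.
ACCOUNTS: Dict[str, List[str]] = {
    "customer": ["cust_a", "cust_b"],
    "support": ["sup_a", "sup_b"],
    "admin": ["adm_a", "adm_b"],
}

# Constructed object ownership: order id -> the customer who owns it.
ORDERS: Dict[str, str] = {"1001": "cust_a", "1002": "cust_b"}

# Assumed request-function shape: (user, role, endpoint, object id) -> status.
RequestFn = Callable[[str, str, str, str], int]

Finding = Tuple[str, str, str, int]  # (user, role, endpoint, status)


def toy_app(user: str, role: str, endpoint: str, obj_id: str) -> int:
    """Constructed stand-in for the application under test.

    Returns an HTTP-like status code. Two defects are built in so the
    checker has something to find: the order view checks the role but never
    who owns the order, and the admin user listing has no role check at all.
    """
    if endpoint == "GET /api/orders/{id}":
        if role not in {"customer", "support", "admin"}:
            return 403
        return 200 if obj_id in ORDERS else 404   # ownership is never checked
    if endpoint == "POST /api/orders/{id}/refund":
        return 200 if role in {"support", "admin"} else 403
    if endpoint == "GET /api/admin/users":
        return 200                                 # missing role check
    return 404


def is_success(status: int) -> bool:
    return 200 <= status < 300


def check_vertical(matrix: Dict[str, Set[str]], accounts: Dict[str, List[str]],
                   request: RequestFn, obj_id: str = "1001") -> List[Finding]:
    """Every account of every role calls every endpoint in the matrix.

    A role that the matrix does not list for an endpoint, yet receives a
    2xx response, is a vertical privilege-escalation finding.
    """
    findings: List[Finding] = []
    for endpoint, allowed_roles in matrix.items():
        for role, users in accounts.items():
            for user in users:
                status = request(user, role, endpoint, obj_id)
                if role not in allowed_roles and is_success(status):
                    findings.append((user, role, endpoint, status))
    return findings


def check_horizontal(endpoint: str, owners: Dict[str, str],
                     accounts: Dict[str, List[str]], request: RequestFn,
                     role: str = "customer") -> List[Finding]:
    """Each object is requested by every *other* account of the same role.

    A 2xx response means one user can read another user's data, which is
    the situation the article describes in business terms as viewing other
    users' details without their authorization.
    """
    findings: List[Finding] = []
    for obj_id, owner in owners.items():
        for user in accounts[role]:
            if user == owner:
                continue
            status = request(user, role, endpoint, obj_id)
            if is_success(status):
                findings.append((user, role, endpoint, status))
    return findings


if __name__ == "__main__":
    for f in check_vertical(ROLE_MATRIX, ACCOUNTS, toy_app):
        print("vertical:", f)
    for f in check_horizontal("GET /api/orders/{id}", ORDERS, ACCOUNTS, toy_app):
        print("horizontal:", f)
```

Run as written, the vertical pass flags the four non-admin accounts that can list users, and the horizontal pass flags each customer reading the other customer's order. Because the expected behaviour comes from the client's own matrix, every finding can be reported as a deviation from what the business itself said should happen.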

3. Testing scenarios

Decide where to start depending on the application. For example, if it is a medical and healthcare application, IDOR and SQL injection should be the priority. If it is a bank, every area must be covered in depth irrespective of the time allotted to you. If it is an internet-facing application, use multiple scanners and tools to test the infrastructure.

4. Production

In general, UAT is never a replica of production. Hence it is highly recommended to test in the production environment, and to test in UAT only when the application owner does not agree to production testing. In case you do need to test in UAT, make it a practice to validate all journeys and pages in production as well.

5. Back-end checks: check directly, don't waste time enumerating

Some of the important aspects should be checked directly from the back end:

  • File upload management
  • Payments reconciliation
  • File download management
  • Database management

6. Demonstrating findings in the report

Take IDOR. "Sir, this application is vulnerable to parameter manipulation/IDOR!" Don't brief senior management like this. Instead say, "Sir, it is possible to view the details and data of other users without their authorization, leading to a privacy and data breach." And see the difference!

Make them understand what you understand, and you succeed.


Written by Rushi Mehta

Cyber Security & Fintech Risk Enthusiast, Trekker, Meditator and Contributor!
