Web applications offer a range of benefits for developers. Web apps don’t need to be installed, they work across platforms, and there’s no burden on the user to update. However, native apps afford developers far tighter control over the experience, and they’re also generally easier to secure. The native apps versus web apps argument continues, but hybrid apps, which combine elements of the two, are growing ever more popular.
A lot of sensitive data passes through web apps every day. If you want to make sure that data doesn’t fall into the wrong hands, then you have to take security testing seriously. To do that effectively, you’ll need to take a different approach than you normally would with software testing. Hopefully, these tips will help you secure your web apps.
Channeling an attacker
Try to get into the mindset of a potential attacker. Just as you try to emulate the end user when software testing, with security testing you want to emulate an attacker. It’s fair to assume that they’ll seek entry via the path of least resistance. Start with the most common methods and attack scenarios. But it’s important to remember that nothing’s off the table, because an attacker will do anything that will get them the data they want.
Assessing your app
Analyze your app as an attacker might. What are all the different technologies that have been employed to make it work? What are the different levels of access that users can be granted? How is data accessed and stored? You want to identify potential weak points and cross reference them with common types of attack.
The easiest way for any attacker to gain access is probably going to be by cracking a password. Is there any prospect of them guessing username and password combinations, or using a tool to do it for them? Is your app enforcing strong passwords and encrypting cookies? Passwords should always be encrypted, wherever they are stored.
Can attackers input nefarious SQL statements into a text entry field and extract the contents of your database? Sometimes they can access the data they want via error codes in the browser. If you don’t take the right precautions they’ll be able to add, modify, or delete records in your SQL-based database using this common web app vulnerability.
It’s very easy to edit the URL string in a browser. If your security is lacking, this simple method could be used to expose sensitive data or redirect your users. One of the biggest dangers online is fake websites which look like the real thing, but are in fact designed to install malware on the user’s machine or to trick them into handing over personal information. Test to make sure that attackers can’t manipulate URLs to gain access to restricted areas and data, or to redirect users from your legitimate website to their fake version.
Cross site scripting
If an attacker can inject malicious scripts into your website or web app, then they can potentially use your app as a delivery method. You may be unwittingly helping them to get that malicious script onto your customer’s computers. If your web app utilizes user input that’s not encoded or validated, then the attacker can insert a string that will be executed by your user’s browser. Many different types of cross site scripting (XSS) attacks can be used to embed malicious scripts.
You could be giving attackers an easy way in by using out of date software or providing informative error messages. When unnecessary features and default accounts enabled, they can be exploited. In the rush to develop new web apps, unfamiliarity with the technology being used can lead to unpatched flaws and misconfigurations. This easily remedied problem makes it very easy for attackers to gain access. If, for example, default accounts are still accessible an attacker could get into your data without you spotting it.
These are just a few of the things you have to consider when security testing web apps. A good resource to find more common attacks is OWASP. Start with the OWASP top 10, but bear in mind that security is an ongoing battle and new dangers emerge all the time. It’s important to keep up to date. OWASP is currently in the process of updating the top 10 for 2016. There are many other free resources and tools online that can help you test your web app’s security.