+1 866 537 8234 | +91 265 6133021

Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)
Blog Home  »  Application Security Testing   »   3 Web Application Security Testing Best Practices

Managed WAF

Starts at $99

Guided onboarding, monitoring of latency, false positives, and DDoS attacks, custom rules, and more

Try Free For 14 Days

3 Web Application Security Testing Best Practices

Posted DateJune 26, 2015
Author Bio
Posted Time 5   min Read
The way businesses look at web applications has changed dramatically over the decade. What was limited to develop-and-forget, is now the powerhouse that runs businesses across the world. Web applications account for multiple changes, especially in sectors that are largely dependent on online transactions. So, does it change anything in the overall security outlook? As a matter of fact, it does.
So what are the best ways to deal with both? Should you look into automated web application scanning or manual penetration testing? What are the testing best practices?

Businesses must thrive to stay ahead of the competition, a large part of which includes enhancing user experience and interface with frequent changes. Problems start to surface when there is not enough time and resources to test these applications, especially for vulnerabilities that lead to potential breaches into the server. Additionally, there are business-specific flaws that get trapped into logic paradoxes and offer unintentional breach opportunities to hackers.

Web Application Testing Issues

Before you can look into web application scanning, it is important to understand why it is so important to secure applications. With a constant rise in the number of applications being developed and used for critical business processes, they have also become primary targets for hackers. In fact, it has been estimated that over 75% of the breaches today happen at the application layer. Here are some of the top threats that you might want to look into.

1. Known Vulnerabilities

With decades of work and knowledge, a pool of information security experts from OWASP and WASC layout multiple known application vulnerabilities yearly that can be exploited to breach security. Although these vulnerability lists are not exhaustive, they are often referred to as the foundation to start securing applications.

Currently, according to various application security experts, Injection Flaws tops the list of vulnerabilities. In fact, 91% of the websites detected with ‘Critical’ level vulnerabilities tested by our IndusGuard Web had SQL Injection vulnerability. Hackers often look for this vulnerability on the website and then use input mediums like forms and URLs to make the server execute certain commands. You can read more about it on “All You Need to Know about SQL Injection

Recently, the user database from a leading song portal was breached reportedly through SQL Injection. The database showed records for millions of users of the website users, but the hacker didn’t compromise them.

Similarly, websites for major online taxi-for-hire services were also hacked exposing credit card transactions and vouchers codes.

Following is a list of some of the web application vulnerabilities listed by the Open Web Application Security Project.

Blog Web Application Testing

2. Business Logic Flaws

As web applications get complex and multi-dimensional in nature, vulnerabilities are not just limited to universally known factors. At times, there are issues that result from multiple logic flaws and end up loosening security.

A business logic flaw is an application vulnerability, which arises by circumstantial security weakness. As a one-of-a-kind problem, it does not have a universal solution and cannot be detected by automated web application scanning either. Here is a simple way to understand this.

“Only those who understand your business will be able to detect your business logic flaws.”

Here’s an example to understand business logic flaws.

A renowned stockbroking firm wanted its customers to trade online. Their dummy online trading platform focused on increasing participation and making transactions faster in a two-step process.

Step 1: Users could pick stocks of their choice, number of shares, and click on ‘BUY’. The application then calculated the total value of the transaction and asked users to ‘PLACE ORDER’.

Blog Web Application Testing

Step 2: After step 1, users can choose to either proceed with the order or cancel the transaction.

The Problem:

The web application scanning session showed that the application was clean of any OWASP or WASC vulnerability, but problems existed. An attacker could actually make informed decisions and make huge profits without administrators knowing about it. The attacker had to select stock at a current price and freeze the process at the confirmation dialog box. If the next day, prices for that particular stock shoot up, he could confirm the frozen trade and get the stocks at older value.

3. Zero-day Threats

Zero-day threats come from vulnerabilities that came into public recently and remain unpatched. There are also ‘less than zero-day vulnerabilities’ that are passed onto hackers ranks for exploitations and are unknown to the world. Over the years, the number these unknown vulnerabilities have increased with the likes of Heartbleed, POODLE, and FREAK wreaking havoc all across the world.

In fact, just a couple of months ago, WordPress was dealing with a dual zero-day vulnerability that allowed Cross-Site Scripting (XSS) on thousands of websites globally. This attack targeted the then-latest version of WordPress. Attackers could exploit the vulnerability by sending injected HTML messages to site admins. From there attackers could create accounts and changes passwords, or pretty much everything that the targeted admin could do.

Blog Web Application Testing

Although WordPress released patches for these vulnerabilities soon after, it gave plenty of time to the underground world to target several multiple websites at a time. In fact, a number of zero-day vulnerabilities have repeatedly rocked the boat for Adobe and Java. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) have also suffered encryption breaches in recent months.

Integrated Web Application Testing

As more and more companies are shifting their business processes and data storage online, they spend a lot of time and energy looking for vulnerability assessment programs too. Inevitably, the choice comes down to automated and manual testing with their unique features.

On one hand, it is impossible to allocate dedicated time and personnel to testing after every little web application change, a task at which automated web application scanning is good at. On the other hand, business logic flaw detection requires human thinking and manipulation to penetrate in rather unconventional ways. This leaves companies at the helm of what decision-makers find feasible.

Our question is: Why can’t you get the benefits of both in one integrated web application scanner? Why can’t it offer both automated testing for OWASP Top 10 and manual penetration testing for business logic flaws?

Indusface Scanning does it with managed web application scanning. It audits app security by detecting OWASP vulnerabilities and malware while security experts perform penetration testing to find out business logic vulnerabilities. It also provides additional features like malware and blacklisting detection, defacement protection, and unlimited attack demonstrations. And for zero-day vulnerabilities, there’s proactive support and remediation guidance from experts.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

web application security banner

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

Share Article:

Tags:

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

How Penetration Testing is Different from Ethical Hacking
How Penetration Testing is Different from Ethical Hacking?

Explore the difference between pentesting and ethical hacking, where one evaluates security controls & the other delves deeper into vulnerabilities’ root causes

Read More
Web application penetration testing checklist
Web Application Penetration Testing Checklist

Identify the essential parameters and components to include in your web app penetration testing checklist and learn the steps for conducting pen testing.

Read More
What is penetration testing?
Penetration Testing: A Complete Guide

Penetration Testing, also called pen testing, is a process to identify, exploit, and report vulnerabilities in applications, services, or operating systems.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!