After four-plus years in the web application industry, I have learned quite a lot, and this post shares some of those lessons on web application security testing.
When talking about web application security testing, there are two fundamental approaches to understand:
1.) Whitebox testing (a.k.a Code Review)
– The tester has access to source code, configuration files, and the actual
2.) Blackbox testing (a.k.a. Penetration Testing)
– The tester has access only to the application’s end-user interface and bases all testing on what is observable through that interface.
In my honest opinion, of these two methods, whitebox testing will generally produce the more accurate result, precisely because the source code is available. The tester can follow data flows through the application from the presentation tier all the way to the data access tier, so each finding can be traced to a specific line of code and its root cause. Blackbox testing, by contrast, can only observe symptoms at the interface, so its results are necessarily less precise.
For example, suppose a SQL injection vulnerability is exposed in 50 different areas of a web application. A blackbox penetration tester will report 50 vulnerabilities, one per module exercised through the user interface. In practice, however, a single shared library may make all of the database calls, and a whitebox tester can identify that as one root-cause vulnerability whose single fix closes all 50 entry points.
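To make the 50-versus-1 point concrete, here is an added example (not code from the original post): a hypothetical shared data-access helper that three feature modules all call. The module names, schema and the in-memory SQLite database are constructed for illustration. A blackbox tester feeding a tautology payload to each page sees three separate injection findings; a whitebox reviewer sees one unsafe string-formatted query, and replacing it with a parameterised query fixes every caller at once.

```python
import sqlite3

# Constructed sample schema and data for the example (not from the original post).
def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


class VulnerableUserDao:
    """Hypothetical shared data-access helper: every feature module reuses
    find_user(), and find_user() builds SQL by string formatting. The single
    flaw is therefore reachable from every screen that calls it."""

    def __init__(self, conn):
        self.conn = conn

    def find_user(self, username):
        # Root cause: user input is concatenated straight into the statement.
        sql = "SELECT username, role FROM users WHERE username = '%s'" % username
        return self.conn.execute(sql).fetchall()

    # Three "modules" a blackbox tester would exercise as separate pages.
    def login_lookup(self, username):
        return self.find_user(username)

    def profile_lookup(self, username):
        return self.find_user(username)

    def admin_search(self, username):
        return self.find_user(username)


class HardenedUserDao(VulnerableUserDao):
    """Same call graph, but the one helper now uses a parameterised query,
    so fixing the single root cause fixes every entry point at once."""

    def find_user(self, username):
        sql = "SELECT username, role FROM users WHERE username = ?"
        return self.conn.execute(sql, (username,)).fetchall()


# Classic tautology: the vulnerable helper turns it into
#   WHERE username = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def count_injectable_entry_points(dao_cls):
    """Count how many exposed 'modules' return every user when fed the
    tautology payload. A blackbox test reports that number as separate
    findings; a whitebox review traces all of them to one helper."""
    dao = dao_cls(open_db())
    total_users = dao.conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    entry_points = (dao.login_lookup, dao.profile_lookup, dao.admin_search)
    return sum(1 for ep in entry_points if len(ep(PAYLOAD)) == total_users)


if __name__ == "__main__":
    print("vulnerable entry points:", count_injectable_entry_points(VulnerableUserDao))  # 3
    print("hardened entry points:  ", count_injectable_entry_points(HardenedUserDao))    # 0
```

The hardened class deliberately leaves the call graph untouched: the point of the whitebox finding is that the fix lives in the one helper, not in the three pages that a blackbox report would list.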
In addition, a whitebox review can reveal vulnerabilities in configuration and integration points.
For instance, an auction website might communicate with a banking application to debit the winner’s bank account. A review of the auction application’s configuration files may uncover the location of the bank’s web service endpoint, which the tester can then examine for additional vulnerabilities.
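As an added example of that kind of configuration review (not code from the original post), the following script parses a constructed INI-style config for a hypothetical auction application, lists every external endpoint it integrates with, and flags the weaknesses a reviewer would note on first pass: cleartext transport to the bank gateway, a database credential embedded in a connection URL, and an API key stored in plaintext. All section names, hosts and values are invented for the example.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed configuration for a hypothetical auction application
# (sample input for this example, not a real deployment).
SAMPLE_CONFIG = """
[database]
dsn = postgresql://auction_app:s3cret@db.internal:5432/auction

[payments]
bank_endpoint = http://bank-gateway.example.net/ws/DebitAccount
api_key = changeme-placeholder

[mail]
smtp_url = smtps://mail.example.net:465
"""

# Setting names that usually hold a secret; any non-URL value under such a
# name is reported as a plaintext secret.
SECRET_KEY_PATTERN = re.compile(r"(key|secret|password|passwd|token)", re.IGNORECASE)

# URL schemes that carry data unencrypted on the wire.
CLEARTEXT_SCHEMES = {"http", "ftp", "smtp", "ldap"}


def review_config(text):
    """Return one finding per external endpoint or secret found in the config.

    Each finding records where it was found, the host it points at (None for a
    bare secret) and a list of issues, which is empty when nothing is wrong
    with how that endpoint is configured."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            parts = urlsplit(value)
            if parts.scheme and parts.netloc:
                issues = []
                if parts.scheme.lower() in CLEARTEXT_SCHEMES:
                    issues.append("cleartext transport")
                if parts.password:
                    issues.append("credential embedded in URL")
                findings.append({"section": section, "key": key,
                                 "host": parts.hostname, "scheme": parts.scheme,
                                 "issues": issues})
            elif SECRET_KEY_PATTERN.search(key) and value.strip():
                findings.append({"section": section, "key": key,
                                 "host": None, "scheme": None,
                                 "issues": ["plaintext secret in config"]})
    return findings


def integration_targets(findings):
    """Hosts the tester should add to scope after the configuration review."""
    return sorted({f["host"] for f in findings if f["host"]})


if __name__ == "__main__":
    results = review_config(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f['section']}] {f['key']}: {f['host'] or '-'} {f['issues']}")
    print("integration targets in scope:", integration_targets(results))
```

The list returned by `integration_targets` is exactly what the paragraph above describes: endpoints (here the bank gateway) that a blackbox tester would never see from the auction site's user interface, but which the configuration exposes as further targets.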
Based on my experience with web application development, I would suggest that anyone with a development background perform a code review first and then a blackbox penetration test; the second validates the findings of the first.
For non-developers, the blackbox test is the most appropriate starting point.