[Notes]: Web Application Security Testing

Having been in the Web Application industry for 4+ years now, I have learnt quite a lot of things, and this post is all about sharing some of my learnings on Web Application Security Testing.

When talking about Web Application Security Testing, there are two fundamental things to understand:

1.) Whitebox testing (a.k.a. Code Review)
– The tester has access to the source code, configuration files, and the actual deployed application.
2.) Blackbox testing (a.k.a. Penetration Testing)
– The tester has access to the application’s end-user interface only and does all the testing based on what he/she sees as part of the interface.

In my honest opinion, out of these two methods of testing, Whitebox testing is always going to produce a more accurate result, because the source code is available. In this testing methodology, the testers are able to review data flows through the application from the presentation tier all the way through to the data access tier. Therefore, the results yielded by whitebox testing are going to be far more precise than the results gathered from blackbox testing.

Testing Web Application Security

For example, let's take a scenario. Assume a SQL injection vulnerability is discovered in 50 different areas of a web application: a blackbox penetration tester will identify 50 vulnerabilities (one per module tested through the user interface). However, in practice, there may be a single library that makes all the database calls, which a whitebox tester can identify as one vulnerability.
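To make the "50 findings, one root cause" point concrete, here is an added example (not code from the original post) of a single shared data-access helper that every screen of an application calls, shown in its injectable form next to its parameterized form. The in-memory SQLite table, the two simulated UI modules and the probe string are all constructed for the example; in the post's scenario there would be 50 such callers.

```python
"""Added example: one shared DB helper, injectable vs. parameterized.
The database contents and the caller modules are constructed sample data."""
import sqlite3


def build_db():
    """Constructed sample table; stands in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable helper: user input is concatenated into the SQL text, so the
    input can change the query's structure. Every screen that looks users up
    routes through here, which is why a code reviewer reports one finding."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened helper: the driver binds the value as a literal; the input can
    only ever be compared, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Simulated UI modules (hypothetical names). A blackbox tester sees each of
# these as a separate finding because each is reached via a different screen.
def login_screen(conn, username, lookup):
    return lookup(conn, username)


def profile_page(conn, username, lookup):
    return lookup(conn, username)


CALLERS = [login_screen, profile_page]


def audit(conn, lookup, probe="' OR '1'='1"):
    """Reviewer's regression check: run the same textbook tautology string
    through every caller and count returned rows. A username that does not
    exist must return 0 rows; anything else means the helper is injectable."""
    return {c.__name__: len(c(conn, probe, lookup)) for c in CALLERS}


if __name__ == "__main__":
    db = build_db()
    print("unsafe helper:", audit(db, find_user_unsafe))  # every caller leaks all 3 rows
    print("safe helper:  ", audit(db, find_user_safe))    # every caller returns 0 rows
```

Fixing the one helper clears every caller at once, which is the whitebox result the post describes; the blackbox tester would have to re-test each of the 50 screens to confirm the same thing.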

In addition to the above, a whitebox review can reveal vulnerabilities in configuration and integration points.

For instance, an auction website might communicate with a banking application to actually debit the winner’s bank account. A review of the auction website’s configuration files may uncover the location of the bank’s web services endpoint, which you might then explore for additional vulnerabilities.
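As an added example of what a configuration review turns up (this is my own illustration, not code from the original post), the following helper inventories the external integration points declared in an INI-style config file and flags the two things a reviewer would note first: an endpoint reached over cleartext transport, and a credential stored next to it in plaintext. The config text, the `.invalid` hostnames and the password value are constructed sample data.

```python
"""Added example: inventory integration points from an application config.
SAMPLE_CONFIG is constructed; hostnames use the reserved .invalid TLD."""
import re
import configparser
from urllib.parse import urlparse

SAMPLE_CONFIG = """
[payments]
bank_ws_endpoint = http://bank.example.invalid/ws/debit
bank_ws_user = auction_svc
bank_ws_password = hunter2

[notifications]
smtp_url = smtps://mail.example.invalid:465

[internal]
audit_api = https://audit.example.invalid/v1
"""

# Heuristic key patterns (assumptions for this example, not a standard).
URL_KEY = re.compile(r"(url|endpoint|uri|api)$", re.I)
SECRET_KEY = re.compile(r"(password|secret|token|key)$", re.I)


def inventory(config_text):
    """Return one record per external endpoint: where it is configured, its
    scheme and host, and whether a plaintext credential sits in the same
    section (which is where a client would read it from)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    findings = []
    for section in cp.sections():
        items = dict(cp.items(section))
        has_secret = any(SECRET_KEY.search(k) for k in items)
        for key, value in items.items():
            if not URL_KEY.search(key):
                continue
            u = urlparse(value)
            if not u.scheme or not u.netloc:
                continue  # not a URL-shaped value
            findings.append({
                "section": section,
                "key": key,
                "scheme": u.scheme,
                "host": u.hostname,
                "cleartext_transport": u.scheme in ("http", "ftp"),
                "credential_in_config": has_secret,
            })
    return findings


def risky(findings):
    """Subset a reviewer would raise: cleartext transport or embedded secret."""
    return [f for f in findings if f["cleartext_transport"] or f["credential_in_config"]]


if __name__ == "__main__":
    found = inventory(SAMPLE_CONFIG)
    for f in found:
        print(f)
    print("needs attention:", [f["key"] for f in risky(found)])
```

Run against the sample, the bank endpoint is the one entry that is both reached over plain HTTP and accompanied by a stored password; the mail and audit entries are listed as integration points but not flagged. That is exactly the inventory a blackbox tester never gets to see.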

Based on my experience with Web Application development, I would suggest that anyone with a development background should perform a code review first and then perform the blackbox penetration test, which will validate the earlier review.

For non-developers, the blackbox test is most appropriate.

Also read: Hacking Ruby on Rails.

Learn to Hack 🙂

You can follow me on Twitter at http://twitter.com/vaibhav1981

Do stay tuned to Technofriends for more, one of the best ways of doing so is by subscribing to our feeds. You can subscribe to Technofriends feed by clicking here.

Cheers

Vaibhav

5 Responses

  1. Hi,
    I agree with you, but I think we cannot say that one method is more efficient than the other, because the whitebox test leads you to think as a maker (I mean a programmer) and the second method leads you to think as a hacker. The results are not the same of course, but sometimes things could be easier to see as a hacker, and sometimes it’s the contrary.

    As you said at the end, the best way is to test with both methods.

    regards,
    Tuan

  2. […] Black Box: You have NO knowledge of the system infrastructure. As an Ethical hacker, this should be the one that can help you see things from a hacker’s perspective, as you, like the hacker, don’t have any initial knowledge about the system. ( Also read: Notes on Web Application testing) […]

  3. […] Also read: [Notes]: Web Application Security Testing […]
