This post is a continuation of my earlier post on security testing. Before I move into the details of security testing, here are a few tips for beginners and some browser add-ons that can help with security testing.
Security testing tips:
- Directory listing enabled or disabled – You can check this by browsing to a directory, for example http://example.com/images/. If the directory lists all the image files in it, directory listing is enabled. If it returns a message like “Directory listing denied”, or shows no results even though there are files in it, then it is disabled. If it is enabled, there may be a problem.
- HTML tag execution – You can check this in any text field. Example: type <h1>Rakesh</h1> in the First Name field and save the page. If my name then appears in <h1> font size in the “Welcome, Rakesh” text, no validation is being done, which is a security vulnerability: even a <script> tag could be executed, resulting in an XSS (cross-site scripting) attack.
- Bypassing the mandatory fields – You can use the Firebug add-on for Firefox for this technique:
  - Install the Firebug add-on
  - Press the F12 key (Windows) to invoke Firebug
  - Use the Inspect Element feature to highlight the mandatory field
  - The code gets highlighted when you inspect the UI element
  - Just delete the code for that mandatory field
  - Submit the form

  If the form gets submitted, there is no validation on the server end or database end for the mandatory data. If it does not, and gives you an error message, then validation is done on both ends.
- Token generation – When you initiate Forgot Password you receive an e-mail with a token. This token should not always be the same; it should be randomly generated every time, and it should not be so short that it could be cracked. The token should expire once used, and there should also be a maximum number of hours after which the token expires even when it is not used. This applies to registration tokens and any other module where tokens are used.
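The token properties listed above (random, long enough, single-use, time-limited) in an added Python example; this is not code from the original post, and the in-memory store, the one-hour expiry and the sample user id are assumptions chosen for illustration:

```python
import hashlib
import secrets
import time

# Assumed policy for this example: an unused token expires after one hour.
TOKEN_TTL_SECONDS = 60 * 60


class ResetTokenStore:
    """In-memory store of password-reset tokens (constructed for illustration).
    Only a SHA-256 hash of each token is kept, so a leaked store does not
    hand out live tokens; the plain token goes only into the e-mail."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._records = {}         # token hash -> {"user", "expires", "used"}

    def issue(self, user_id):
        # 32 random bytes from the OS CSPRNG -> 43-character URL-safe token.
        # Not derived from the user id, a counter or the time, so it is
        # neither predictable nor the same on every request.
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "user": user_id,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the user id for a valid token, or None if the token is
        unknown, already used, or past its expiry. A valid token is marked used."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec["used"] or self._now() > rec["expires"]:
            return None
        rec["used"] = True         # single use: a second redeem fails
        return rec["user"]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("user-42")     # constructed sample user id
    print("first redeem:", store.redeem(t))    # user-42
    print("second redeem:", store.redeem(t))   # None
```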
- Robots.txt – When a website wants bots not to index specific pages, it uses robots.txt. Sometimes this can help you learn the URL of the admin page or of other confidential pages.
- Account lockout policy – This is important for any login function. Different products have different account lockout policies; for example, a bank account might allow 3 attempts. Most products do not have this policy, but in my opinion it is required for any login function. Forgot Password can get users their password if they forgot it, so why not have an account lockout policy to ensure brute-force attacks cannot be employed by an attacker.
Some of the Firefox add-ons are depicted in the following mind map.