Security testing evaluates a computing system's security controls to confirm that they work as intended and that the application's users and data are protected. It is a crucial part of software testing because it surfaces security threats early, when fixing them is cheapest for you and least disruptive for your users.
In this article, we discuss the basics of security testing in software testing: what it is and why it matters.
Security testing is a critical process in the software development lifecycle. It aims to identify vulnerabilities in software applications and systems and to mitigate them. The goal is to discover potential security breaches, misconfigurations and malicious code that could compromise the system. Common methods include penetration testing, vulnerability scanning and code review.
Why is Security Testing Important?
1. Identify Vulnerabilities: Security testing helps detect vulnerabilities in software applications, such as SQL injection, cross-site scripting (XSS) and buffer overflows, and evaluates how well the application or system withstands attacks and unauthorized intrusions.
2. Maintain User Trust: Implementing robust security testing helps build trust between users and organizations. Users are more likely to engage with platforms that demonstrate a strong commitment to data security and privacy.
3. Compliance and Legal Requirements: Organizations often need to comply with regulatory standards such as GDPR, HIPAA or PCI DSS. Security testing helps ensure that systems adhere to these requirements and avoids legal repercussions. Examples include:
The Payment Card Industry Data Security Standard (PCI DSS) for credit card data.
The System and Organization Controls 2 (SOC 2) framework for handling data stored in the cloud.
The Health Insurance Portability and Accountability Act (HIPAA) for safeguarding sensitive patient information.
4. Ensure Data Protection: Testing confirms whether sensitive data is properly protected against unauthorized access and data breaches. This includes evaluating encryption methods, data transmission security and access controls.
Types of Security Testing
1. Vulnerability Scan – Vulnerability scanning is the process of scanning software for known vulnerabilities or weaknesses. It uses automated tools such as Burp Suite, OpenVAS and Acunetix to identify potential security flaws in your software. Examples of such flaws include outdated software components, default or weak passwords, and insecure network configurations.
2. Penetration Testing – Takes the proactive approach of simulating real-world cyber attacks. Ethical hackers are employed to mimic the tactics of malicious actors, which gives valuable insight into the software's strengths and weaknesses.
Penetration testers look for authentication and authorization flaws, and for weaknesses in network configuration such as open ports or unencrypted network traffic.
3. Risk Assessment – Risk assessment involves identifying potential threats to your software and assessing the likelihood and impact of each. It typically involves analyzing the software's architecture, design and implementation with the goal of identifying security risks such as data breaches, denial of service (DoS) attacks, or malware and viruses.
4. Security Scanning – Security scanning involves using automated tools to scan software for potential security vulnerabilities. These tools may include software or hardware-based scanners that can detect a wide range of security issues.
Security scanning may include tests for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and buffer overflow attacks.
5. Source Code Review – The primary aim of source code review is to detect security flaws, logical errors and vulnerabilities by examining the application's source code manually or with automated tools. The review usually involves more than one person, and independent security experts rather than the development team typically conduct it, so that potential security and functional issues are identified and reported. As a result, both the quality and the security of the product improve.
6. Fuzz Testing – Fuzz testing is used to identify vulnerabilities, bugs, and security loopholes in software applications by inputting a large volume of random, unexpected, or invalid data into the application. The focus is on testing the application’s robustness and error-handling capabilities, often without knowledge of the source code.
7. Ethical Hacking – Ethical hacking is a cybersecurity practice in which an authorized individual, known as an ethical hacker or white-hat hacker, simulates attacks on a computer system or network. The primary aim is to identify and fix security weaknesses before malicious hackers exploit them. The scope can go beyond software flaws to phishing and other social engineering attacks, or physical security weaknesses.
Security testing in software development
Security testing can be effectively incorporated into different stages of the Software Development Lifecycle (SDLC):
Requirement Analysis – At this stage, security requirements should be identified, documented, and integrated into the project scope. Use threat modeling to anticipate potential security threats and define security controls needed to mitigate them.
Design Phase – Conduct security reviews of the design and architecture. Evaluate the architecture for security best practices like secure communication protocols, authentication mechanisms, and data encryption.
Development – Educate developers on secure coding practices, and include guidelines for writing secure code. Integrate Static Application Security Testing (SAST) tools to scan the code for vulnerabilities as it is being written.
Testing – Perform Dynamic Application Security Testing (DAST) on the running application to identify vulnerabilities. Conduct penetration testing to simulate real-world attacks and explore the application's resilience.
Deployment – Ensure that the deployment environment is securely configured. Conduct security scanning and audits to verify the security posture of the application and its environment.
Maintenance – Regularly monitor, update, and re-assess the application for security vulnerabilities as new threats emerge. Perform periodic security audits and compliance checks to confirm ongoing adherence to security standards.
SQL injection vulnerabilities may affect any website or application that uses an SQL database. These databases include MySQL, Oracle, and SQL Server. Malicious actors may use them to gain unauthorized access to sensitive information. This can include customer information, personal data, and trade secrets.
Understanding how SQLi works is vital for protecting your systems, products and security infrastructure.
SQL injection is a security vulnerability that allows an attacker to interfere with the queries an application makes to its database. It occurs when untrusted data is inserted into a SQL query without proper handling, so that the data is interpreted as part of the query. Attackers use it to bypass authentication and authorization of a web page or application, to retrieve the contents of the entire database, and to view, modify or delete data.
SQL Injection is one of the oldest, most prevalent and most dangerous web application vulnerabilities. OWASP (the Open Web Application Security Project) ranked injection as the number one threat in the OWASP Top 10 2017, and it remains in the top three (A03) in the 2021 edition.
How does SQL Injection work?
SQL injection typically occurs when user input is concatenated directly into a SQL query without validation, escaping or parameterisation. The database cannot tell where the developer's query ends and the user's data begins, so a single quote, a comment marker or a UNION keyword in the input changes the structure of the query instead of being treated as a literal value.
Consequences of SQL Injection
1. Credential Theft and Impersonation – Attackers can use SQL injection to read the credentials of other users from the database and then impersonate them. The impersonated user may be a database administrator with full privileges.
2. Denial of Service (DoS) – Malicious queries can overload the database server. This results in a denial of service. It makes the application unresponsive to legitimate users.
3. Unauthorized Changes – SQL injection can also be used to alter or insert data. In a financial application, for example, an attacker could change balances, void transactions or transfer money to their own account.
4. Data Loss – Injected statements can delete records or drop whole tables. Even when the administrator keeps backups, the deletion affects application availability until the database is restored.
5. Backup Corruption – Attackers may also tamper with backups, making data recovery extremely difficult after an attack.
6. Access to Operating System – Advanced SQL injection attacks can provide access to the underlying operating system, allowing attackers to execute system commands.
7. Regulatory Fines – Non-compliance with data protection regulations like GDPR, HIPAA, or CCPA due to data breaches can result in hefty fines.
SQL Injection Example
In-band (Classic) SQL Injection Example
Below is a Java snippet that authenticates a user by querying the database. It is deliberately vulnerable: the request parameters are concatenated straight into the query.
import java.sql.*;

String username = request.getParameter("username");
String forename = request.getParameter("forename");
// VULNERABLE: user input is concatenated directly into the SQL statement
String sql = "SELECT * FROM users WHERE username = '" + username + "' AND forename = '" + forename + "'";
// dbUser/dbPassword are the application's own database credentials, read from configuration;
// they are not the request parameters (the original snippet wrongly passed those here)
Connection conn = DriverManager.getConnection(url, dbUser, dbPassword);
Statement stmt = conn.createStatement();
ResultSet result = stmt.executeQuery(sql);
if (result.next()) {
    // A row came back, so the application treats the user as authenticated
    System.out.println("Login to the application");
} else {
    // Authentication failed
    System.out.println("Unable to Login");
}
Original SQL
SELECT * FROM users WHERE username = 'admin' AND forename = 'admin';
If a malicious user enters admin' -- in the username field (the forename can be anything), the query becomes:
SELECT * FROM users WHERE username = 'admin' -- AND forename = 'admin';
`--` starts a comment in SQL, so everything after it is ignored. (In MySQL the marker must be followed by a space, so the payload is often written as admin' -- with a trailing space.) The query the database actually runs is:
SELECT * FROM users WHERE username = 'admin'
If a user named `admin` exists, the attacker is logged in without ever supplying the correct forename.
To prevent SQL injection, it is essential to use parameterized queries or prepared statements, which safely handle user input and separate SQL code from data.
import java.sql.*;

String username = request.getParameter("username");
String forename = request.getParameter("forename");
// The statement text contains only placeholders; no user input is ever part of it
String sql = "SELECT * FROM users WHERE username = ? AND forename = ?";
// dbUser/dbPassword are the application's own database credentials, read from configuration
Connection conn = DriverManager.getConnection(url, dbUser, dbPassword);
PreparedStatement preparedStatement = conn.prepareStatement(sql);
// Bind the user-supplied values to the placeholders; they are sent to the database as data
preparedStatement.setString(1, username);
preparedStatement.setString(2, forename);
ResultSet result = preparedStatement.executeQuery();
if (result.next()) {
    // A row came back, so the application treats the user as authenticated
    System.out.println("Login to the application");
} else {
    // Authentication failed
    System.out.println("Unable to Login");
}
In this example the `?` placeholders mark where the values go, and setString supplies them. The driver sends the SQL text and the parameter values to the database separately, so the values are never parsed as SQL: an input such as admin' -- is compared literally against the username column and matches nothing.
Example of a Union-Based SQL Injection
SELECT ProductName, ProductDescription, ProductCost
FROM Products
WHERE ProductId = '100' UNION SELECT Username, Password, NULL FROM Users;
Using the UNION SELECT operator, this query combines the request for item 100's name, description and cost with a second query that pulls the username and password of every user in the database. The injected input here is 100' UNION SELECT Username, Password, NULL FROM Users-- (the comment marker swallows the application's closing quote). Both SELECTs must return the same number of columns, three in this case, so the attacker pads the second one with NULL; testers usually discover the column count by increasing the number of NULLs until the database stops returning an error.
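Here is an added Python example (not from the original page, whose snippets are in Java) that reproduces both the login bypass above and the UNION extraction against an in-memory SQLite database. It shows the concatenated query accepting `admin' -- `, the parameterized query rejecting it, how a tester finds the column count for a UNION by padding with NULL, and the same UNION payload yielding nothing against the parameterized lookup. Table contents and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for the page's `users` and `Products`
# tables; the rows are made up for the demonstration.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, forename TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Alice', 's3cret!');
        INSERT INTO users VALUES ('bob',   'Bob',   'hunter2');
        CREATE TABLE products (ProductId TEXT, ProductName TEXT,
                               ProductDescription TEXT, ProductCost REAL);
        INSERT INTO products VALUES ('100', 'Widget', 'A basic widget', 9.99);
    """)
    return conn


def login_vulnerable(conn, username, forename):
    """Same pattern as the Java snippet: input concatenated into the statement."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND forename = '" + forename + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, forename):
    """Parameterised query: the values travel separately from the SQL text."""
    sql = "SELECT * FROM users WHERE username = ? AND forename = ?"
    return conn.execute(sql, (username, forename)).fetchone() is not None


def product_lookup_vulnerable(conn, product_id):
    """Concatenating version of the product query from the UNION example."""
    sql = ("SELECT ProductName, ProductDescription, ProductCost FROM products "
           "WHERE ProductId = '" + product_id + "'")
    return conn.execute(sql).fetchall()


def product_lookup_safe(conn, product_id):
    sql = ("SELECT ProductName, ProductDescription, ProductCost FROM products "
           "WHERE ProductId = ?")
    return conn.execute(sql, (product_id,)).fetchall()


def union_column_count_probe(conn, n_cols):
    """True if a UNION with n_cols NULL columns executes. A tester steps n upwards
    until the database stops complaining; that reveals the original SELECT's width."""
    padding = ", ".join(["NULL"] * n_cols)
    try:
        product_lookup_vulnerable(conn, "100' UNION SELECT " + padding + " --")
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    conn = build_db()
    # Comment marker with a trailing space: required by MySQL, harmless elsewhere
    bypass = "admin' -- "
    results = {
        "vuln_bypass": login_vulnerable(conn, bypass, "wrong-forename"),
        "safe_bypass": login_safe(conn, bypass, "wrong-forename"),
        "safe_legit": login_safe(conn, "admin", "Alice"),
        "union_cols": [n for n in range(1, 6) if union_column_count_probe(conn, n)],
    }
    # The original SELECT has three columns, so the injected SELECT is padded with NULL
    union = "100' UNION SELECT username, password, NULL FROM users -- "
    results["vuln_union"] = product_lookup_vulnerable(conn, union)
    results["safe_union"] = product_lookup_safe(conn, union)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable lookup the UNION payload returns the product row plus one row per user containing the username and password; against the parameterized lookup the same string is just an id that matches no product.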
Types of SQL Injection
SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-of-band SQLi.
In-band SQL Injection
In-band SQL injection is the most common type of attack. With this type of SQL injection attack, a malicious user uses the same communication channel for the attack. The same channel is used to gather results.
Error-based SQL Injection: Attackers deliberately send malformed queries so that the database server returns an error message. Verbose error messages are useful during development, but in production they expose the database structure (table and column names, sometimes even data), which the attacker uses to build further queries.
Union-based SQL injection: Attackers use the UNION SQL operator to append their own SELECT to the application's query, so the results of both are returned in a single HTTP response. This lets them extract data from tables the original query never touched.
Inferential SQL Injection
Inferential SQL injection is also called blind SQL injection because the application does not return the query results to the attacker as it does with in-band injection. Instead, the attacker sends payloads and learns about the database by observing how the application responds.
Boolean-based injection: Attackers inject a condition that is either true or false and infer information from the difference in the application's response (for example, a page that shows a product versus one that shows nothing).
Time-based injection: Attackers inject a query that makes the database pause for a set number of seconds only if a condition is true, then measure how long the response takes. For example, the payload delays the response if the first letter of the database name is 'A'; a delayed response tells the attacker the condition holds.
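Below is an added Python example (not part of the original article) of boolean-based blind extraction against a constructed SQLite-backed endpoint that only ever reveals whether a product exists. It recovers a made-up admin password one character at a time, using a binary search over the character code so that each character costs 7 requests rather than one per candidate, and shows the same oracle going silent against the parameterized endpoint. The time-based variant works identically except that the oracle is a measured delay instead of a True/False response; SQLite has no sleep function, so that is not shown.

```python
import sqlite3

# Constructed target database (not from the page); the secret extracted blind
# is the admin password.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id TEXT, name TEXT);
        INSERT INTO products VALUES ('100', 'Widget');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret');
    """)
    return conn


def product_exists_vulnerable(conn, product_id):
    """Vulnerable endpoint: concatenates input but only ever answers True/False."""
    sql = "SELECT 1 FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchone() is not None


def product_exists_safe(conn, product_id):
    """Parameterised endpoint: the payload is compared as a literal id and matches nothing."""
    sql = "SELECT 1 FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchone() is not None


class BlindExtractor:
    """Turns a boolean endpoint into a yes/no oracle and extracts data character by character."""

    def __init__(self, endpoint, conn):
        self.endpoint = endpoint
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        # Append the condition to a valid id, so the row comes back only when it holds
        self.requests += 1
        return self.endpoint(self.conn, "100' AND (" + condition + ") --")

    def extract(self, subquery, max_len=32):
        # `subquery` is a scalar SELECT. Each ASCII character is located by binary
        # search over its code point (0..127): exactly 7 oracle requests per character.
        value = ""
        for pos in range(1, max_len + 1):
            if not self.ask(f"length(({subquery})) >= {pos}"):
                break
            lo, hi = 0, 127
            while lo < hi:
                mid = (lo + hi) // 2
                if self.ask(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            value += chr(lo)
        return value


def demo():
    conn = build_db()
    secret = "SELECT password FROM users WHERE username = 'admin'"
    vuln = BlindExtractor(product_exists_vulnerable, conn)
    safe = BlindExtractor(product_exists_safe, conn)
    return {
        "vuln_value": vuln.extract(secret),
        "vuln_requests": vuln.requests,
        "safe_value": safe.extract(secret),
        "safe_requests": safe.requests,
    }


if __name__ == "__main__":
    print(demo())
```

The request count is the point: a six-character secret costs 49 yes/no questions (one length check plus seven comparisons per character, and one final length check that fails), which is why blind injection is practical even though no data ever appears in a response.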
Out-of-Band SQL Injection
This type is less common but is useful when the other methods are not feasible. The attacker uses one channel for the attack and a different one (such as a DNS or HTTP request made by the database server) to receive the results. It is used when the server's responses are too slow or unstable for in-band or inferential techniques to be reliable.
Best Practices to Protect Your Database from SQL Injection
Install the latest software and security patches from vendors when available.
Conduct regular security testing, including penetration testing and code reviews, to identify and fix vulnerabilities before they are exploited.
Always use prepared statements or parameterized queries, which separate SQL code from data so that user input is never interpreted as part of the query.
Log database errors on the server and return a generic error message to the client instead of the raw database error.
Use stored procedures only when they are themselves parameterized; a stored procedure that builds dynamic SQL from its arguments is just as injectable.
Use allowlist input validation so that unvalidated user input is never added to a query.
Security Testing is a type of software testing that aims to identify and address vulnerabilities and threats in an application to ensure that its data and resources are protected against potential intrusions, misuses, and breaches. The primary goal of security testing is to ensure that the software is robust and secure from external and internal threats.
What is Security Testing in API?
API security testing is the process of evaluating API endpoints to identify and remediate vulnerabilities such as mishandled unexpected (fuzzed) input, parameter tampering or injection attacks. Historically, this was done through penetration testing or manual scanning of the APIs by an enterprise security team. Teams are now shifting to running API security tests as part of the DevOps pipeline, so that security issues are caught early in the development lifecycle.
Why Do You Need API Security Testing?
1. Protection of Sensitive Data – APIs often handle sensitive data, including personal information, financial data, and proprietary business information. Security testing helps ensure that this data is protected from unauthorized access, breaches, and leaks. Examples: Ensure data in transit is encrypted; prevent exposure of Personally Identifiable Information (PII)
2. Prevent Unauthorized Access: APIs typically serve as the gateway to an application’s backend and other critical infrastructure. Security testing helps to identify and mitigate flaws in authentication and authorization mechanisms, preventing unauthorized access. Examples: Ensuring proper use of API keys, tokens, and OAuth; verifying role-based access control (RBAC).
3. Ensuring Service Availability: Malicious actors can exploit vulnerabilities to launch Denial-of-Service (DoS) attacks, overwhelming your APIs and making them unavailable to legitimate users. Robust API penetration testing tools help uncover these weaknesses, allowing you to implement measures that prevent such attacks and ensure reliable service for your users.
4. Maintaining Compliance: Industry regulations and standards such as HIPAA, GDPR, ISO 27001 and SOX mandate specific security controls for data handling. Failure to comply because of API vulnerabilities can lead to hefty fines and legal liabilities. Security testing helps ensure that APIs meet these requirements. Examples: Encrypting sensitive data, maintaining proper access logs, and ensuring data integrity.
5. Prevent Injection Attacks: Injection attacks, such as SQL injection and command injection, can compromise the security of API endpoints and underlying systems. Security testing helps identify and remediate these vulnerabilities by validating input handling and data sanitization processes. Examples: Testing for SQL injection flaws; ensuring proper input validation.
6. Improving Stakeholder Trust: Customers and partners entrust the company with their data when they interact with their APIs. Regular security testing demonstrates your commitment to data protection, strengthening business relationships, and fostering customer confidence in your services.
What are the common security vulnerabilities found in API?
Rest APIs
REST APIs or RESTful APIs are stateless APIs that use simple HTTP requests to access and use data. It is one of the most used types of API due to its simplicity and flexibility of implementation in any language.
Common Vulnerabilities in REST APIs
1. Broken Authentication and Session Management: Weak authentication mechanisms can lead to unauthorized access. Use of tokens and proper handling of sessions is crucial.
2. Broken Access Control: Insufficient enforcement of user permissions can lead to unauthorized access to endpoints. Implement role-based access control (RBAC) and least privilege principle.
3. Sensitive Data Exposure: Failure to encrypt sensitive data both in transit and at rest. Use HTTPS, encrypt sensitive data and avoid exposing unnecessary data in API responses.
4. Lack of Rate Limiting: Failure to implement request throttling can result in Denial of Service (DoS) attacks. Implement rate limiting and quotas to control abuse.
5. Injection Attacks: Attackers insert malicious code into the requests to manipulate the APIs’ intended behavior. SQL Injection, Host-Header Injection, and Command Injection are some of the most common attacks.
6. Insufficient Logging and Monitoring: Lack of proper logging mechanisms can lead to undetected security incidents. Enforce comprehensive logging and monitoring for suspicious activities.
SOAP APIs
SOAP, or Simple Object Access Protocol, uses XML-based messaging to transfer data between the client and server.
Common Vulnerabilities in SOAP APIs
1. XML External Entity (XXE) Attacks: An attacker can manipulate XML data to exploit vulnerabilities in the XML parsers. Disable DTDs (Document Type Definitions) and external entity references.
2. Inadequate Input Validation: SOAP messages may not be thoroughly checked for validity. Validate incoming XML against the expected schema (XSD) and reject anything that does not conform.
3. WS-Security Misconfigurations:Weak or improperly configured WS-Security policies can lead to security lapses. Ensure robust WS-Security configurations including encryption and digital signatures.
4. Token Replay Attacks:Reuse of tokens for unauthorized API requests. Implement mechanisms to detect and prevent token reuse, such as timestamps and nonces.
5. WSDL Exposure: If the WSDL file is exposed to the attackers, they can view detailed information about the API structure and operations, allowing them to craft more targeted attacks.
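As an added example (not from the page, and not the WS-Security XML format itself), the following Python shows the timestamp-plus-nonce pattern that item 4 recommends, applied to a generic HMAC-signed request: the server verifies the MAC first, rejects messages outside a freshness window, and rejects any nonce it has already seen inside that window. The key, window size and message bodies are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration values (not from the page or any WS-Security profile)
SHARED_KEY = b"constructed-demo-shared-secret"
WINDOW_SECONDS = 300          # how far a request's Created timestamp may drift from now


def _mac(key, created, nonce, body):
    # The MAC binds timestamp, nonce and body together so none of them can be swapped
    msg = f"{created}|{nonce}|".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(key, body, created, nonce=None):
    """Client side: attach a fresh nonce, the current time and a MAC over all three."""
    nonce = secrets.token_hex(16) if nonce is None else nonce
    return {"created": created, "nonce": nonce, "body": body,
            "mac": _mac(key, created, nonce, body)}


class ReplayGuard:
    """Server side: rejects tampered, stale and replayed requests."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}          # nonce -> created; pruned once older than the window

    def verify(self, req, now):
        # 1. Authenticity first, so unauthenticated traffic cannot fill the nonce cache
        expected = _mac(self.key, req["created"], req["nonce"], req["body"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "bad_signature"
        # 2. Freshness: bounded clock skew in both directions
        if abs(now - req["created"]) > self.window:
            return "stale"
        # 3. Uniqueness inside the window; anything older was already rejected as stale,
        #    so the cache only ever needs to hold one window's worth of nonces
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.window}
        if req["nonce"] in self.seen:
            return "replay"
        self.seen[req["nonce"]] = req["created"]
        return "ok"


def demo():
    now = 1_700_000_000                      # fixed clock so the demo is deterministic
    guard = ReplayGuard(SHARED_KEY)
    req = sign_request(SHARED_KEY, b"<transfer amount='100'/>", now)
    first = guard.verify(req, now)                         # ok
    replayed = guard.verify(req, now + 10)                 # same nonce again: replay
    tampered = dict(req, body=b"<transfer amount='999'/>")
    forged = guard.verify(tampered, now)                   # MAC no longer matches
    old = sign_request(SHARED_KEY, b"<ping/>", now - 2 * WINDOW_SECONDS)
    stale = guard.verify(old, now)                         # outside the window
    return {"first": first, "replayed": replayed, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The order of the three checks matters: verifying the signature before touching the nonce cache keeps an unauthenticated attacker from exhausting it, and rejecting stale timestamps first is what allows the cache to be bounded.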
JSON-RPC and XML-RPC
JSON-RPC and XML-RPC are remote call protocols that use JSON and XML, respectively, to communicate between the client and the server. They send an HTTP request to a server that implements RPC and receives an HTTP response.
Common Vulnerabilities in JSON and XML RPC:
1. Brute Force Attacks: Attackers try many credential combinations to gain unauthorized access. XML-RPC is an easy entry point because a single request can bundle many method calls (for example through system.multicall), so hundreds of login attempts can be made in one request, bypassing rate limits that protect the normal login form.
2. Remote Code Execution: If the server passes RPC parameters to unsafe functions, attackers can execute code on the server from a remote connection.
GraphQL
GraphQL is a flexible and efficient query language for APIs. It allows the client side to request the exact amount of data required to reduce data over- and underfetching.
Common Vulnerabilities Found in GraphQL APIs
1. Injection Attacks: Attackers insert malicious code into the requests to manipulate the APIs’ intended behavior. SQL Injection, Host-Header Injection, and Command Injection are some of the most common attacks.
2. Introspection Exposure: GraphQL's introspection system (the __schema and __type queries) lets any client download the full schema: every type, field, query and mutation, including ones never meant to be public. Attackers use it to map the API and craft targeted queries. Disable introspection in production, or restrict it to authenticated and authorized clients.
Types of API Security Testing
Dynamic API Security Tests
Dynamic API Security Testing involves testing the security of APIs during runtime. It dynamically interacts with the API, sends various requests with different payloads, and observes how the API behaves under different conditions to identify security vulnerabilities.
Running a dynamic API security test simulates an actual API-based attack and surfaces vulnerabilities introduced from both open-source dependencies and the code your team wrote.
OWASP ZAP (Zed Attack Proxy) – It is an open-source web application security scanner designed to find vulnerabilities in web applications and APIs.
Burp Suite – A comprehensive web vulnerability scanner and intercepting proxy that supports both automated and manual testing, with advanced scanning for API vulnerabilities and support for REST, SOAP and GraphQL APIs.
SQLMap – It is an open-source penetration testing tool for automating SQL injection detection and exploitation. It supports various types of SQL injection attacks.
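The scan below is an added Python example (not the page's own code, and not ReadyAPI's, ZAP's or Burp's) of what a dynamic test does: it sends reflected-XSS payloads and unexpected HTTP methods to an endpoint and flags responses that echo the payload unencoded or accept verbs the endpoint should refuse. To keep it runnable offline, the endpoint is a constructed in-process handler with an assumed signature handler(method, path, params) -> (status, body); one version is vulnerable and one is hardened.

```python
import html

# Constructed in-process stand-ins for a live API, so the scan runs offline.
# Assumed handler signature: handler(method, path, params) -> (status_code, body).
def vulnerable_api(method, path, params):
    if path == "/search":
        q = params.get("q", "")
        # Reflects the parameter without encoding and ignores the HTTP method
        return 200, f"<p>Results for {q}</p>"
    return 404, "not found"


def hardened_api(method, path, params):
    if path == "/search":
        if method != "GET":
            return 405, "method not allowed"
        q = params.get("q", "")
        return 200, f"<p>Results for {html.escape(q, quote=True)}</p>"
    return 404, "not found"


# Payloads of the kind a dynamic scanner sends; coming back byte-for-byte means no output encoding
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]
# Verbs tried against an endpoint that should only answer GET (OPTIONS left out: CORS preflight)
FUZZ_METHODS = ["POST", "PUT", "DELETE", "PATCH", "TRACE"]


def scan_reflected_xss(handler, path, param):
    findings = []
    for payload in XSS_PAYLOADS:
        status, body = handler("GET", path, {param: payload})
        if payload in body:
            findings.append({"check": "reflected_xss", "payload": payload, "status": status})
    return findings


def scan_http_methods(handler, path, allowed=("GET",)):
    findings = []
    for method in FUZZ_METHODS:
        if method in allowed:
            continue
        status, _ = handler(method, path, {})
        # A 2xx/3xx answer to an unexpected verb means the method is not restricted
        if status < 400:
            findings.append({"check": "http_method", "method": method, "status": status})
    return findings


def run_scan(handler, path="/search", param="q"):
    """Runs every check against one endpoint and returns the list of findings."""
    return scan_reflected_xss(handler, path, param) + scan_http_methods(handler, path)


if __name__ == "__main__":
    for name, api in (("vulnerable", vulnerable_api), ("hardened", hardened_api)):
        print(name, run_scan(api))
```

Real scanners send the same requests over HTTP and add many more payload families, but the decision logic is the same: a payload reflected unchanged is a finding, and a success status for a verb the endpoint should not serve is a finding.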
Static API Security Tests
Static analysis security testing tools look at the source code of the application to identify potential vulnerabilities. This form of testing looks for patterns in the code that represent potential security concerns. These tools are language-dependent, meaning you have to use a static tool that matches the language your API is written in.
SonarQube – It is an open-source platform that inspects code quality and security.
Checkmarx – It is a comprehensive static application security testing tool that focuses on security vulnerabilities.
Fortify Static Code Analyzer (SCA) – A static analysis tool from Micro Focus (now part of OpenText) that identifies security vulnerabilities in source code.
Software Composition Analysis
Software Composition Analysis (SCA) tools look at the dependency tree of your application and match this against a database of known vulnerabilities. Using these tools, you would be alerted if your application or API uses a library or framework with a known vulnerability. With the ever-increasing use of open source in API development, these tools are essential to include in security testing. The limitations of SCA tools are that (1) they generally do not surface if the vulnerability is actually exploitable within your API, and (2) they only capture open-source vulnerabilities, not security bugs your team may have introduced.
Black Duck by Synopsys – Comprehensive SCA tool that identifies open-source components, assesses vulnerabilities, and manages license compliance.
Snyk – Developer-friendly tool that integrates with CI/CD pipelines to detect and fix open-source vulnerabilities in dependencies.
WhiteSource (now Mend) – Tool focused on managing open-source components, identifying vulnerabilities, and ensuring license compliance.
The previous tutorial has explained the creation of a new Security Test. This tutorial explains the process to create a Security test from the existing Functional Test.
Steps to be followed to create a security test from a functional test case:
Create the Security Test from Functional Test
Run the Security Test
Analyse Security Test Results
Generation of Security Test Report
Sample Test Report
Analyse Security Test Report
Create the Security Test from Functional Test
Step 1 – Right-click the test case present under Functional Tests in the Navigator and select Create Security Test.
Step 2 – Click Select Test Target and select the test case you want to apply the security scans to. All applicable scans are selected by default.
Leave the scans you want in your test checked and uncheck the others.
You can select one scan or several from the list. I have selected all of them:
Boundary Scan
Cross Site Scripting
Fuzzing Scan
Invalid Types
SQL Injection
XPath Injection
HTTP Method Fuzzing
Sensitive Files Exposure
Weak Authentication
Click the OK button.
Step 3 – This screen shows all the scans added to the Security Test.
Run the Security Test
Step 4 – Click the Green arrow “Run” to start the test.
Step 5 – ReadyAPI will start sending modified requests and checking responses.
Step 6 – The security test window shows the progress of each test step and matching security scans. This screen shows all the configurations of Cross Site Scripting. Similarly, all the scans have their own in-built configurations.
Analyse Security Test Results
Step 7 – The Transaction Log shows additional information about security scans.
Step 8 – The details of a particular request or response are available in the inspector.
The Setup pane contains the detail about the configuration used for the tests.
Generation of Security Test Report
Step 9 – After the security test run finishes, click View Summary Report:
Step 10 – In the dialog that appears, click View Full Report.
Step 11 – After that, ReadyAPI will open the report in the default PDF viewer.
Sample Test Report
Analyse Security Test Report
Step 12 – Example of HTTP Method Fuzzing
Example of Cross Site Scripting
Congratulations! We have successfully created a Security Test from a Functional Test, run it, and generated the Security Test Report.
ReadyAPI allows teams to create, manage, and execute automated functional, security, and performance tests in one centralized interface – accelerating API quality for Agile and DevOps software teams. It allows importing API definitions like OpenAPI/Swagger or AsyncAPI, testing and recording live API traffic, or virtualizing web services to remove pipeline dependencies.
ReadyAPI is developed by SmartBear. It is not an open-source tool but a licensed one.
In ReadyAPI, We can easily manage our APIs and project. We can easily create APIs from an openAPI, Swagger, WSDL, and WADL definition and use Discovery to record API requests and methods.
Step 2 – Before starting the installation, please check the system requirements for ReadyAPI.
Step 3 – ReadyAPI is a licensed tool, but a free trial is available in addition to the commercial Pro license.
To use the trial, fill in the details on the trial page and request a Free Trial.
If you already have a license, download the installer for your platform from the ReadyAPI Downloads Center.
I have a license, so will download ReadyAPI Desktop 3.20.0 (Windows Installer 64-bit).
Step 4 – Once the download is completed, run the installer. The installer will unpack the files and prepare them for installation:
Step 5 – Click the Next button to proceed with the installation:
Step 6 – If you install ReadyAPI for the first time or have chosen to install it to a different directory, the wizard will ask you to specify the installation folder:
Step 7 – This image shows that installation is in progress.
Step 8 – When the installation is complete, you can select the Run ReadyAPI check box to run ReadyAPI upon closing the wizard. You can also select the Create a desktop icon check box to create a desktop icon for ReadyAPI. Click the Finish button.
Step 9 – Once the installation has completed successfully, ReadyAPI opens and looks something like the image below.
We are done! Congratulations on making it through this tutorial and hope you found it useful! Happy Learning!!