WEB APPLICATION SECURITY TESTING VS ENVIRONMENT SECURITY TESTING

21:13 Posted by tudouya
Web security testing is comprised of two parts: Application testing and Environment testing.

Application Testing

Application testing is simply testing the behavior of the application code itself. This typically includes SQL Injection and Cross Site Scripting among others. The state of the server and its configuration is not directly tested, though application behavior depends on it. Web application testing is done by sending only HTTP traffic to the designated application port (usually 80). The traffic will of course be malformed, to test how the application responds. Trying to bypass application controls like authorization, authentication, access control and business logic by means of HTTP traffic only is typical of application testing.

Environment Testing

Environment testing assesses the state of the server without taking into account the web application running on it. This typically includes testing for: open ports, OS fingerprinting, running services, installed software, OS vulnerabilities and configuration settings of OS and running applications. The environment testing attempts to look for vulnerabilities that can be exploited on the machine without taking advantage of application vulnerabilities which may or may not exist.

Environment Testing before Application Testing

Environment testing is almost always done before application testing for two reasons. First, environment testing is an automated process. There are many software tools that can perform this task without human intervention. Because this task is automated, it can finish very fast and the invested effort is minimal. Application testing can't be fully automated since it requires understanding of the application logic. Some tests like SQL Injection and XSS can be partially automated but, all in all, human supervision is necessary. That's why we always start with environment testing before moving on to the application: it is easier and faster. The second reason is that server vulnerabilities are usually more effective and direct. A server exploit allows for much more control over the server, including the application code, while application exploits are usually specific to the application, although they can be leveraged to compromise the whole server in many cases.

Legal Issues and Shared Hosting

The most important aspect of "application vs environment" testing is the legal part of it. As you are aware, information security testing is illegal unless authorized. If the web application in question is hosted on a company-owned server, there is nothing to consider. Things get complicated when the website is hosted on a shared server with other websites. In this case environment testing might be an issue, since you will need to test features common to all websites hosted on that server, so all concerned parties should give their approval. Otherwise, testing will be restricted to the application only. Application testing is always fine. Consider the analogy with a physical security company that evaluates security measures in buildings against theft. If you live in your own house, you are free to give the company full authority to evaluate the situation, but if you live in a building with other people, you can only grant the company authority to test the locks on your own door, not the lock on the main building entrance.
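
The rule above can be written as a scope check that a test harness consults before each probe. This is an added example, not code from the original post; the class names, the `concerned_parties` and `approvals` fields, and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Probe:
    host: str
    port: int
    protocol: str  # e.g. "http", "https", "tcp"


@dataclass
class Engagement:
    app_host: str                       # the site the client owns
    app_port: int = 80                  # designated application port
    shared_hosting: bool = False
    concerned_parties: set = field(default_factory=set)  # co-tenants, host
    approvals: set = field(default_factory=set)          # who signed off

    def classify(self, probe: Probe) -> str:
        """HTTP traffic to the designated application port is application
        testing; any other port or protocol touches the server itself."""
        is_app = (probe.host == self.app_host
                  and probe.port == self.app_port
                  and probe.protocol in ("http", "https"))
        return "application" if is_app else "environment"

    def environment_authorized(self) -> bool:
        # Company-owned server: the client can authorize everything.
        if not self.shared_hosting:
            return True
        # Shared server: every concerned party must have approved.
        return self.concerned_parties <= self.approvals

    def allowed(self, probe: Probe) -> bool:
        if probe.host != self.app_host:
            return False  # another tenant's site is never in scope
        if self.classify(probe) == "application":
            return True   # application testing is always fine
        return self.environment_authorized()


if __name__ == "__main__":
    # Constructed sample engagement on a shared server.
    e = Engagement("shop.example", shared_hosting=True,
                   concerned_parties={"hosting-provider", "blog.example"},
                   approvals={"hosting-provider"})
    for p in (Probe("shop.example", 80, "http"),
              Probe("shop.example", 22, "tcp"),
              Probe("blog.example", 80, "http")):
        print(p, e.classify(p), "allowed" if e.allowed(p) else "blocked")
```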
