[Me]:- Guruji, if I have to do security testing, what questions will I need to ask and get answers to for effective testing?
[Guruji]:- You can ask yourself these questions:
1) What security problems were present in the previous version? Examine these and understand how they could have been prevented. Make sure that these and any new ones are all documented through the development process.
2) Could a malicious user get the server to respond or send an error that gives away information about the server (name, IP address, and so on)?
3) When connected to the application/site with IE, can a user go to File → Edit with Microsoft FrontPage or File → Edit with Microsoft Word or File → Edit with Notepad to alter and save the files back to your servers?
4) Are cookies used to store user state or other user information? What features read or set a cookie?
5) For each cookie, is it persisted or session only? Is it marked as HTTP only (IE6 feature)?
6) What if the user does not accept the cookie? What if the user has cookies set to Prompt and then accepts the cookie?
7) What information is stored in the cookie? What happens if the user edits any of this information?
8) Is any user information passed in a URL (parameter, path, and so on)?
9) Are any forms being submitted to the server using the GET method?
10) What information do we have about the users? Is any of it sensitive (credit card, SSN, address, and so on)? How could it be used to their detriment? Make sure that this information is not passed in cookies or in the parameters in the URL.
11) Do we send any of the sensitive information in the body of the request? If so, could a malicious user grab it with a packet sniffer?
12) How could any of these pieces of information be put together to be used maliciously?
13) What information is the user expecting to be kept secure? (A user ID may not be something that the user has an opinion about, but in answer to the previous question, having the user's ID plus a time stamp may allow a malicious user to guess at a user's email locations, as the Hotmail bug did.)
14) Can a malicious user deny a valid user access to his own data?
16) What software do you depend upon? (Windows NT, IIS, Sun Solaris, Apache, SQL, and so on.) What vulnerabilities do these pieces of software have? Make sure you are up-to-date on all patches and security releases. Monitor BugTraq at http://www.securityfocus.com to keep up with recent exploitations.
17) What security problems does your competitors' or other similar software have? How can you avoid them? Again, some of this might be available at http://www.securityfocus.com, but also on other sites.
18) How are your servers configured? What permissions are set on those directories and files?
19) Are users required to log in to the application? What if they are behind a firewall or proxy server?
20) Does your application perform any encryption? Does it use SSL?
21) Does your application generate passwords for the user? Are they easily guessed?
22) Does your application allow users to select their own password? Are there guidelines that they must follow?
23) Are there any points where data could be shared or accessed by users other than the creator?
24) Is this written in managed code? Are there any unsafe functions? Are there legacy pieces or other components that are unmanaged? Where are the transitions from managed to native code?
25) Could a malicious user set up scripts to guess at a password 10,000 times until it is guessed correctly? What safeguards could be put in place to safeguard against that?
26) Could a malicious user flood your application with requests? Do you want your application to try to respond to them all, or are safeguards in place for that?
27) Could a malicious user send a malformed request? What does your application do with it?
28) Could a malicious user send a NULL request? What would your application do with it?
29) Could a malicious user send a very large request? What would your application do with it?
30) Could a malicious user send a small request and tell the server it was a large request? Does the server hang?
32) What ports are open? How could these be exploited?
33) What is the response to a denial of service attack?
34) What buffer overruns could exist in the software? You do not have to go through the work of identifying how they can be exploited as long as you fix them when you find them.
35) Is there a data conversion in this feature or between two features?
36) Is data parsed in this feature or between two features?
37) Does your application try to write to the server? Could a malicious user exploit this by convincing the server to write more data than it has space for?
38) What kind of logging does your application do on the server side? Does it make note of attacks on the servers, and are they descriptive enough to help identify attacks? Are these logs too granular or too general?
39) Is there a user-side cache? Does the application rely on it?
40) Always assume that the worst happens. How will the server recover? Have a plan in place for each scenario.
41) What gets cached on the client side?
42) Do cookies contain sensitive data or data that can be combined to be sensitive?
43) Should the code stipulate Cache-control: no-cache headers?
44) How can you programmatically access the data in the SQL database?
45) Is there a way to do this from the outside?
46) Can the administrators or product support personnel read the information in the database?
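Several of the questions above (2, 5, 8, 9, 10, 42 and 43) can be turned into a repeatable check that a tester runs against a captured HTTP response instead of answering by hand each time. The script below is an added example, not code from the original page or its author: it parses a raw response, flags cookies that are not HttpOnly or Secure or that are persisted rather than session-only, flags a Server banner that discloses a version, reports a missing Cache-Control: no-cache/no-store, and scans the HTML body for forms submitted with GET and for links that carry user data in the query string. The SENSITIVE_KEYS list and the sample response are constructed for the example and are assumptions to adapt to the application under test.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Parameter and cookie names that usually carry user data a tester should
# not see in URLs, GET forms or cookies (constructed list; extend per app).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "ssn", "card", "cardnumber",
                  "cvv", "email", "userid", "user_id", "address", "token"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body).
    Headers are kept as a list because Set-Cookie may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_headers(headers):
    """Questions 2, 5, 42, 43: banner leakage, cookie flags, caching."""
    findings = []
    for name, value in headers:
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} header discloses software version: {value}")
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} is not HttpOnly")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} is not marked Secure")
            if attrs & {"expires", "max-age"}:
                findings.append(f"cookie {cookie} is persisted, not session-only")
            if cookie.lower() in SENSITIVE_KEYS:
                findings.append(f"cookie {cookie} stores sensitive user data")
    cache = " ".join(v.lower() for n, v in headers if n == "cache-control")
    if not ({"no-cache", "no-store"} & set(re.split(r"[,\s]+", cache))):
        findings.append("Cache-Control does not forbid caching of this response")
    return findings


class FormCollector(HTMLParser):
    """Collects <form> methods/fields and <a href> targets from the body."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name") or "")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_body(body):
    """Questions 8, 9, 10: user data in URLs and forms submitted with GET."""
    p = FormCollector()
    p.feed(body)
    findings = []
    for form in p.forms:
        if form["method"] == "get":
            sensitive = [f for f in form["fields"] if f.lower() in SENSITIVE_KEYS]
            detail = f" with fields {sensitive}" if sensitive else ""
            findings.append(f"form to {form['action']} submits via GET{detail}")
    for href in p.links:
        for key, _ in parse_qsl(urlsplit(href).query):
            if key.lower() in SENSITIVE_KEYS:
                findings.append(f"link {href} carries {key} in the URL")
    return findings


def audit(raw):
    """Run every check over one raw response and return the list of findings."""
    _, headers, body = parse_response(raw)
    return check_headers(headers) + check_body(body)


# Constructed sample response that trips several of the checks.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.27 (Unix)\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: email=test@example.invalid; Expires=Wed, 09 Jun 2021 10:18:14 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>"
    "<form action='/login' method='get'>"
    "<input name='userid'><input name='password' type='password'></form>"
    "<a href='/profile?user_id=42&ts=1029384756'>profile</a>"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

Feed the script a response captured from the application (a proxy log or a saved `curl -i` output) instead of SAMPLE; a clean response yields an empty list, and each finding maps back to the question it answers so the result can be filed alongside the checklist.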