Wednesday, May 27, 2020
Security Testing in Mobile Application and Web Application - 2475 Words
Security testing in mobile application and Web application (Essay Sample)

The objective of this project is to focus on the security threats experienced in web and phone applications. It will also examine the possible causes of these security threats and how they can be dealt with. This project also tries to provide recommended solutions to counter these security threats.

Web and mobile applications have become very popular lately due to technological improvements. The security of these applications has been a trending issue because of their vulnerabilities. Hackers have been taking advantage of people's lack of knowledge to access people's information without the owner's consent.

Mobile applications

These are applications designed for smart phones. They ease access to activities and services like banking, mail, travel programs and many others through the mobile phone. The introduction of these applications has made life easier for people, since many services can now be reached through a smart phone without necessarily finding a PC. These applications are either installable or browser based. A lot of people can now perform important functions through their mobiles.

Like web applications, mobile applications also have security risks. Security testing for mobiles is hard compared to the tests performed on web applications, and this makes it hard for people to test their mobile application security. These mobile applications are not as secure as web applications and should also be tested for security.

The methodology used in testing web applications is the same one used to test phone application security. The difference is that testing for mobile application security focuses on mobile-related problems.
During the application security test, you need to identify the type of application you are dealing with: installable or browser based. Like desktop applications, a newly installed mobile application writes files, changes registry entries and configuration settings, schedules new tasks and performs other similar actions on installation. It is very important to analyze these artifacts during the test. During analysis, both file analysis and application reverse analysis should be performed. The file system of the installed application should be analyzed thoroughly to establish the application's security.

It is important to install the mobile application in external memory rather than in the internal mobile memory, so that the files created during installation can be accessed. These files must be analyzed carefully. The best-known analyses of these files are reversing the application, modifying it, and viewing the application's hidden information (Fairchild).

Multiple application tasks are performed to identify the changes made to the files. This is easily done by assigning each file a simple label called a hash; the label changes whenever the file changes. Different kinds of information are written to the mobile's file system during the various stages of application operation. This information is analyzed to find the most sensitive data that may be stored in phone memory.

After installation, the application code is uncovered to help overcome the security measures built into the application and to change the code if need be. Design and implementation defects are identified, and possibly a way to take advantage of them. The application code also helps to find hidden information like encryption keys, passwords and other significant data.

The application traffic is then routed through a web proxy to intercept it, obtain more comprehensive information, and adjust data for input validation, authorization and other testing areas.
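The file-hash comparison described above, as an added Python example that is not part of the original essay: it takes a snapshot of an application's data directory, lets the app run through another stage of operation, takes a second snapshot and reports which files were added, removed or changed. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Return the hex digest of a file's contents, read in chunks."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: an app's data directory before and after a 'login' stage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "prefs").mkdir()
        (root / "prefs" / "settings.xml").write_text("<prefs/>")
        (root / "cache.db").write_bytes(b"\x00" * 16)
        before = snapshot(root)

        # Simulate what the app does during its next stage of operation:
        # it rewrites a preference file, creates a log and drops a cache.
        (root / "prefs" / "settings.xml").write_text("<prefs><token>abc</token></prefs>")
        (root / "session.log").write_text("user logged in")
        (root / "cache.db").unlink()
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

The files reported as modified or added after a stage such as login are the ones to inspect for sensitive data (tokens, credentials, cached responses); a digest comparison finds them without reading every file by hand.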
This gives the tester full control over the client-server interface, which helps in performing a detailed test. In scenarios where HTTPS is involved, it is possible to use web proxies like Fiddler. This, however, requires some tweaking: the proxy's signing certificate must be imported into the mobile's trusted certificate store so that it can be used for traffic interception (Kalra).

Some modern security teams such as OWASP and NETCRAFT are trying to provide security checks for mobile applications. These companies offering app security services have emerged due to the high rate of mobile application insecurity. This security check takes about four full days (netcraft).

Web applications

Most people today depend on web applications. Security is a major issue in web apps since nobody wants his information disclosed to unauthorized individuals. There are a lot of vulnerabilities in web apps, which include injection, cross-site scripting, cross-site request forgery, security misconfiguration, and broken authentication and session management, to mention only a few.

These vulnerabilities can be assessed using penetration testing and static analysis. To perform security tests on web applications, both tools and manual testing are used. It is important to use both methods since some vulnerabilities can only be seen manually (McGraw).

The most common vulnerability in web applications is SQL injection, in which injected data is later parsed and executed by the database. The attack inserts malicious code directly into user input variables that are combined with SQL commands. The malicious code can also be injected into strings that are destined for stored data. When this is done, the malicious code is executed, leading to access to and possibly modification of data in the database through the SQL vulnerability.

When untrusted data is sent to the web browser, the application is vulnerable to cross-site scripting.
This allows the hacker to embed malicious scripts, such as JavaScript, and executing this script on the victim's side allows him to obtain data, hijack sessions, redirect users to another site and so on. This eventually leads to the compromise of private information, exploitation and theft of cookies, and the hacker can still make requests that can be mistaken for those of a valid user.

There are three types of cross-site scripting. Reflected XSS is where a web page takes text submitted by the user and returns that text to the user in its response. Stored XSS is where data submitted by a malicious user of a website is stored in databases that are used to create pages; visitors to these web pages then receive the wrong information from the website. Local XSS makes use of objects within the web page (LaShanda Dukes).

Broken authentication and session management is where the application does not perform its session management and authentication duties correctly. The hacker uses leaks such as exposed accounts and passwords in session management and authentication to impersonate the user. In this case the hacker is able to acquire the position of a website user or the administrator and can perform his duties.

These vulnerabilities can be prevented. Filtering information properly can prevent injections. It involves going through the information thoroughly and deciding whether the supplied input can be trusted. Using one's own filtering functions is the most secure way of filtering one's input. There are many pitfalls that allow the authentication of a website to be broken. To avoid these pitfalls one should understand them and how they work. Using one's own framework also prevents broken authentication. Make sure that the website's URL does not contain critical information like an ID or a referrer header. The passwords used should not be predictable. They should also be well encrypted to prevent any chance of broken authentication.
Timeouts should also be implemented properly to reduce the chances of session hijacking by hackers.

To avoid XSS, one should make sure that HTML tags are not returned to the client. These HTML tags may lead to HTML injection, posing a security risk to any website. HTML entities should be converted, or simply sanitized, so that what the browser receives reads as broken HTML. This discourages hackers.

Insecure direct object references can also cause serious data insecurity. This means that a user has direct exposure to certain internal information or a key. Given such a reference, a hacker may be able to access critical information and perform activities that should be highly protected. This can be avoided by keeping the information internal and not relying on CGI parameters to pass it to the client.

Security should be well configured ...
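The HTML-entity conversion recommended above for XSS, as an added Python example that is not from the essay: the same reflected search page rendered without and with output encoding, using the standard library's html.escape. The URL and its query parameter are constructed.

```python
import html
from urllib.parse import parse_qs, urlparse


def search_param(url: str) -> str:
    """Pull the 'q' query parameter out of a request URL (percent-decoded)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_unsafe(search: str) -> str:
    # VULNERABLE: the submitted text is reflected straight into the HTML, so
    # any tags in it become live markup in the page the browser renders.
    return f"<p>Results for: {search}</p>"


def render_safe(search: str) -> str:
    # HARDENED: characters significant to HTML (< > & " ') are converted to
    # entities, so the browser shows the text literally instead of parsing it.
    return f"<p>Results for: {html.escape(search, quote=True)}</p>"


def reflects_markup(rendered: str, submitted: str) -> bool:
    """True if the page still contains the submitted text verbatim together
    with an HTML tag in it, i.e. the reflection was not encoded."""
    return "<" in submitted and submitted in rendered


# Constructed request: a search page reflecting a parameter that carries a tag.
SAMPLE_URL = "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def demo() -> dict:
    q = search_param(SAMPLE_URL)
    return {
        "param": q,
        "unsafe_reflects": reflects_markup(render_unsafe(q), q),  # True
        "safe_reflects": reflects_markup(render_safe(q), q),      # False
        "safe_html": render_safe(q),
    }


if __name__ == "__main__":
    print(demo())
```

Escaping at the point of output is what matters: the same untrusted string may be safe in one context and not another, so encode for the context it is written into rather than trying to strip tags on the way in.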
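The session timeout and the advice to keep internal references out of client-visible parameters, as an added Python example that is not from the essay: a session store that discards idle sessions, and a per-session map that hands the client an opaque token instead of the raw internal record id. The idle limit, user id and record id are constructed values.

```python
import secrets
from typing import Dict, Optional

# Constructed value: maximum idle time, in seconds, before a session is discarded.
IDLE_LIMIT_SECONDS = 15 * 60


class Session:
    """Server-side session state; nothing in here is sent to the client."""

    def __init__(self, user_id: int, now: float) -> None:
        self.user_id = user_id
        self.last_seen = now
        # Per-session map from opaque token -> internal record id. The client
        # only ever sees the token, never the internal id.
        self.refs: Dict[str, int] = {}


class SessionStore:
    def __init__(self, idle_limit: float = IDLE_LIMIT_SECONDS) -> None:
        self.idle_limit = idle_limit
        self.sessions: Dict[str, Session] = {}

    def create(self, user_id: int, now: float) -> str:
        # Unpredictable session id from the OS CSPRNG.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, now)
        return sid

    def get(self, sid: str, now: float) -> Optional[Session]:
        """Return the session if it exists and has not idled out; refresh it."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session.last_seen > self.idle_limit:
            del self.sessions[sid]  # idle timeout: the session is gone for good
            return None
        session.last_seen = now
        return session


def expose_reference(session: Session, internal_id: int) -> str:
    """Give the client an opaque token for a record instead of the raw id."""
    token = secrets.token_urlsafe(16)
    session.refs[token] = internal_id
    return token


def resolve_reference(session: Session, token: str) -> Optional[int]:
    """Map a client-supplied token back to the internal id, or None if it is
    not one this session was issued (for example a guessed raw id)."""
    return session.refs.get(token)


def demo() -> dict:
    store = SessionStore(idle_limit=900)
    sid = store.create(user_id=42, now=1000.0)
    session = store.get(sid, now=1100.0)
    token = expose_reference(session, internal_id=7)
    return {
        "resolved": resolve_reference(session, token),                     # 7
        "raw_id_rejected": resolve_reference(session, "7"),                # None
        "active_before_timeout": store.get(sid, now=1900.0) is not None,   # True (800 s idle)
        "gone_after_timeout": store.get(sid, now=1900.0 + 901) is None,    # True (901 s idle)
    }


if __name__ == "__main__":
    print(demo())
```

Because the token map lives inside the session, a token issued to one user resolves to nothing in another user's session, which is the property a direct id in a URL parameter lacks.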