Security in web applications

Some common terms in web application security testing, each with the countermeasure to look for:

Password Cracking: To get into the private areas of an application, an attacker can either guess a username/password or run a password-cracking tool against the login form. Word lists of common usernames and passwords are freely available, as are open source password crackers. Enforce a complex password policy (letters, numbers and special characters, with a required minimum length), and limit the rate of failed login attempts per account and per client, so that online guessing is slow enough to be noticed.

URL manipulation: The attacker edits the parameters in the query string (IDs, quantities, prices, flags) to see what the server will accept. Check the range and type of every input variable on the server side, and reject any parameter the application does not need rather than ignoring it. Never take a value from the URL that the server already knows (a price, the current user's ID); look it up server-side instead. Avoid creating variables dynamically from request data (for example PHP's register_globals or variable variables), because that lets the client set values the application never expected to receive.
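As an added illustration (not code from the original post), here is a server-side allow-list check for the query string of a hypothetical checkout page: every parameter is typed and range-checked, parameters that are not in the allow-list are rejected, and the price comes from the server's own catalogue rather than from the URL. The catalogue contents, parameter names and URLs are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed catalogue standing in for a database lookup. The price is
# authoritative here; a "price" parameter in the URL is never consulted.
CATALOGUE = {101: 1999, 102: 4999}

# Allow-list of the parameters this endpoint accepts, with the cast and the
# range check each one gets. Anything not listed is rejected outright.
SCHEMA = {
    "item": (int, lambda v: v in CATALOGUE),
    "qty": (int, lambda v: 1 <= v <= 10),
}


def validate_query(url):
    """Return a dict of validated parameters, or raise ValueError."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    unknown = set(params) - set(SCHEMA)
    if unknown:
        raise ValueError("unexpected parameter(s): %s" % ", ".join(sorted(unknown)))

    clean = {}
    for name, (cast, check) in SCHEMA.items():
        values = params.get(name)
        # Exactly one value: a duplicated parameter is itself a tampering signal.
        if not values or len(values) != 1:
            raise ValueError("%s: exactly one value required" % name)
        try:
            value = cast(values[0])
        except ValueError:
            raise ValueError("%s: wrong type" % name) from None
        if not check(value):
            raise ValueError("%s: out of range" % name)
        clean[name] = value
    return clean


def reject_reason(url):
    """Return None if the URL passes validation, else the reason it was refused."""
    try:
        validate_query(url)
    except ValueError as exc:
        return str(exc)
    return None


def order_total(url):
    """Compute the total from validated input and the server-side catalogue."""
    p = validate_query(url)
    return CATALOGUE[p["item"]] * p["qty"]


if __name__ == "__main__":
    print(order_total("https://shop.example/checkout?item=101&qty=2"))
    print(reject_reason("https://shop.example/checkout?item=101&qty=2&price=1"))
```

The point of rejecting unknown parameters, rather than silently ignoring them, is that a tampered request then fails loudly and can be logged, instead of leaving you to hope that no code path ever reads the extra value.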

SQL Injection: Inserting SQL fragments through the web application's inputs so that they become part of a query the server then executes. Escaping the quotes (mysql_escape_string or an equivalent) is the minimum, but it only protects values that sit inside quotes in the query, and mysql_escape_string itself is deprecated because it ignores the connection character set (mysql_real_escape_string was introduced to fix that). The reliable fix is parameterized queries (prepared statements), where user input is bound as a value and never becomes part of the SQL text.
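To make the difference concrete, here is an added example (not code from the original post) using Python's sqlite3 module on a constructed in-memory users table. It shows the string-concatenated login query being bypassed, why quote escaping alone does nothing when the value is interpolated into a numeric context, and the parameterized form that closes both holes. The usernames and passwords are made up, and storing passwords in clear text as this toy table does is itself something a real application must never do.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "correct horse"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the input becomes part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def escape_quotes(value):
    """Quote escaping in the spirit of mysql_escape_string (SQL doubles the quote)."""
    return value.replace("'", "''")


def user_by_id_escaped(conn, user_id):
    """Escapes quotes but interpolates into a numeric context, where no quotes are
    involved: any SQL that contains no quote character passes straight through."""
    sql = "SELECT username FROM users WHERE id = %s" % escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the SQL
    text, so input can never change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def user_by_id_safe(conn, user_id):
    """Same for the numeric case: validate the type first, then bind it."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # non-numeric input is rejected before it reaches SQL
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check entirely with a closing quote and "--".
    print(login_vulnerable(db, "alice' --", "wrong"))      # alice
    print(login_safe(db, "alice' --", "wrong"))            # None
    # Quote escaping is irrelevant here: "2 OR 1=1" has no quote to escape.
    print(user_by_id_escaped(db, "2 OR 1=1"))               # ['alice', 'bob']
    print(user_by_id_safe(db, "2 OR 1=1"))                  # []
```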

Cross Site Scripting: When a user submits HTML or client-side script through the user interface of a web application and it is displayed to other users as-is, the script runs in their browsers; this is XSS. Scrubbing HTML tags from the variables is not enough on its own, because the payload does not need a tag when the value lands inside an attribute or a script. Encode output for the context it is inserted into (HTML entities for body text and attribute values, JavaScript string escaping inside scripts), and never pass user input to eval or an equivalent.
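As an added example (not from the original post), the following Python renders a constructed comment and a constructed search box two ways: once after scrubbing tags with a regular expression, as the text above suggests, and once with HTML output encoding. The attribute-context payload is constructed to show why tag scrubbing alone fails, and the parser at the end checks the result the way a browser would read it.

```python
import html
import re
from html.parser import HTMLParser

TAG_RE = re.compile(r"<[^>]*>")

# Constructed payload: no "<" or ">" anywhere, so a tag scrubber leaves it alone.
PAYLOAD = '" autofocus onfocus="alert(1)'


def strip_tags(text):
    """The 'scrub all HTML tags' approach: delete anything that looks like a tag."""
    return TAG_RE.sub("", text)


def encode_for_html(text):
    """Output encoding: &, <, >, double and single quotes become entities, so the
    browser displays the characters instead of interpreting them as markup."""
    return html.escape(text, quote=True)


def render_comment_stripped(comment):
    return "<p>%s</p>" % strip_tags(comment)


def render_comment_encoded(comment):
    return "<p>%s</p>" % encode_for_html(comment)


def render_search_stripped(query):
    """Reflects the query into an attribute value after tag scrubbing."""
    return '<input name="q" value="%s">' % strip_tags(query)


def render_search_encoded(query):
    """Reflects the query into an attribute value after output encoding."""
    return '<input name="q" value="%s">' % encode_for_html(query)


class _InputAttrs(HTMLParser):
    """Collects the attributes of the <input> element in a fragment."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(rendered):
    """Parse the fragment as a browser would and return the attributes the
    <input> element actually ends up with (entity references are decoded)."""
    parser = _InputAttrs()
    parser.feed(rendered)
    return parser.attrs


if __name__ == "__main__":
    # Body context: scrubbing happens to work, encoding works too.
    print(render_comment_stripped("<script>alert(1)</script>"))
    print(render_comment_encoded("<script>alert(1)</script>"))
    # Attribute context: the scrubbed version gains an onfocus handler.
    print(input_attributes(render_search_stripped(PAYLOAD)))
    print(input_attributes(render_search_encoded(PAYLOAD)))
```

The encoded version keeps the user's text as the value of the attribute it was meant for, which is the property you want: the data survives intact, and only its interpretation is pinned down.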

Spoofing: The creation of hoax look-alike websites or emails is called spoofing. Identity images of the kind Yahoo! and bank websites use (a picture the user chose when registering, shown to them on the genuine login page) give the user a way to recognise the real site before typing a password. They are a usability aid, not a replacement for TLS and the correct hostname in the address bar, which a look-alike site hosted elsewhere cannot present.

Crumbs: A crumb is a server-generated token placed in a form or link and checked when the request comes back, to ensure the user arrived from the previous page in the flow and did not jump straight to the URL. Tie it to the user's session, give it a short lifetime, and compare it on the server; a crumb built this way also blocks cross-site request forgery, because a page on another site cannot read the crumb to include it in a forged request.
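One way to build such a crumb, added here as an example and not taken from the original post: an HMAC over the session identifier, the form name and the issue time, keyed with a server-side secret. The secret, the session identifiers, the form name and the "transfer" endpoint are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; a real deployment loads it from
# configuration, never from source, and keeps it off the client.
SERVER_SECRET = b"constructed-secret-for-the-example"

CRUMB_MAX_AGE = 900  # seconds a crumb stays valid


def _crumb_mac(session_id, form_name, ts):
    msg = ("%s|%s|%s" % (session_id, form_name, ts)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_crumb(session_id, form_name, now=None):
    """Issue a crumb of the form "<issue time>.<hmac>" for one session and one form."""
    ts = str(int(time.time() if now is None else now))
    return "%s.%s" % (ts, _crumb_mac(session_id, form_name, ts))


def verify_crumb(crumb, session_id, form_name, max_age=CRUMB_MAX_AGE, now=None):
    """Accept only a crumb issued for this session and form within max_age seconds."""
    try:
        ts, mac = crumb.split(".", 1)
        issued = int(ts)
    except (ValueError, AttributeError):
        return False  # missing, malformed or non-numeric timestamp
    current = time.time() if now is None else now
    if not (0 <= current - issued <= max_age):
        return False  # expired, or issued "in the future"
    expected = _crumb_mac(session_id, form_name, ts)
    # Constant-time comparison so an attacker cannot learn the MAC byte by byte.
    return hmac.compare_digest(mac.encode(), expected.encode())


def render_transfer_form(session_id, now=None):
    """Step one of the flow: the page that hands the crumb to the user's browser."""
    crumb = make_crumb(session_id, "transfer", now)
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="crumb" value="%s">'
            '<input name="amount"><input type="submit"></form>' % crumb)


def handle_transfer(session_id, form_fields, now=None):
    """Step two: the POST handler refuses anything that did not come through the form."""
    if not verify_crumb(form_fields.get("crumb"), session_id, "transfer", now=now):
        return "rejected: request did not come through the transfer form"
    return "ok: transferring %s" % form_fields.get("amount")


if __name__ == "__main__":
    print(render_transfer_form("sess-1"))
    crumb = make_crumb("sess-1", "transfer")
    print(handle_transfer("sess-1", {"crumb": crumb, "amount": "10"}))
    print(handle_transfer("sess-1", {"amount": "10"}))          # no crumb
    print(handle_transfer("sess-2", {"crumb": crumb, "amount": "10"}))  # other session
```

Because the crumb is an HMAC rather than a random value, the server does not need to store it; it only needs the secret, the session identifier it already has, and the clock. The per-form name stops a crumb issued for one action being replayed against another.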
