The methods and techniques used for security testing
Security testing can be done in many ways like,
oBlack box level
oWhite box level
oDatabase level
black box level
oSession hijacking
Session hijacking commonly called “IP spoofing” where a user session will be attacked on a protected network.
oSession prediction
Session prediction is a method of obtaining data or a session ID from an authorized user and gains access to the application. In a web application, the session ID can be retrieved from cookies or from the URL.
Session prediction can be predicted when a website is not responding normally or stops responding for an unknown reason.
o Phishing by email
Email spoof duplicates the email header (“From” address) to make it look like it originated from the real source, and if the email is replied to, it will end up in the spammers inbox. By inserting commands in the header, the message information can be modified. It’s possible to send a spoofed email with information you didn’t enter.
o Falsification of content
Phishing is a technique to develop a fake website and make the user believe that the information and the website are genuine. When the user enters their credit card number, password, SSN and other important details, the hacker can get the data and use it for fraudulent purposes.
Identity fraud
Phishing is similar to email phishing, in which the hacker sends a genuine-looking email that attempts to obtain the user’s personal and financial information. The emails will appear to come from well-known websites.
oDecryption of passwords
Password cracking is used to identify an unknown password or to identify a forgotten password
Password cracking can be done in two ways,
1. Brute force: The hacker tries a combination of characters within a length and tries until it is accepted.
2. Password Dictionary: Password dictionary is used by hacker where available in various topics.
White box level
oMalicious code injection
SQL Injection is most popular in Code Injection Attack, the hacker attaches the malicious code to the good code by inserting the field into the application. The motive behind the injection is to steal the secure information that was meant to be used by a set of users.
In addition to SQL injection, the other types of malicious code injection are XPath injection, LDAP injection, and command execution injection. Similar to SQL Injection, XPath Injection deals with XML documents.
o Penetration tests
Penetration testing is used to verify the security of a computer or a network. The testing process scans all security aspects of the system and attempts to penetrate the system.
oInput validation
Input validation is used to defend applications from hackers. If input is not validated primarily in web applications, it could lead to system crashes, database tampering, and corruption.
oManipulation of variables
Variable manipulation is used as a method of specifying or editing variables in a program. It is mainly used to modify the data sent to the web server.
Database level
oSQL injection
SQL Injection is used to hack the websites by changing the back-end SQL statements, using this technique the hacker can steal the data from the database and also delete and modify the data.