There is usually a lot of speculation on the use of manual and automated testing. Manual is often considered less trustworthy since it only relies on the efforts of a test engineer. Automated testing, on the contrary, involves several external tools, programming knowledge and computational power, which seems more impressive and therefore more reliable.
Wrong! Discussing these two approaches as “manual vs. automated” is a mistake, as both of them have different goals, different methods and different benefits, especially when it comes to security testing.
Security testing is all about ensuring that the information you gather, process, and store on your website is safe from theft or leakage. Hackers have an array of tools and methods at their disposal to attack a web application. The task of a QA engineer is to be one step ahead and make sure that the web app can withstand such attacks.
To make this possible, a QA engineer has to imitate a hacker, trying out as many attack approaches as possible to discover vulnerabilities where a maletruder can bypass website security.
In security testing, the correlation between manual and automation is extremely important.
Manual security testing. XSS and SQL injections
Manual security testing requires a QA engineer to try and hack a system manually after analyzing documentation and any other available information sources. Their main task is to ensure that:
- A user can’t unintentionally crash the system.
- A hacker that doesn’t use any additional tools can’t cause major problems.
There are two major types of attacks that can be performed manually: XSS (Cross-Site Scripting) and SQL-injections. Both of these require a more exact description.
Cross-site scripting, or XSS, is an injection of malicious scripts into web pages through contact forms, registration forms, search fields or any other input forms. When these scripts are executed by the browser, the maletruder gets access to cookies, tokens or any other sensitive information that has been shared during the session.
For example, a hacker can inject a script that forces the user to go to another webpage after clicking on the image:
The script steals cookies from the logged user. As a result, the login and password info, as well as any other data entered during the session can be stolen. More complicated scripts are capable of doing even more harm.
How to prevent XSS?
Validation for all types of input fields may help prevent some lightweight XSS attacks. Also, filtering out tags that are often used for XSS attacks, such as <script>, <img>, <span>, is a common practice. However, filtering isn’t a silver bullet. Attackers are constantly improving and using more sophisticated approaches to fool validation or filters.
One more useful tip is to use X-XSS-Protection headline for the server response. This enables the server to detect XSS attacks and protects user requests. However, an application still requires good internal protection on the code-level.
This type of injection is similar to XSS. However, it uses SQL - a programming language designed to work with databases. As a result, an SQL-injection might be much more dangerous.
A maletruder can send an SQL-request, which can modify, delete or copy data stored in the database. If your registration or login form is covered with proper validation and database requests don’t contain any mistakes, then your database is safe. However, even a tiny mistake can make the data vulnerable. The task of a QA engineer is to test whether the application is resistant to this type of attack.
Take a look at an example of an SQL-injection:
SELECT * FROM Users; DROP TABLE Customers
These are two requests placed into one string and separated by a semicolon, which means that they can be executed consecutively. As a result, the user list will be displayed on the screen and the Customer table will be deleted. Such a simple injection can do significant harm to a business.
How to prevent SQL-injection?
Actually, SQL-injection vulnerabilities are quite easy to avoid. All you have to do is following these steps:
- Use parameterized database queries. This enables the database to distinguish between code and data and doesn’t let an SQL-injection pass through.
- Use stored procedures for data processing.
- Whitelist input validation. This approach won’t allow the user to enter data in any format other than the one expected.
- If none of the mentioned is feasible, you should escape user input. However, this technique isn’t a silver bullet to protect a web app from any SQL-injections.
Other vulnerabilities that can be discovered with manual testing
Along with different types of injections, other vulnerabilities are easy to discover with manual testing.
Sensitive data exposure – this occurs when unencrypted data is stored or transmitted. This vulnerability can be discovered manually through audits of cookie files, tokens, and database entries. To protect sensitive data such as passwords, banking information, etc. from exposure, it is important to use encryption and define accessibility.
Insecure direct object references is a vulnerability that enables a hacker to bypass authorization by entering modified parameter values. The testing engineer can directly access any piece of information by directly pointing to it, which means that an attacker can do this as well and the vulnerability should be eliminated.
Broken authentication. For each valid session, the website creates a session cookie and session ID, containing sensitive information such as username, password, etc. When the session ends, these cookies should be invalidated, otherwise, this data will be stored in the system. When using a public computer, there is a danger that log data will become available to other users. Such a vulnerability is easy to discover manually.
Automated security testing
In most cases, it is impossible to manually audit application security. This method gives you access to very limited types of vulnerabilities. But most of these hide deeper.
To reveal some problems in website security you have to intercept data channels, access the computer remotely, load the system with heavy DoS, DDoS attacks, etc. Doing this manually requires too much time and effort, and in most cases isn’t worth it since a specialized tool can automatically audit an application.
To protect the web app on a deeper level, vulnerability scanners are needed. These tools scan the app code and discover vulnerabilities that can be missed during manual testing.
OWASP Zed Attack Proxy (ZAP)
ZAP is an open-source tool offered by OWASP - an international organization that supports application security. This vulnerability scanner is widely supported by volunteers from all over the world. When discussing functionality, ZAP is able to discover security vulnerabilities in an application, even if it’s still in development.
To audit your web application, you just need to enter the link to it and start scanning. Testing time may vary depending on the app architecture complexity or database size.
ZAP tests an app’s frontend and backend to extensively analyze the code and provide you with a detailed report. It can be also used as a static code analysis tool.
Qualys Free Scan
Qualys is an online security tool that is free to use after registration. It scans the network, server, and app for typical vulnerabilities.
In addition, Qualys scans your environment to detect traffic anomalies. So, if an attack occurs, you can react instantly, and not only after the damage has been dealt.
Veracode is a powerful platform for static and dynamic security testing of web applications. The most appreciated benefits include scanning of the network, server, and client, statistics, and audit of vulnerabilities, and working with one or several projects simultaneously.
Veracode offers a free trial period, allowing you to become acquainted with the service and its advantages.
Acunetix Vulnerability Scanner
The Vulnerability Scanner offered by Acunetix can be used two ways: as an online tool, or as a program installed on your laptop. A testing engineer can select the approach that best fits the current project.
The scanner crawls your web app, performing grey box and black box testing, enabling it to find even more vulnerabilities. For example, Acunetix can discover whether your web app is sensitive to XSS or SQL-injections without performing them manually.
Most website owners don’t even suspect that their web app is vulnerable until the threat becomes real and the maletruder gets access to sensitive data. Security testing is here to predict and prevent possible attacks.
An experienced quality assurance engineer uses a combination of manual and automated testing to discover as many vulnerabilities as possible before the website goes live. Some of the described testing tools constantly scan traffic to your web app in order to discover unusual events that could potentially be an attack. As a result, you can react immediately and keep your and your users’ data safe.
Are you not sure about your website security? Our quality assurance department can help! We provide extensive manual and automated security testing to ensure the maximal security of your data! Contact us for more details!