Add web application security testing and life’s sweet

New Thinking 29 April 2013 Barret Chin

Cake is like a web application

Cakes come in many different forms, all of which are delicious. Some contain chocolate and others fruit, but each has something that makes it distinct from the next. The same can be said for web applications – they come in many different forms and can contain various features worth getting your teeth into. However, just like cakes, not all of these features are necessarily good for you – and some even contain nasty security surprises. This is where web application security testing comes into play.

This leads us on to our next common form of attack: identifying and manipulating broken authentication and session management. One example is a login page that reports a different error depending on whether the user name or the password was wrong. A malicious user could use this to discover valid user names. Or, if he realises that URLs can be accessed without logging on, he could try to guess the names of secure pages and attempt to access something he shouldn't.
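The two weaknesses just described, shown as an added example that is not from the original post: a login handler whose error text reveals whether the user name exists beside a hardened version that answers identically either way, and a deny-by-default page check so that guessing a URL does not bypass login. The user store, salt, passwords and path names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample user store: username -> (salt, PBKDF2 digest).
# Iteration count kept low so the example runs quickly; raise it in practice.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}

# Dummy digest so the hardened path does the same work for unknown users,
# which also keeps the response time from revealing whether a name exists.
_DUMMY = _hash(_SALT, "placeholder")

def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the message differs for unknown user vs wrong password."""
    if username not in USERS:
        return "Unknown user name"
    salt, digest = USERS[username]
    if _hash(salt, password) != digest:
        return "Incorrect password"
    return "OK"

def login_hardened(username: str, password: str) -> str:
    """Fixed: one generic message, constant-time compare, same work either way."""
    salt, digest = USERS.get(username, (_SALT, _DUMMY))
    ok = hmac.compare_digest(_hash(salt, password), digest)
    # An unknown user never authenticates, even if the dummy digest matched.
    if ok and username in USERS:
        return "OK"
    return "Invalid user name or password"

# Constructed list of pages that may be served without a session.
PUBLIC_PATHS = {"/", "/login"}

def serve(path: str, session_user: Optional[str]) -> int:
    """Deny by default: anything not explicitly public needs a logged-in user."""
    if path in PUBLIC_PATHS or session_user is not None:
        return 200
    return 401
```

The leaky handler gives a different reply for "alice"/wrong password and "bob"/anything, which is exactly what lets an attacker confirm which names are real; the hardened one does not.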

So, just like a piece of cake and its many enticing features, a web application’s features can contain some nasty security surprises – hence the need for web application security testing. Just like the cake’s abundance of sugar or butter, the many features of a web application might make it moreish, but will also increase the risk of potential security dangers. We need to take a leaf out of the nutritionist’s book and ask ourselves if it’s really necessary and if we’ve thought about the negative consequences of this feature.