Custom «Secure Web Systems» Essay Paper Sample

1. Compare and evaluate black box and white box testing.

Security testing and examination techniques can be divided into two broad techniques depending on the amount of knowledge of the implementation details of the system being tested that are available to the testers. These techniques are black box and white box testing. Black box testing assumes that there's no prior knowledge of the web application to be tested while white box testing provides the testers with complete knowledge of the web application to be tested, often including network diagrams, source code, and IP addressing information.

The relative merits of these approaches are debated but most testing of custom applications are done using white box techniques; this is so because the source code is usually available. However, white box techniques cannot detect security defects in interfaces between components, furthermore they cannot identify security problems caused during compilation, linking, or installation-time configuration of the application. Black box techniques are used primarily to assess the security of individual high-risk compiled components; interactions between components; and interactions between the entire application or application system with its users, other systems, and the external environment. But white box techniques still tend to be more efficient and cost-effective for finding security defects in custom applications than black box techniques.

Fundamentally, Black box techniques are used to determine how effectively an application or application system can handle threats while white box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords. Many tests use both white box and black box techniques-this combination is known as gray box testing.

2. What is the rationale for carrying out a W-APT?

A penetration test is undertaken on a computer system that is to be deployed in a hostile environment, in particular any internet facing site, before it is deployed. The purpose of the test is to provide a level of practical assurance that any malicious user will not be able to penetrate the system.

The test provides practical assessment on the design, implementation, and technical information relating to the security procedures of a web application. This can be used for several purposes-such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements.

3. Explain briefly what types of vulnerabilities may be present in a web application due to insufficient input validation.

Since the internet "environment" is so diverse and contains so many forms of programmatic content, input validation and sanity checking is the key to Web applications security.

If an applications fail to fully validate the input they receive from users it becomes difficult to locate especially in large codebases with lots of user interactions. Developers therefore employ penetration testing methodologies to expose these problems. Web applications are, however, not immune to the more traditional forms of attack. Poor authentication mechanisms, logic flaws, unintentional disclosure of content and environment information, and traditional binary application flaws (such as buffer overflows) are rife.

4. With relevance to web-application vulnerabilities, what are race conditions and how can they be exploited?

Vulnerability scanners check only for the possible existence of vulnerability but the attack phase of a penetration test exploits the vulnerability to confirm its existence. One of the vulnerabilities exploited by penetration testing is race conditions.

Race conditions are attacks that occur during the time a program or process has entered into a privileged mode. To exploit them a user can time an attack to take advantage of elevated privileges while the program or process is still in the privileged mode.

5. Give an example of web application logic vulnerability

Cross-site scripting or XSS is an example of Web application logic vulnerability. XSS is the most prevalent and pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.

This allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, insert hostile content, conduct phishing attacks, and take over the user's browser using scripting malware. The malicious script is usually JavaScript, but any scripting language supported by the victim's browser is a potential target for this attack.