Two steps of Web Security Test

2025-01-16 Update From: SLTechnology News&Howtos (shulou)

Shulou(Shulou.com)06/03 Report--

Web security testing should follow the same principle as any other testing: test as early as possible. While conducting functional testing, execute the security test scenarios in the checklist below; then, after functional testing is complete and before performance testing begins, scan the application with a vulnerability scanning tool such as AppScan, HP WebInspect, or AWS.

Step 1: the more commonly used security test checklist items are as follows:

1. Without logging in to the system, enter the URL of a page behind the login directly and check whether it can be accessed.

2. Without logging in to the system, enter the download URL of a file directly and check whether the file can be downloaded.

3. After logging out, click the browser's Back button and check whether the previous page can still be accessed.

4. Check whether manually changing parameter values in the URL gives access to pages you do not have permission to view. For example, the URL parameter value that identifies an ordinary user differs from the one that identifies an advanced user; after logging in as an ordinary user, change the parameter in the URL to the advanced user's value and check whether the page you do not have permission to access is displayed.

5. All credentials should be sent over an encrypted transport channel (for example, during login).

6. Secure pages should use the HTTPS protocol.

7. Verify SQL injection (including numeric injection and string injection).

8. Verify XSS (cross-site scripting) vulnerabilities: when performing create operations, enter test input in every input box.

9. The file upload function should restrict file types; upload an executable file such as an .exe to confirm whether it can be run directly on the server side.

10. Verify upload vulnerabilities. As long as a web application allows file uploads, file upload vulnerabilities are possible. Some programs do not verify the format of uploaded files at all, or only perform JavaScript verification on the client side; an attacker can remove the client-side JavaScript verification with Firebug, or pass the JavaScript verification through the normal flow and then tamper with the request at the HTTP layer using Burp Suite.

11. Check whether error messages contain SQL statements, SQL error messages, or other sensitive information about the web server.

12. Verify the validity of the session.
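Items 9 and 10 above describe the failure mode: validation that lives only in client-side JavaScript is removed or bypassed at the HTTP layer, so the server must check the file itself. The following is an added example, not code from the article, of what such a server-side check looks like. It assumes a constructed allowlist of image and PDF types with their magic-byte signatures; the function name and the accepted types are this example's own choices.

```python
import os

# Allowlisted extensions and the file signature (magic bytes) each must carry.
# Constructed for this example; adjust to the types the application really accepts.
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Server-side upload check that trusts nothing the client sent.

    Returns (accepted, reason). Rejects unsafe names, extensions outside the
    allowlist, and files whose bytes do not match the signature for their
    extension, so a script renamed to .png is still refused.
    """
    # Keep only the base name so a name like "../../x.png" cannot leave the upload directory.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return False, "empty or invalid file name"
    # Null bytes and control characters can make a later layer see a different
    # extension than the one checked here, so refuse them outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in base):
        return False, "control character in file name"
    # Split on the FIRST dot so "shell.php.png" is judged as "php.png", not "png".
    stem, dot, rest = base.partition(".")
    if not dot or not stem:
        return False, "missing extension"
    if "." in rest:
        return False, "multiple extensions are not allowed"
    ext = "." + rest.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext} not allowed"
    # The extension alone proves nothing: the content must carry the matching signature.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not look like a {ext} file"
    return True, "ok"
```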

Step 2: after functional testing is complete and before performance testing starts, scan with a professional scanning tool and generate a test report; WVS and AppScan, for example, are among the top ten scanning tools.
