- Automated Vulnerability Scanning: Automated Vulnerability Scanning of the application to identify obvious and common security holes – (Production replica/Test Environment)
- Application Penetration testing: Tests will be performed with the intention to identify the possible internal and external abuse of the application’s sensitive information (Test Environment/Production replica)
A high-level approach for conducting Security testing of the Application.
- Information Gathering: In this phase, the test team will make an effort to understand the target system to gather the data required for overall Security testing
- Vulnerability Assessment: The objective of the phase is to uncover all the possible vulnerabilities in the Web Server and Application under test.
- Penetration Testing: In this phase, the target system is subjected to attack and exploited manually with the information gathered in the previous phases of testing in order to confirm the identified vulnerabilities
- Security Test Reporting: A security test report is produced with all the identified vulnerabilities for their implications and possible counter measures
OWASP Methodology for testing and focuses on following potential vulnerabilities:
- Business logic bypass
- SQL / XSS / HTML Injection
- Session Management
- CSRF vulnerability
- Sensitive data exposure
- Insecure direct object references
- Missing function level access
- Privilege escalations
- Encryptions
The following tools will be used for security testing of application –
- Burp Suite Pro
- SQL Map
- Browser plugin’s – cookie manager, Web develop