Skip to main content

Development

Going Beyond Confirmed Web Security Flaws

untitled

If you’ve been around web security for a while you know that some of the more technical flaws can take some time to uncover. Heck, many of the issues take some time to just understand.

Web application security testing is both an art and a science. It requires deep creativity and strong analytical skills. With Web applications, we need to be able to look for specific – and verifiable – vulnerabilities using both automated scanners and manual analysis. But we can’t stop there. We also need to be able to think longer term and think about how some other potential flaws could lead to other problems. This means outlining various scenarios of what could happen if X, Y or Z falls into place and an exploit occurs.

Some issues that come to mind include:

  • Password policies (or lack thereof) – just because you don’t find any weak passwords doesn’t mean they’re not there.
  • Application logic flaws – if an application workflow seems a bit off then it very well could be. How could someone take advantage of this and what is there to lose when something goes awry?
  • Possible SQL injection issues as found by Web vulnerability scanners – even if you’re unsuccessful validating the vulnerabilities, you or your SQL injector tool may not have dug in deeply enough so the flaw could still be present.
  • Authentication mechanism issues that appear to permit login bypassing or session manipulation – these can be tricky to reproduce, but again it doesn’t mean they’re not there for the taking by a malicious attacker with nothing but time on his hands.

Bottom line: you’re the expert. You can’t blame vendors for failing to find or report on all Web security issues in your environment. People are counting on you to do your best so you owe it to your developers (and your business) to make them aware of all the issues – both confirmed and plausible.

Sure, you’re not going to find all the vulnerabilities and odds are you’re not going to completely understand them all – especially at first. That said, given what’s at stake, the general expectation is that you’re doing what you can to continually learn new things and have an open mind and the analytical skills needed to know where to look in order to ferret out the not-so-obvious “issues” that could get ugly down the road.

Just like every Web application, we’re all a work in progress. As long as we understand what’s required of us to work in this ever-changing field and we’re committed to staying focused in the right direction, that’s all that matters.

Original from:

http://www.acunetix.com/blog/web-security-zone/beyond-security-flaws/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Categories
Follow Us