Saturday 26 October 2013

Web Application - Vulnerability Testing

Question:

I am a software tester with 11 months experience. I want to explore the security testing area and would like to know more about vulnerability testing, more specifically about the SQL injection attack. Also guide me as to how this testing can be performed manually.

By: Saran Satyan

Answer:

Vulnerability Testing is a practice area for security professionals. There is no single, simple solution that will work in all cases. One has to go through a structured approach to accomplish this testing. The high level steps include scoping, information gathering, tool selection, and then performing the scanning. Most of the vulnerabilities require in-depth knowledge of the internals of the web application, like its design and architecture, in addition to the tools and technology used in its build. Manual methods or techniques may not help in identifying most of the vulnerabilities.

As we all know, the SQL query language is used to retrieve data from databases, and a technique to exploit the query language to fetch unintended data by injecting unexpected input data is referred to as a SQL Injection attack. As an example, a typical where clause in a query used to authenticate a user would be like where userid = <user_id> and password = <password>. The user id and password as entered by the user would be substituted into this where clause at run time before execution. Programmers adopt different techniques to dynamically bind the input variables to build the needed where clause. One such simple method of dynamically building the where clause is by concatenating the input data like "... where userid = " + user_id + " and password = " + password + ";" In this case, for instance, if the user inputs the password as something followed by "or 1=1", then the where clause of the final query will look like where userid = user_id and password = password or 1=1; As we all know, this query when executed will retrieve all the rows in the user table because of the condition or 1=1.
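As an added example (not the questioner's or the blog's code), here is the concatenated where clause described above beside its parameterized form, run against a constructed in-memory SQLite user table:

```python
import sqlite3

# Added example, not from the original post. The user table and its rows are
# constructed sample data; the password check mirrors the post's WHERE clause.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, user_id, password):
    """Builds the WHERE clause by string concatenation, as the post describes.
    Whatever the user types becomes part of the SQL text itself."""
    query = ("SELECT userid FROM users WHERE userid = '" + user_id
             + "' AND password = '" + password + "' ORDER BY userid;")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, user_id, password):
    """Same check with bound parameters: the driver hands the values to the
    database separately, so input can never change the query structure."""
    query = ("SELECT userid FROM users WHERE userid = ? AND password = ?"
             " ORDER BY userid")
    return [row[0] for row in conn.execute(query, (user_id, password))]


def demo():
    conn = make_db()
    # Normal login: both variants return exactly the matching row.
    ok_concat = login_concatenated(conn, "alice", "s3cret")
    ok_param = login_parameterized(conn, "alice", "s3cret")
    # The post's "or 1=1" case: the password closes the quote and appends an
    # always-true condition, so the concatenated query matches every row,
    # while the parameterized query treats the whole string as a password.
    injected = "x' OR '1'='1"
    bad_concat = login_concatenated(conn, "alice", injected)
    bad_param = login_parameterized(conn, "alice", injected)
    return ok_concat, ok_param, bad_concat, bad_param


if __name__ == "__main__":
    print(demo())
```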

Here is an article worth referring to in order to know more about SQL injection attacks. You may also check out the following links to know more about vulnerability testing:

Web Application Security Testing Cheat Sheet
The world's most advanced Open Source vulnerability scanner and manager
Web application security: Testing for vulnerabilities

Hope you will find this response useful.

Wednesday 23 October 2013

Website Scalability Test - JMeter Listeners

Question:


I am on a task to perform a scalability test of a website. I am new to JMeter and I want to know how to capture and analyze the test results using JMeter. More specifically I need to capture the response time of the pages that I would be testing.

By: Saran Sathyan


Answer:

You need to add a listener and configure it to write the test results into a log file. You have the option of using a CSV or XML file format. You can do this visually, by right clicking on your test project shown in the left explorer bar and then Add -> Listener -> ... JMeter provides many listeners and you may just choose either Simple Data Writer or View Results in Table. In the resulting window, you will find options to specify the output file location and configure the data elements that you want to capture. JMeter captures two time fields, one being the elapsed time and the other being latency. While the latency indicates the time to the first response, the elapsed time indicates the total time to load the page completely. With this listener, all your test results will be logged, and you may use simple tools like Excel, or import into MS Access or such other database as you are comfortable with, and then get the necessary summary data by grouping on appropriate fields.
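As an added example (not the questioner's or the blog's code), this script does the "group on appropriate fields" step directly on a JMeter CSV results log: it reads constructed sample rows in the column layout the CSV listener writes (a subset of the default columns) and summarizes elapsed time, latency, errors and bytes per page label:

```python
import csv
import io
import statistics

# Added example, not from the original post. SAMPLE_JTL is constructed sample
# data in the column layout of a JMeter CSV results file (subset of the
# default columns); elapsed and Latency are in milliseconds.
SAMPLE_JTL = """\
timeStamp,elapsed,label,responseCode,success,bytes,Latency
1382521200000,310,Home,200,true,15200,120
1382521200400,450,Home,200,true,15210,130
1382521200800,1200,Search,200,true,48000,600
1382521201200,980,Search,200,true,47500,540
1382521201600,2100,Search,500,false,512,2000
1382521202000,290,Home,200,true,15190,110
"""


def summarize(jtl_text):
    """Groups samples by label (page) and returns, per label, the sample
    count, error rate, average and maximum elapsed time (full page load),
    average latency (time to first response) and average bytes received."""
    groups = {}
    for row in csv.DictReader(io.StringIO(jtl_text)):
        groups.setdefault(row["label"], []).append(row)
    summary = {}
    for label, rows in sorted(groups.items()):
        elapsed = [int(r["elapsed"]) for r in rows]
        latency = [int(r["Latency"]) for r in rows]
        nbytes = [int(r["bytes"]) for r in rows]
        errors = sum(1 for r in rows if r["success"] != "true")
        summary[label] = {
            "samples": len(rows),
            "error_rate": round(errors / len(rows), 3),
            "avg_elapsed_ms": round(statistics.mean(elapsed), 1),
            "max_elapsed_ms": max(elapsed),
            "avg_latency_ms": round(statistics.mean(latency), 1),
            "avg_bytes": round(statistics.mean(nbytes), 1),
        }
    return summary


if __name__ == "__main__":
    for label, stats in summarize(SAMPLE_JTL).items():
        print(label, stats)
```

Point `summarize` at the contents of your own results file (`open(path).read()`) to get the same per-page table for a real run; an error rate that climbs as you ramp up users is usually the first sign the server is saturating.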


Generally, to assess the scalability of your website, you also need to monitor and collect stats from the server(s) on which your website is running at the same time your tests are run. You may have to engage your system administrators to help you in collecting the performance statistics on server resource utilization like CPU, memory, network bandwidth, disk IO, etc. As you simulate more load from JMeter, the utilization of the resources on the server will go up. The ideal approach is to plan to have multiple tests starting with 50 or 100 users and ramp up the load until the resource utilization on the server hits the maximum (say 90%). This way you may also benchmark the site performance on the given server hardware and network bandwidth.

Your report should also include the server utilization details in addition to the page response time and the bytes received, so as to make it useful for the report users to make further decisions. Also be aware that if you perform the load tests from one location, your test results might be biased, as you may hit the bandwidth limitation on your end. Hope this helps.

For more details on JMeter listeners, check out the documentation available online at http://jmeter.apache.org/usermanual/listeners.html