
Lesser-known application security problems that testers should be aware of

SQL injection and cross-site scripting seem to get the most attention in the application security space, but there are other flaws testers should be aware of. Problems like logic errors and weak passwords often fly under the radar and thus cause problems.

I'm pretty confident in my ability to check for common Web security flaws but are there other issues I need to be concerned about that are less-obvious?
You're right. By using the right tools and techniques, it's reasonably simple to find the mainstream Web vulnerabilities. I've found that you can take your testing to the next level by looking for additional security flaws such as:

  • Logic problems that facilitate manipulation of the application
  • Session management weaknesses related to cookies and session IDs that allow for privilege escalation
  • Accounts with weak passwords
  • Login mechanism weaknesses that permit unauthorized access - especially within home-grown multi-factor authentication systems
  • Login credentials and other sensitive information left behind in the Web browser cache/history files

In addition, don't forget to consider vulnerabilities at the server level such as running unnecessary services, missing patches, running SSL version 2, and weak encryption ciphers for your SSL certificates.

Your approach to this shows that you take application security seriously so you're halfway there. Keeping a sharp eye out for all the less common issues will help you take your application testing to a new level. This is good for business and good for your career! If you still have questions and concerns about application security outside of what I included in my expert response I recommend checking out some of the below resources.
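Several of the items above (session cookies that allow privilege escalation, credentials left in the browser cache, SSL version 2 and weak ciphers) can be spotted by inspecting what the server actually sends. The following is an added example, not code from the original answer or from TechTarget: it parses a constructed HTTP login response, audits each Set-Cookie header for the Secure, HttpOnly and SameSite attributes and for an obviously short or sequential session ID, checks whether the response forbids caching, and flags obsolete protocols and weak cipher names in a constructed TLS offer. The sample headers, the cipher list, the 64-bit session-ID threshold and the weak-cipher markers are all assumptions made for the example.

```python
"""Response-header checks for a few of the 'lesser-known' issues discussed above.
All sample inputs below are constructed for this example, not captured from any real site."""
import re

# Substrings that mark a cipher suite as weak (uppercase; assumption for the example)
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "DES", "RC4", "MD5", "ANON")
OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3")

# Constructed login response: one weak session cookie, one hardened one, and a cacheable page
LOGIN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=1234; Path=/
Set-Cookie: authtoken=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08; Path=/; Secure; HttpOnly; SameSite=Strict
Cache-Control: public, max-age=3600
"""

# Constructed TLS offer as a scanner might report it (assumption for the example)
TLS_OFFER = {"protocols": ["SSLv2", "TLSv1.2"],
             "ciphers": ["RC4-MD5", "ECDHE-RSA-AES128-GCM-SHA256"]}


def parse_headers(raw):
    """Split a raw response header block into (name, value) pairs, keeping repeats (e.g. Set-Cookie)."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def estimate_bits(value):
    """Crude entropy estimate from the value's alphabet: digits only -> treated as predictable (0),
    hex -> 4 bits per char, anything broader -> 6 bits per char (base64-like)."""
    if value.isdigit():
        return 0
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return len(value) * 4
    return len(value) * 6


def audit_session_cookie(set_cookie_value, min_id_bits=64):
    """Return a list of findings for one Set-Cookie header value."""
    findings = []
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag (cookie also sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag (readable by script if XSS exists)")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite attribute")
    bits = estimate_bits(value)
    if bits < min_id_bits:
        findings.append(f"{name}: session id has roughly {bits} bits, below {min_id_bits}")
    return findings


def audit_response(raw):
    """Audit every session cookie in a response and whether the page may be cached by the browser."""
    headers = parse_headers(raw)
    report = {"cookies": {}, "caching": []}
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split(";", 1)[0].partition("=")[0].strip()
            report["cookies"][cookie_name] = audit_session_cookie(value)
    cache_values = [v.lower() for n, v in headers if n == "cache-control"]
    if not any("no-store" in v for v in cache_values):
        report["caching"].append(
            "Cache-Control lacks no-store: login page and form data may persist in the browser cache")
    return report


def audit_tls(protocols, ciphers):
    """Flag obsolete protocol versions and cipher suites containing a weak-cipher marker."""
    findings = [f"obsolete protocol enabled: {p}" for p in protocols if p in OBSOLETE_PROTOCOLS]
    for suite in ciphers:
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {suite}")
    return findings


if __name__ == "__main__":
    for cookie, issues in audit_response(LOGIN_RESPONSE)["cookies"].items():
        print(cookie, issues or "ok")
    print(audit_response(LOGIN_RESPONSE)["caching"])
    print(audit_tls(TLS_OFFER["protocols"], TLS_OFFER["ciphers"]))
```

The entropy estimate is deliberately rough: it only distinguishes a numeric, sequential-looking ID from a long random token, which is the practical question when deciding whether a session ID could be guessed. A real assessment would also compare several IDs issued in a row to confirm they are not predictable.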

More information on application security
Quick attacks for Web security, penetration testing and SQL advisory
Are you in need of penetration testing but are on a strict budget? Expert Matt Heusser provides tips and tricks to get your software application live and without issues.

Network security: Analyze your hosts and ports with nmap, Nessus, and netcat
Application expert explains security tool options like nmap, Nessus and netcat to make your software applications safe and secure.
