Security Testing

Security testing is the part of software product research aimed at finding, demonstrating, and correcting defects that threaten the safety of user data. The properties it protects are:

  • Integrity. Limiting the number of users who have access to the data, and determining how much damage the loss of particular data would cause.
  • Availability. Resources must be available to an authorized user, internal entity, or device. As a rule, the more critical the resource, the higher the level of availability it requires.
  • Confidentiality. Hiding certain resources or information, that is, restricting access to a resource to a defined category of users.

During testing, the tester most often takes the role of an attacker and manipulates the application in different ways:

  • Attempting to discover passwords by external means.
  • Attacking the system with specialised tools that probe its protections.
  • Overloading or flooding the system to see whether it stops serving other clients.
  • Deliberately injecting faults to try to get into the system while it is recovering.
  • Browsing unrestricted data in search of a login key.

There are several common types of vulnerability:

XSS (Cross-Site Scripting) is a web application vulnerability in which an attacker's script is placed into a server-generated page and executed in the client's browser.
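The usual root cause of XSS is that untrusted input is written into the page without encoding for the context it lands in. The following added example (not code from the original article) shows a vulnerable rendering function next to its hardened form, using Python's standard `html.escape`; the comment and search strings are constructed sample inputs, and the function names are the example's own.

```python
import html

# Constructed sample: a comment body as a malicious user might submit it.
SAMPLE_COMMENT = '<script>alert("xss")</script>'

# Constructed sample for the attribute context: a search string containing quotes.
SAMPLE_QUERY = 'say "hello"'


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: untrusted input is pasted into the page verbatim, so any
    # markup or script in it is parsed and run by every visitor's browser.
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    # Hardened: HTML-encode the value for the element-body context. '<' becomes
    # '&lt;', so the browser displays the text instead of executing it.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_search_box_safe(query: str) -> str:
    # Attribute context: the value sits inside double quotes, so quote=True is
    # essential; otherwise a '"' in the input would close the attribute early.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def contains_script_tag(page: str) -> bool:
    # Small check a test suite or output scanner can apply to rendered HTML.
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(render_search_box_safe(SAMPLE_QUERY))
```

Encoding must match the output context: the body of an element, an attribute value, a URL and a JavaScript string each need different treatment, and a template engine that auto-escapes by default removes most of the opportunity for this mistake.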

XSRF/CSRF (Cross-Site Request Forgery) is a vulnerability that exploits how the HTTP protocol handles requests. Attackers work according to the following scheme: a link to a malicious site is placed on a page the user trusts; when the user clicks that link, a script runs that captures the user's personal data (passwords, payment information, etc.), sends spam messages on behalf of the user, or changes the access settings of the user's account in order to gain full control over it.
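The standard defence is to require, on every state-changing request, a secret token that a third-party page cannot obtain, so that a forged request carrying only the browser's cookies is rejected. The example below is added here and is not the article's code; it binds a token to the session id with an HMAC under a server key, and the session ids, key and request dictionaries are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: the server holds one secret key; generated fresh here for the example.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    # The token is derived from the session id, so a token observed in one
    # session is useless in another, and the server stores nothing extra.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str],
                      key: bytes = SERVER_KEY) -> bool:
    if not submitted:
        return False
    expected = issue_csrf_token(session_id, key)
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of the token were correct.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(request: dict) -> str:
    # Simulated state-changing handler. `request` is a constructed dict with
    # 'session_id' (taken from the session cookie the browser sends automatically)
    # and 'form' (the POST body, which only a page on our own origin can fill in).
    token = request["form"].get("csrf_token")
    if not verify_csrf_token(request["session_id"], token):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    sid = "session-constructed-1"
    form_from_our_site = {"amount": "10", "to": "carol", "csrf_token": issue_csrf_token(sid)}
    form_from_elsewhere = {"amount": "10", "to": "carol"}  # cookie present, token absent
    print(handle_transfer({"session_id": sid, "form": form_from_our_site}))
    print(handle_transfer({"session_id": sid, "form": form_from_elsewhere}))
```

The token only helps if it is checked on every request that changes state, including ones made with `GET`, and it complements rather than replaces setting the session cookie with `SameSite=Lax` or `Strict`.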

Code injection (SQL, PHP, ASP, etc.) is a vulnerability that makes it possible to run executable code in order to gain access to system resources, read data without authorization, or disable the system.

Server-Side Includes (SSI) Injection is a vulnerability in which server-side include directives are inserted into HTML code and executed directly by the server.

Authorization Bypass is a vulnerability in which it is possible to gain unauthorized access to another user's account or documents.
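A common form of this is an endpoint that authenticates the caller but never checks that the object identified in the request belongs to them. The added example below (not the article's code) models a tiny document store and contrasts a lookup that trusts the requested id with one that enforces ownership; the users, documents and exception type are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed store: two users, each owning one private document.
DOCS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's private notes"),
}


class Forbidden(Exception):
    pass


def get_document_unsafe(current_user: str, doc_id: int) -> Document:
    # Vulnerable: we know who current_user is (authentication has happened),
    # but nothing ties the requested id to that user, so changing the id in
    # the request returns someone else's document.
    return DOCS[doc_id]


def get_document_safe(current_user: str, doc_id: int) -> Document:
    doc = DOCS.get(doc_id)
    # Hardened: the ownership check is made on the server, next to the data.
    # "Not found" and "not yours" raise the same error so that a caller cannot
    # use the response to learn which ids exist.
    if doc is None or doc.owner != current_user:
        raise Forbidden(f"user {current_user} may not read document {doc_id}")
    return doc


def can_read(current_user: str, doc_id: int) -> bool:
    # Convenience wrapper for tests and access-review tooling.
    try:
        get_document_safe(current_user, doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("unsafe:", get_document_unsafe("alice", 2).body)   # bob's notes leak
    print("safe  :", can_read("alice", 2), can_read("bob", 2))
```

In a real service the check belongs in one place the data layer always passes through, not in each handler; a tester can then probe for bypasses by taking any id returned for one account and requesting it from another.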

By Alex Kara on Aug 12, 2021