Test Automation Forum

Welcome to TAF - Your favourite Knowledge Base for the latest Quality Engineering updates.


(Focused on Functional, Performance, Security and AI/ML Testing)

Brought to you by MOHS10 Technologies

Security Testing


VAPT to Safeguard your Healthcare Apps

Introduction:
In an era where cyber threats are increasingly sophisticated, ensuring the security of healthcare applications is paramount. This article outlines the process of conducting a vulnerability assessment and gray-box penetration test on a healthcare application using Burp Suite Professional, OWASP ZAP and manual testing techniques. The primary objective was to identify vulnerabilities that attackers could exploit and to provide recommendations for mitigating these risks.

Purpose of testing:
The purpose of this security testing was to identify vulnerabilities in the healthcare application and ensure its robustness against cyber threats. By uncovering weaknesses, we aim to enhance the application's security posture, protect sensitive health data and ensure compliance with industry standards (the OWASP Top 10).

Scope of testing:
The scope encompassed both automated and manual testing techniques. The testing focused on identifying critical vulnerabilities, including OWASP Top 10 issues, SQL injection, cross-site scripting (XSS) and other common security flaws. The testing was divided into two main phases:
- Vulnerability assessment
- Penetration testing

Tools and techniques:
Vulnerability assessment: automated scanning tools, Burp Suite Professional and OWASP ZAP, were employed to systematically identify common security vulnerabilities. These tools were chosen for their robust capabilities in detecting a wide range of security issues efficiently. The automated phase involved:
- Burp Suite Professional: used for its extensive functionality in identifying and exploiting vulnerabilities, Burp Suite provided comprehensive coverage of the OWASP Top 10 issues.
- OWASP ZAP: utilized for its user-friendly interface and effective automated scanning, OWASP ZAP was instrumental in the initial identification of vulnerabilities.

The automated scans targeted various components of the healthcare application to uncover vulnerabilities such as:
- SQL injection
- Cross-site scripting (XSS)
- OWASP Top 10 issues
- Other critical vulnerabilities
These automated scans provided a comprehensive overview of the existing security weaknesses within the healthcare application, setting the stage for the subsequent penetration testing phase.

Penetration testing: the manual testing phase involved a more detailed and nuanced examination of the system. This included:
- Thorough manual assessment: we began with a meticulous manual review of the application to identify potential vulnerabilities. This involved examining the architecture and functionality to pinpoint the fields and components most susceptible to attack.
- Exploitation of vulnerabilities: based on the findings from the manual assessment and the automated scans, we attempted to exploit identified vulnerabilities to understand their potential impact.
- Identification of additional vulnerabilities: manual testing also focused on discovering vulnerabilities that automated tools might have missed, ensuring a comprehensive assessment.

Findings and analysis:
The combination of automated and manual testing techniques provided a full view of the healthcare application's security posture. Key findings included:

High severity issues:
- Cloud metadata exposure: the assessment revealed that cloud metadata was potentially exposed, posing a significant risk to the confidentiality and integrity of sensitive data stored in the cloud environment.

Medium severity issues:
- CSP (Content Security Policy) wildcard directive: the presence of wildcard directives in the Content Security Policy could weaken security controls and increase the risk of cross-site scripting (XSS) attacks.
- Hidden file found: discovery of hidden files within the application's directory structure could indicate potential security risks or unauthorized access.
- TLS certificate issues: weaknesses in the Transport Layer Security (TLS) certificate configuration could expose sensitive data to interception or unauthorized access.
- Strict transport security not enforced: failure to enforce HTTP Strict Transport Security (HSTS) could leave the application vulnerable to protocol downgrade attacks and unauthorized access.

Low severity issues:
- The assessment also identified areas for improvement in data protection measures, although these were classified as low severity.

Recommendations:
Based on the findings, we provided the following recommendations to mitigate the identified risks:

High severity issues:
- Cloud metadata exposure: implement stringent access controls and encryption for cloud metadata to prevent unauthorized access. Regularly review and update cloud security configurations to ensure compliance with best practices.

Medium severity issues:
- CSP wildcard directive: remove wildcard directives from the Content Security Policy and define specific sources for content to minimize the risk of XSS attacks.
- Hidden file found: conduct a thorough audit of the application's directory structure to identify and secure hidden files. Implement access controls to restrict unauthorized access.
- TLS certificate issues: review and strengthen the TLS certificate configuration. Ensure the use of strong, up-to-date certificates and enforce proper TLS protocols to protect data in transit.
- Strict transport security not enforced: enable and enforce HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks and ensure secure communication.

Low severity issues:
- Data protection improvements: enhance data protection measures, including data encryption and secure storage practices. Regularly review and update security policies to align with industry standards.

Conclusion:
The vulnerability assessment and penetration testing of the healthcare application highlighted critical security issues and provided valuable insights into the application's security. By addressing the identified vulnerabilities and implementing the recommended security measures, the healthcare application can significantly strengthen its defence against potential cyber threats, ensuring the safety and integrity of sensitive health data.
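As an added example, not part of the article or of the MOHS10 engagement it describes, the following Python check looks for two of the medium-severity findings above (a CSP wildcard directive and HSTS not enforced) in one response's headers. The sample responses are constructed, and passing requests.head(url).headers for a live check is an assumption, not something the article shows.

```python
# Added example (not code from the article or from MOHS10): check one HTTP
# response's headers for two of the medium-severity findings above, a CSP
# wildcard directive and HSTS not enforced. Sample responses are constructed.
from typing import Dict, List
FETCH_DIRECTIVES = ("script-src", "object-src", "frame-src")  # fall back to default-src
ONE_YEAR = 31536000  # the HSTS max-age most scanners expect at minimum

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src *" into {directive: [sources]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means both checks pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        d = parse_csp(csp)
        for name in FETCH_DIRECTIVES:
            sources = d.get(name, d.get("default-src"))
            if sources is None:
                findings.append(f"CSP: no {name} and no default-src fallback")
            elif any(s == "*" or s.startswith("*.") for s in sources):
                findings.append(f"CSP wildcard in {name}: {' '.join(sources)}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS not enforced: header missing")
    else:
        max_age = 0
        for token in hsts.split(";"):
            key, _, value = token.strip().partition("=")
            if key.strip().lower() == "max-age" and value.strip().isdigit():
                max_age = int(value)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short: {max_age}")
    return findings

# Constructed responses: the weak one reproduces both findings.
WEAK_RESPONSE = {"Content-Security-Policy": "default-src 'self'; script-src * 'unsafe-inline'"}
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

A fetch directive that is absent falls back to default-src, so the check reports a policy that has neither rather than silently passing it.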

The Top 10 Application Security Issues of 2021 (OWASP) & how to test them

Introduction
With trending technologies such as AI, IoT, AR & VR, 5G and blockchain entering our daily lives, cybersecurity has become more vital than ever, for individuals and enterprises alike. In recent years we have seen rapid expansion of the Internet across the world, which has produced significant demand for web applications with strict security requirements.

Modern web systems are complex, distributed, heterogeneous and rapidly changing, while the web domain itself is pervasive and dynamic. That makes it prone to malicious actions such as virus attacks and other threats, so security becomes a critical issue and is closely tied to the quality of web applications. Integrating security testing with the development phase decreases the risk to the web application. The main goal of security testing is to detect the flaws that hackers could exploit. In this article we discuss the OWASP 2021 Top 10 application security vulnerabilities and how to detect them much earlier in the application lifecycle, so that they can be addressed before the application is deployed to production.

Let's start with the Top 10 application security issues reported by the Open Web Application Security Project® (OWASP Foundation, https://owasp.org/) in 2021.

OWASP Top 10 application security issues (2021):

1. Broken Access Control: Broken access control vulnerabilities let an attacker reach data exchanged between the server and the client that they are not entitled to. Here the attacker acts as a user without being logged in, or as an admin while logged in as an ordinary user. The attack is carried out by bypassing access control checks: altering the application URL (parameter tampering or forced browsing), the internal application state or the HTML page, or using an attack tool to modify API requests.
QA/testing teams should include functional access control scenarios in the integration and system testing phases. In a role-based web app, all absolute links should be tested thoroughly for every type of user to ensure the right level of authentication is in place.

2. Cryptographic Failures: This category mainly leads to the exposure of sensitive data: passwords, credit card numbers, medical records, confidential records or private email. If the encryption of sensitive data is weak or missing, attackers can access the data in an unauthorised manner and manipulate it to launch further attacks. The application shouldn't store sensitive data unnecessarily. Developers must ensure that sensitive data is discarded as soon as possible, or use PCI DSS compliant tokenization or even truncation. Dev/QA teams should ensure that application data is identified and classified according to privacy laws, regulatory requirements or business needs, and must develop test cases that check for adequate encryption when the application stores and handles this data.

3. Injection (SQL, NoSQL, OS command and others): In an injection attack, the attacker manipulates the queries an application sends to its backend, typically a relational database, and can read records such as usernames and passwords. Given the right circumstances, an SQL injection vulnerability can be used to bypass a web application's authentication and authorisation mechanism and retrieve the content of the entire database. It can also be used to modify, add and delete records in a database, which affects data integrity. The testing team should ensure that ample client-side and server-side validations are in place before the application accepts user input for processing at the server end.

4. Insecure Design: This is a new category introduced in 2021 that focuses on vulnerabilities related to design and architectural flaws in web applications.
Applications today must use threat modelling, secure design patterns and reference architectures. As we adopt methodologies such as Agile and DevOps, the rigour around application security must shift left, starting as early as the requirements phase, e.g. by identifying protection requirements such as confidentiality, integrity, availability and authenticity. Application teams should consider leveraging the OWASP Software Assurance Maturity Model (SAMM, https://owaspsamm.org/) to structure their secure software development efforts.

5. Security Misconfiguration: Security misconfiguration refers to the infrastructure or server used to host the web application. Misconfigured services or settings (e.g. unnecessary ports, services, pages, accounts or privileges) can allow attackers to compromise the system. Misconfiguration vulnerabilities leave the application open to attacks that target any component of the application stack. Unencrypted files, old and out-of-date web applications, unused devices and applications, and similar misconfigurations all count as security misconfiguration issues. Development, QA/staging and production environments must be set up and configured identically, with ample authentication and authorisation in place. This process can be automated with good third-party utilities (e.g. Chef, https://www.chef.io/) to minimise the effort required to set up a new, secure environment on demand.

6. Vulnerable and Outdated Components: This moved from #9 in the 2017 list to #6 in 2021. Vulnerable components are a known issue that we struggle to test and assess for risk; it is the only group that does not have any Common Weakness Enumeration (CWE). The whole deployment of the application is likely to be vulnerable if we are using vulnerable, unsupported or out-of-date third-party components on either the client or the server side.
This can be prevented by removing unused dependencies and unnecessary features. There should be a continuous check on the versions in use on both client and server. Every organisation should develop a plan for monitoring, triaging and applying updates or configuration changes for the lifetime of the application or portfolio, as part of its company-wide security policy.

7. Identification and Authentication Failures: Previously known as Broken Authentication, this has moved from #2 in the 2017 list to #7 in 2021 but is still in the Top 10, which is a big deal. It deals with user identity, authentication and session management, all of which are critical to protecting the application and the sensitive
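The functional access-control scenarios recommended under item 1 (every absolute link exercised as every type of user) can be driven by a test matrix like the following. This is an added example, not the article's code; the routes, sessions and the stand-in server are constructed assumptions, and in a real suite the server call would be an HTTP request carrying each user's session cookie.

```python
# Added example (not the article's code): the role-based access-control test
# matrix recommended under item 1. The server is a constructed stand-in; in a
# real suite handle_request would send HTTP requests with each user's cookie.
from typing import Callable, Dict, List, Tuple

# Constructed policy: which roles may reach each absolute URL.
ROUTE_POLICY = {
    "/dashboard": {"user", "admin"},
    "/admin/users": {"admin"},
    "/api/users/42": {"user", "admin"},  # owner (uid 42) or an admin only
}
SESSIONS = {
    "anonymous": {}, "admin": {"role": "admin", "uid": "1"},
    "user42": {"role": "user", "uid": "42"}, "user7": {"role": "user", "uid": "7"},
}

def handle_request(path: str, session: Dict[str, str]) -> int:
    """Correct stand-in server: role check plus object-level ownership check."""
    if not session:
        return 401
    if session["role"] not in ROUTE_POLICY.get(path, set()):
        return 403
    if path.startswith("/api/users/") and session["role"] != "admin":
        if path.rsplit("/", 1)[1] != session["uid"]:
            return 403  # another user's record
    return 200

def handle_request_no_owner_check(path: str, session: Dict[str, str]) -> int:
    """Flawed variant: role check only, so user7 can read user42's record."""
    if not session:
        return 401
    return 200 if session["role"] in ROUTE_POLICY.get(path, set()) else 403

# Oracle: the expected status for every (path, user) pair.
EXPECTED = {
    ("/dashboard", "anonymous"): 401, ("/dashboard", "user42"): 200,
    ("/dashboard", "user7"): 200, ("/dashboard", "admin"): 200,
    ("/admin/users", "anonymous"): 401, ("/admin/users", "user42"): 403,
    ("/admin/users", "user7"): 403, ("/admin/users", "admin"): 200,
    ("/api/users/42", "anonymous"): 401, ("/api/users/42", "user42"): 200,
    ("/api/users/42", "user7"): 403, ("/api/users/42", "admin"): 200,
}

def run_matrix(server: Callable[[str, Dict[str, str]], int]) -> List[Tuple[str, str, int, int]]:
    """Exercise every route as every user; return (path, user, expected, got) mismatches."""
    failures = []
    for (path, user), want in EXPECTED.items():
        got = server(path, SESSIONS[user])
        if got != want:
            failures.append((path, user, want, got))
    return failures
```

Running the matrix against the flawed server reports the single missing ownership check, which a role-only test would never reach.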
