SECURITY TESTING – GET STARTED!

CHECKLIST FOR DEVELOPERS AND TESTERS

If you have been thinking of starting security testing as a programmer or tester, here is a basic checklist to get started. Look below!

  • Make sure your robots.txt file doesn’t give away sensitive URLs like /admin, /administration, /admin.aspx or /administratorLogin/index.php, or any other file that leads a malicious user to the administrator login form.
  • Make sure your 403 pages are shown as 404 on the front end, without giving the hacker a hint about the sensitivity of the webpage.
  • Mask your server details like Apache / PHP / ASP, which give hints about the server and the programming languages used. Also, mask the version number of your server and programming language.
  • Add HTTPS / SSL Certificate if your website has money transactions or authentication pages.
  • Make sure server-side validation is implemented for every form field. For instance: on the client side there is JS code that stops the user from entering a DOB of 31/Feb/1999, but a malicious hacker can bypass JS client-side validation using an addon like “Tamper Data” and submit the invalid DOB to the server. This shouldn’t be possible, and server-side validation is important for every form field.
  • Make sure the 404 page is implemented securely. Try using URLs like http://example.com/page-that-doesnt-exist, http://example.com/example/hey.asdf, http://example.com//hello//..//whatsup, http://subdomaindoesntexist.example.com, and more combinations. Sometimes the webpage displays sensitive data if the server doesn’t know how to handle a particular URL type.
  • Make sure ports that are not being used are closed or set as filtered. I recommend “filtered” instead of “closed”. The only ports that I see should be open are 80 and 443 (80 = HTTP | 443 = HTTPS).
  • Make sure directory listing is set to OFF. This is one place that can look like a great treasure if directory listing is set to on.
  • If you are using a framework like DJANGO or any other development framework, make sure DEBUG is turned off before you deploy on the production server.
  • Make sure the session IDs are dynamic. You can look at these session IDs or cookie IDs by using the Live HTTP Headers addon on Firefox. Check them without and with a logged-in session to also find “session fixation” vulnerabilities.
  • Make sure you have closed the critical ports and kept HTTP and HTTPS open (because you want your users to visit your web application or website). I insist on using the “filtered” state instead of “closed” for much better results. You can do the port scanning by using nmap (an open-source utility).

Once you install nmap, you can open a terminal on Mac (I use a Mac currently) and type,

ping website-url

(You will get the IP address of the website)

And then,

sudo nmap -sS IP-address-of-the-website
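The server-side validation item in the checklist above (the 31/Feb/1999 DOB that client-side JS rejects but a tampered request can still submit) is the kind of thing that is easiest to get right with a small, strict validator. The following is an added example, not code from the original post. It assumes the form sends the field as text in DD/Mon/YYYY form and that the handler returns a dict the caller turns into a 400 response; the submissions at the bottom are constructed.

```python
"""Server-side validation of a date-of-birth form field (added example)."""
from datetime import date, datetime
from typing import Optional

REFERENCE_DAY = date(2024, 1, 1)  # fixed "today" for the demo so results are reproducible


class ValidationError(ValueError):
    """Raised when a submitted field fails server-side validation."""


def validate_dob(raw: object, today: Optional[date] = None) -> date:
    """Parse and validate a date of birth exactly as the server received it.

    Nothing the browser did is trusted: the field is re-checked for type,
    length, format, and plausibility before it is used.
    """
    today = today or date.today()
    if not isinstance(raw, str):
        raise ValidationError("date of birth must be a string")
    value = raw.strip()
    if len(value) > 11:  # "DD/Mon/YYYY" is at most 11 characters; reject oversized input early
        raise ValidationError("date of birth is too long")
    try:
        # strptime rejects impossible calendar dates such as 31/Feb/1999 with ValueError,
        # so the check the client JS performs is repeated authoritatively here.
        parsed = datetime.strptime(value, "%d/%b/%Y").date()
    except ValueError:
        raise ValidationError("date of birth is not a valid DD/Mon/YYYY date") from None
    if parsed > today:
        raise ValidationError("date of birth is in the future")
    if parsed.year < today.year - 130:
        raise ValidationError("date of birth is implausibly old")
    return parsed


def handle_registration(form: dict, today: Optional[date] = None) -> dict:
    """Simulated request handler: every field is validated again on the server.

    Returns {"ok": True, "dob": "<ISO date>"} on success or
    {"ok": False, "error": "<message>"} so the caller can render a 400.
    """
    try:
        dob = validate_dob(form.get("dob", ""), today)
    except ValidationError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "dob": dob.isoformat()}


if __name__ == "__main__":
    # Constructed submissions: the first is what a request that skipped the
    # client-side JS check would deliver; the last two are other bad inputs.
    samples = [{"dob": "31/Feb/1999"}, {"dob": "28/Feb/1999"},
               {"dob": "01/Jan/2030"}, {"dob": "<script>"}]
    for payload in samples:
        print(payload, "->", handle_registration(payload, today=REFERENCE_DAY))
```

The point of injecting `today` is that the plausibility checks stay testable; in production call `handle_registration(form)` and let it use the real date.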
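To turn the nmap scan above into a repeatable check, the output can be parsed and compared against the checklist's rule (only 80 and 443 open, everything else filtered rather than closed). This is an added example, not code from the original post; the scan text below is constructed to look like nmap's port table and is not a real scan result.

```python
"""Audit nmap -sS output against the checklist's port rule (added example)."""
import re
import subprocess
from typing import Dict, List, Set

ALLOWED_OPEN = {80, 443}  # the only ports the checklist expects to be open

# One row of nmap's port table, e.g. "8080/tcp closed http-proxy"
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S*)",
    re.MULTILINE,
)

# Constructed sample, shaped like "sudo nmap -sS <ip>" output (192.0.2.10 is a documentation address).
SAMPLE_SCAN = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-01 10:00 GMT
Nmap scan report for 192.0.2.10
Host is up (0.011s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
3306/tcp open   mysql
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 4.52 seconds
"""


def parse_ports(scan_text: str) -> List[Dict[str, object]]:
    """Extract port/protocol/state/service rows from nmap's text output."""
    rows = []
    for m in PORT_ROW.finditer(scan_text):
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
        })
    return rows


def audit(scan_text: str, allowed: Set[int] = ALLOWED_OPEN) -> Dict[str, List[int]]:
    """Return the ports that violate the checklist.

    unexpected_open: open ports outside the allow-list (should not be reachable).
    closed_not_filtered: ports reported 'closed'; the post prefers 'filtered',
    which gives a scanner no response at all.
    """
    ports = parse_ports(scan_text)
    unexpected = sorted(p["port"] for p in ports
                        if p["state"] == "open" and p["port"] not in allowed)
    closed = sorted(p["port"] for p in ports if p["state"] == "closed")
    return {"unexpected_open": unexpected, "closed_not_filtered": closed}


def scan_host(target: str) -> str:
    """Run the scan the post describes against a host you administer and return its output.

    Not executed in the demo; requires nmap installed and root privileges.
    """
    result = subprocess.run(["sudo", "nmap", "-sS", target],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    findings = audit(SAMPLE_SCAN)
    print("open but not allowed:", findings["unexpected_open"])
    print("closed rather than filtered:", findings["closed_not_filtered"])
```

Run it on a real scan with `audit(scan_host("your-server-ip"))`; a clean result is two empty lists.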

ENTRY INTO THE HOUSE WITHOUT THE RIGHT KEY!

I am currently in Eastleigh (United Kingdom) and this morning I went to the city center and visited some shops. I wanted to buy a toy for my friend Mr. Thomas, who is a brilliant human being at the age of 4. It was an impulsive decision based on my love for Mr. Thomas (the emperor of future goodness). I got inside the shop with my wife and my captain Tracy Stevenson to purchase the toy that we saw through the glass. The toy cost 60 GBP and I thought of using the card which was carried by my wife Gina Enache. She handed the card over to me and I punched it into the point of sale device.

After punching it in, I entered the PIN number and the transaction failed due to the reason “INSUFFICIENT FUNDS”. This was surprising to me, as my Kotak Credit Card had sufficient balance before I flew to the UK from India. Anyway, as I had cash as well, I could purchase the toy. I was happy, but I was also wondering about the card’s sufficient funds. Later, we started to walk to a shopping mall and Gina wanted to buy a local SIM card for her phone. Out of curiosity, I wanted to try the same card again to do the transaction. I punched in the card and, before I entered the PIN, I saw that it was a debit card and not a credit card (the same card was used before and the transaction failed due to insufficient funds). But, wait! When I did the transaction for the first time in the toy shop, I entered the PIN number of my Kotak Credit Card for my Kotak Debit Card and it said INSUFFICIENT funds (this is true because my debit account probably had a low balance or no balance).

Now, my question is: the debit card PIN I entered was incorrect (because I thought it was the credit card and punched in the wrong PIN) and still I received the message “INSUFFICIENT funds” on the POS display. How does it authenticate to even know “INSUFFICIENT FUNDS” without the correct PIN of the card?

The algorithm looks like, “Without the right PIN number, the POS device can get into my account and check the balance?” Creepy!

I think that the message I should receive is “INCORRECT PIN” instead of “INSUFFICIENT FUNDS”.

What are your views?