Web Software and Security Testing

Course:   WSST
Duration:   3 Days
Level:   I
On our website at:   http://www.verhoef-training.com/courses/WSST.html
 
Course Summary

Security, or the lack of it, is now perceived as a major problem for any form of on-line transaction. While no system will ever be 100% secure, there are a number of security measures that can, and should, be implemented so that the users of a Web site can be confident their data is reasonably protected.

This course introduces attendees to the security problems associated with Web sites and how to test the security measures which have been put into place.

Topics Covered In This Course

Testing Security

  • How big is the problem, where is the problem
  • Common attack methods
  • Security policies, building a policy
  • Hackers and crackers
  • Security testing techniques
  • Manual inspections and reviews - gap analysis
  • Threat modeling - attack trees and use/misuse cases
  • A framework for testing

Internet Architecture

  • Basic Internet architecture
  • Communication protocol models, the four-layer model
  • Packets, IP addresses, IP v4 and v6
  • Transmission Control Protocol (TCP), three-way handshake
  • HyperText Transfer Protocol (HTTP)
  • Universal Resource Locators (URL), Domain Name System (DNS)
  • Intranets and extranets
  • Virtual Private Networks

Wired and Wireless Networks

  • Wired networks, wireless networks, IP spoofing
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  • Encryption, Public Key Infrastructure (PKI)
  • SSL and TLS Sessions
  • Wireless encryption

Code Quality Assurance

  • Quality control and quality assurance
  • Unit testing
  • Hypertext Markup Language (HTML)
  • HTML validation
  • Images
  • Cascading Style Sheets (CSS)
  • Client-side scripting
  • Extensible Markup Language (XML)

Browsers and Web Servers

  • Client hardware and software
  • Different browsers (Internet Explorer, Firefox, Chrome, Opera, Safari, etc.)
  • Browser modes
  • Server software
  • Choosing the test environment

Navigation

  • Static and dynamic links
  • Framesets
  • Inline frames
  • Internal search engines
  • Site maps
  • Site navigation tools

Client-side Functionality

  • Forms
  • Client-side and server-side validation
  • AJAX
  • Client-side pop-ups
  • Client-side objects
  • Code signing
  • Java and the Java Virtual Machine

Server-side Functionality

  • Server-side includes
  • Dynamic page generation (ASP, PHP, Python, Ruby, etc.)
  • Common Gateway Interface (CGI)
  • Database interaction
  • Database middleware

Firewalls

  • What firewalls can and can't do
  • Packet filtering, screening routers
  • Proxy servers
  • Network address translation
  • Types of firewall configuration
  • Dual-homed host, screened host firewall system, screened subnet firewall system

Information Gathering

  • Mapping out the network topology, scoping the testing effort
  • IP address inventory, ping sweeps
  • Service/socket inventory, port scanning
  • Hardening the system software
  • Spiders, robots and crawlers
  • Web application fingerprinting
  • Using site maps
  • Testing source code
  • Testing for error code
  • Testing for weak cipher levels
  • Testing SSL certificate validity
  • Testing for file extension handling
  • Old, backup and unreferenced files, server logs
  • Evaluating intruder detection, intruder detection systems

Authentication Testing

  • Credentials transport testing
  • Testing for user enumeration
  • Default or guessable user accounts, brute force
  • Direct page requests, parameter modification, session ID prediction
  • File and directory privileges
  • Password remember and reset
  • Social engineering and insiders
  • Logout testing, cached pages

Session Management

  • Maintaining a session
  • Cookies
  • Private browsing
  • Analysis of session management
  • Cookie reverse engineering
  • Cookie manipulation by guessing
  • Cookie manipulation using brute force
  • Overflow
  • Exposed session tokens

Data Validation Testing

  • Cross site scripting
  • HTTP methods and cross site tracing
  • SQL injection
  • Testing for authorization bypass attacks
  • Testing for Select statement attacks
  • Testing for Insert statement attacks
  • Buffer overflows

What You Can Expect

In this course, you will learn how to:

Who Should Take This Course

Software testers, auditors, members of QA teams and test managers who will be involved in security testing and auditing of Web sites and applications.

Recommended Prerequisites

A basic knowledge of the Internet and software testing.

Training Style

Instructor led with 60% lecture and 40% lab.

Related Courses

Code     Course Title                                            Duration   Level
STCDEV   Software Testing Considerations for Developers          2 Days     I
UASTF    Software Testing/User Acceptance Testing Fundamentals   3 Days     I
STQA     Software Testing and Quality Assurance Techniques       3 Days     I
WSPT     Web Software and Performance Testing                    3 Days     I
JWSEC    Java Web Security                                       4 Days     II

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.