A code review gives a good, but not necessarily complete, picture of the security issues related to an application. What about software libraries, often supplied by third parties, for which no source code is available? Additionally, the structure of an application is often so complex that discovering all security issues by means of a code review alone proves highly time-consuming. For these reasons Qbit uses hands-on application testing.
With a hands-on application test, you will provide Qbit with a URL and, if applicable, authentication credentials and/or tokens. Qbit will then test the application hands-on for the following points of interest:
In various ways, for instance via reverse engineering of the interactive components of an application, information is gathered that could be used in staging an attack. Specific attention is paid to hidden form fields, cookies, certificates, HTML, directory indexing, directory traversal, et cetera.
Database access and access to the back office are normally only possible via the application. This part of the assessment aims at finding implementation and/or design issues that may lead to unauthorised access to the database or back office using injection techniques (for example SQL, LDAP, server-side includes).
In some cases, it is possible to crash an application or manipulate its actions by presenting input that differs completely from normal input. This can lead to unexpected behaviour such as information leakage, buffer overflows or cross-site scripting. In most situations, not all inputs are tested but a subset assumed to be representative.
This part of the assessment focuses on the possibility for non-authorised or authorised users to read or manipulate data of other users in non-authorised ways and/or authorise transactions in the name of another user. With the latter, think about manipulating certificates and/or performing a man-in-the-middle attack.
In case the security of a mobile app, like an iOS or Android app, is tested, Qbit will:
- Download the apps through the regular store.
- Install the apps on our test phones.
- Perform a static analysis using tools like QARK to test whether, for instance, dangerous permissions are required and whether the app is protected against common vulnerabilities.
- Use an isolated test network to map the traffic of the app (normal use). We will check whether, for example, secure connections are used and only necessary information is sent.
- Analyse the configuration, cache and temporary files that are stored on the phone. Are they secured or encrypted? Do they contain sensitive information? And how does the app react to external changes?
Benefits of hands-on application testing
- Find out if your application is hacker-proof
- Insight into the level of security and real vulnerabilities
- Practical and feasible recommendations