As cyber threats become increasingly sophisticated, ensuring the integrity and security of your applications is more critical than ever. According to Security Magazine, there are around 2,220 cyberattacks daily, equating to more than 800,000 attacks yearly. While automated security testing tools can efficiently identify many common issues, they often miss specific vulnerabilities that can only be detected through manual testing.
In this article, you will learn 9 tips on how to perform security testing manually. Let’s start!
What is Security testing?
Security testing is a crucial part of quality assurance in the software development lifecycle. It ensures that the product is protected against security threats like hacking, viruses, and other malicious attacks, protecting the integrity of the application, its data, and its users.
Security testing includes various specialized forms of testing, with penetration testing being the most popular.
This type of testing requires a deep understanding of potential threats and how to prevent them, helping to avoid catastrophic security breaches.
Why is manual security testing important?
- Contextual understanding – Manual testers can grasp the detailed contexts in which software operates. This awareness helps them identify vulnerabilities specific to the application's architecture, design, and functionality.
- Creative exploration – Human testers bring creativity to the process, envisioning attack scenarios and techniques that automated tools might miss. This creativity is crucial for uncovering novel vulnerabilities.
- Realistic simulation – Manual testing mimics the methodologies of real attackers, providing a more accurate simulation of real-world cyber threats. Testers can adapt their techniques to evolving attack vectors, enhancing the test's effectiveness.
- Comprehensive reporting – Testers offer detailed insights into vulnerabilities, including potential impacts and recommended mitigation strategies. This rich reporting helps developers create targeted security enhancements.
Types of manual security testing
Manual security testing includes several types, such as:
- Penetration testing (Ethical Hacking) – Simulates real-world attacks to identify system vulnerabilities. Certified ethical hackers try to breach systems under controlled conditions without causing damage.
- Application security testing – Identifies vulnerabilities in software applications throughout their development lifecycle.
- Web application security testing – Identifies vulnerabilities in web applications, such as issues with user authentication, data protection, and exposure to attacks like SQL injection and cross-site scripting (XSS).
- API security testing – Uncovers vulnerabilities in APIs that could allow unauthorized access or data exposure. It includes testing for issues like man-in-the-middle (MiTM) attacks, injections, and improper authorization controls.
9 best tips to perform security testing manually
Here are some of the best tips on how to perform security testing manually:
1. Monitor access control management
Access control is essential for protecting applications and systems from unauthorized access, both from external attackers and internal threats. Access control management can be divided into two categories:
- Authentication (who you are)
- Authorization (what you can do and what information you can access).
For example, employees should only access information relevant to their jobs. A customer service representative might need access to customer contact information and service history but should not have access to financial records or proprietary business data. This approach ensures that sensitive information is only accessible to those with the appropriate permissions, reducing the risk of data breaches and misuse of information.
Manual Testing steps:
- Create user accounts – Set up accounts with different roles.
- Attempt access – Use these accounts to access the application or system, ensuring each account only accesses its designated forms, screens, accounts, menus, and modules.
- Cross-role requests – Test requests made by one user or role in a different user or role session.
- Check disabled accounts – Attempt to log in with a disabled account to identify security issues.
2. Use static analysis (Static code analysis)
Static code analysis is a widely used method of manual security testing, often performed as part of white-box testing or code review. This process identifies potential vulnerabilities and maintains secure code in the "static" (non-running) source code.
Static code analysis involves techniques such as:
- Data flow analysis – Examines how data moves through the code to identify potential vulnerabilities.
- Taint analysis – Tracks potentially harmful data as it moves through the system to find security issues.
Here's how it's done:
- Understanding the environment – Manual testers who are familiar with the operating environment and the application's users conduct the analysis. They understand the application's overall purpose and its individual functions.
- Using static analysis tools – These testers apply their knowledge to various static analysis tools that inspect the source code, documentation, and executables to find vulnerabilities without running the code.
3. Check server access controls
Web applications must balance user access with security to prevent data breaches or attacks. Here's how testers can check server access controls:
- Verify access points – Ensure all network access points are used only by authorized machines (IPs), applications, and users. Access should be tightly controlled.
- Test access restrictions – Attempt to access these points from various machines with both trusted and untrusted IP addresses to confirm access restrictions.
- Simulate real-time transactions – Perform a variety of transactions in bulk to assess the application's performance under load conditions.
- Check specific actions – Test if open access points allow users to perform actions securely. For example, you can upload a file exceeding the maximum size limit, attempt to upload a restricted file type, or try downloading data from a restricted site.
4. Inspect Ingress/Egress entry points
Testers must check network ingress and egress points to ensure no unauthorized traffic or information is exchanged with the host network.
Ingress Traffic includes all network traffic from external sources directed towards the host network, while Egress Traffic comprises all traffic originating from within the host network and directed toward external networks.
To test these points:
- Check ingress points – Attempt to send data from a restricted external network to the host network and verify whether the host network blocks or allows this traffic.
- Check egress points – When sending sensitive or confidential information from the host network to an authorized external network, block unauthorized data transfer.
5. Use password management
Effective password management is another quite important security testing technique, especially during manual testing. This technique involves using various methods to discover passwords and gain access to user accounts or systems.
How to test for efficient password management:
- Password policies – Ensure the web application or system enforces stringent password policies, such as requiring numerics, memorable characters, and passphrases. Weak policies can make it easy for attackers to brute-force passwords and gain unauthorized access.
- Encrypted storage – Verify that passwords are stored in an encrypted format. Unencrypted passwords are highly vulnerable to theft.
- Database security – Assess the database for vulnerabilities like SQL Injection, which attackers can exploit to steal information.
- Password cracking – Even if passwords are stored as hashes, they can still be cracked using tools like Brutus and RainbowCrack or manually guessing username/password combinations. It's essiential to test how resistant these hashed passwords are to such cracking attempts.
6. Leverage brute-force attacks
Brute-force attacks are a standard method for manually testing security.
A brute-force attack involves systematically guessing various password combinations until the correct one is found. Attackers use this method to gain access to sensitive information like passwords, usernames, and personal identification numbers. These attacks can lead to identity theft, unauthorized domain redirection to malicious sites, and other harmful activities.
There are 2 ways to test using brute-force attacks:
- Testing password strength – Security testers can use brute-force attacks to evaluate the strength of an application's encryption and the robustness of its passwords. For example, testers should attempt to log in with invalid passwords. A secure system should block the user after a limited number of failed login attempts.
- Multi-Factor authentication – If login attempts come from an unknown device or a suspicious network, the application should require multi-factor authentication (MFA). For example, sending a one-time password to the user's verified email or phone number or answering a security question set by the user.
7. Employ SQL injection (SQLi)
SQL Injection (SQLi) is a technique used to inject malicious SQL statements into an application, altering or extracting data from databases. It's one of the most dangerous, common, and oldest web application vulnerabilities, affecting any application that uses SQL databases like Oracle, SQL Server, MySQL, etc.
Manual testers can identify and prevent SQL injection vulnerabilities by following these steps:
- Identify entry points – Testers should identify parts of the application where SQL queries are directly performed on the database based on user inputs.
- Test user inputs – Input fields should be tested to see how the application handles special characters like single quotes (‘). If entering such characters causes a database error, it indicates a vulnerability, as the input is being directly included in an SQL query.
- Analyze error messages – Error messages shown in the browser can provide valuable information to attackers. If an input causes an error that reveals database structure or other sensitive information, it must be addressed immediately. These errors can help attackers extract data like usernames, passwords, and credit card numbers.
8. Don’t avoid Cross-site scripting (XSS)
In addition to SQL Injection, Cross-Site Scripting (XSS) is another critical vulnerability that testers look for during manual security testing. XSS is a client-side injection attack that executes malicious scripts in the victim's browser.
Malicious scripts injected through XSS can send the victim’s login credentials or session tokens to the attacker, log the victim’s keystrokes, or perform arbitrary actions on behalf of the victim.
Here are some tips on how to prevent XSS attacks:
- Validate user inputs – Ensure that input fields do not accept unvalidated user inputs.
- Encode outputs – Properly encode the output of input fields included in server responses to prevent malicious scripts from being executed.
- Apply input and output encoding – Consistently apply proper input and output encoding to safeguard against XSS attacks.
9. Be aware of URL manipulation
URL manipulation is a technique where attackers modify URL parameters to exploit applications. This involves changing the values in a URL to gain unauthorized access or perform malicious actions.
Examples:
Changing Path Segments:
- Original URL: http://example.com/user/profile/123
- Manipulated URL: http://example.com/user/profile/124
Modifying Query Parameters:
- Original URL: http://example.com/search?q=books
- Manipulated URL: http://example.com/search?q=admin
You can protect your application from URL manipulation by following these steps:
- Avoid sensitive information in URLs – Manual testers should check if the application includes sensitive information in the query string, as this can be easily manipulated.
- Test URL-Based inputs – Verify how the application processes URL-based inputs, particularly when using the HTTP GET method to transfer data between the server and client.
- Modify query parameters – Testers should attempt to change parameter values in the query string to see if the server accepts these modified values. If the server processes the altered parameters, it indicates a potential vulnerability.
- Check HTTP GET requests – Examine how user information is passed through HTTP GET requests. If a tester can manipulate these input variables, they might gain access to unauthorized information.
How can GAT help you?
Global App Testing (GAT) focuses on functional bug identification, payment testing, and UX issue resolution. While we don't provide traditional penetration testing, GAT can still enhance your app's security through:
- Scalable crowdsourced testing – We combine scalability with detailed analytics and a comprehensive testing suite, efficiently covering various devices, operating systems, and markets.
- A global network of testers – With over 90,000 professional testers worldwide, we ensure thorough testing under real-world conditions.
- Streamlined testing process – Clients set the testing tasks, which are then matched to appropriate testers. Real-time feedback and reports enable quick issue resolution.
- Quality assurance – We validate each bug report and feedback item for accuracy and relevance, providing actionable data for our clients.
Moreover, Global App Testing is dedicated to data integrity, availability, and confidentiality. We achieved ISO 27001 Certification in 2023, and our operations on AWS use advanced security architecture, robust encryption protocols, and authentication mechanisms to safeguard your data. If you are interested in finding out more about our services, let’s schedule a call today!
Keep learning
6 Penetration testing types to discover
7 Mobile app testing companies
10 Best performance testing tools