Manual Security Testing - How To Run It & Best Practices

According to Security Magazine, there are approximately 2,220 cyberattacks daily, totaling over 800,000 attacks annually. While automated security testing tools can effectively uncover many common vulnerabilities, they frequently overlook specific issues that can only be identified through manual testing.

In this article, we will explain how to conduct manual security testing, outline best practices, and provide relevant examples. Let’s dive in!

We can help you drive manual testing as a key initiative aligned to your business goals

What is manual security testing?

Manual security testing is when security experts assess and identify system, application, or network vulnerabilities. Unlike automated tools, manual testing involves a tester using their skills and experience to explore potential security weaknesses, such as misconfigurations, logic flaws, or coding errors that automated scans may not detect.

For example, testers simulate real-world attack scenarios during manual security testing to evaluate how well a system can withstand potential threats. This testing approach allows you to get a more detailed inspection of the system’s security posture, focusing on business logic, authentication flows, and access control, which require human judgment and creativity to identify vulnerabilities.

security-testing-importance

Types of manual security testing

Manual security testing includes several types, such as:

API security testing: Uncovers vulnerabilities in APIs that may allow unauthorized access or data exposure. It focuses on issues like injections, man-in-the-middle (MiTM) attacks, and improper authorization controls.
Application security testing: Identifies vulnerabilities in software applications across their development lifecycle.
Web application security testing: Finds vulnerabilities in web applications, including issues related to user authentication, data protection, and risks like SQL injection or cross-site scripting (XSS).
Penetration testing (Ethical hacking): Simulates real-world attacks to find system vulnerabilities. Ethical hackers attempt to breach systems under controlled conditions without causing harm.

manual-security-testing

Security testing principles

Here are some key security testing principles:

Confidentiality: Ensures data is protected from unauthorized access.
Integrity: Ensures data remains accurate and unaltered.
Availability: Ensures systems are accessible when needed.
Authentication: Verifies user identity before access.
Authorization: Grants permissions based on user roles.
Non-repudiation: Prevents denial of performed actions.
Least privilege: Grants minimal access required for tasks.
Defense in depth: Uses multiple security layers.
Risk-based testing: Focuses on high-risk areas first.
Trust but verify: Validates security even when trusted.

security-testing-principles

How do you run manual security testing?

Define the scope: Identify what systems, applications, or networks will be tested and establish the testing goals and boundaries.
Gather information: Collect data about the target system’s architecture, technologies, and potential entry points.
Identify vulnerabilities: Inspect the system for weaknesses such as misconfigurations, insecure coding, or flawed authentication mechanisms.
Map attack vectors: Outline all possible ways an attacker could exploit the system based on the identified vulnerabilities.
Prioritize vulnerabilities: Rank vulnerabilities by potential impact and likelihood of exploitation to focus efforts.
Exploit vulnerabilities: Simulate attacks to exploit weaknesses and assess how exposed the system is.
Test for business logic flaws: Check workflows like authentication or transaction processes for logic errors that could be exploited.
Verify security controls: Assess the effectiveness of encryption, two-factor authentication, and access restrictions.
Report findings: Document the vulnerabilities, the methods used to exploit them, and recommend fixes.
Retest and validate fixes: After fixes are applied, test the system again to ensure the vulnerabilities are resolved.
Ongoing monitoring: Recommend periodic testing after system changes to detect new vulnerabilities.

Manual security testing best practices

Let’s go through manual security testing best practices.

1. Monitor access control management

Test how the system manages user permissions and role-based access control to ensure that each user can only access the data and functions allowed for their specific role. Access controls must be enforced correctly to prevent unauthorized actions.

Test for role escalation: Verify that users cannot escalate their privileges through URL manipulation or session hijacking.
Audit logs: Ensure that any access attempts are logged for future audits.

Example:
Verify that a regular user cannot escalate privileges to an admin level by manipulating session tokens or accessing restricted APIs.

2. Dynamic analysis (Penetration testing)

Perform real-time tests on running applications to simulate external attacks. This method identifies vulnerabilities during application runtime that static analysis can miss.

Simulate real attacks: Use techniques like SQL injection, XSS, and CSRF (Cross-Site Request Forgery).
Analyze response: Examine how the application responds to attacks and whether it properly handles unexpected input.

Example:
Attempt to bypass authentication by injecting payloads into login fields or try to access hidden pages that should be restricted to specific users.

3. Static analysis (Static code analysis)

Review the application’s source code to identify security flaws such as hardcoded credentials or weak cryptographic implementations. This analysis helps catch vulnerabilities early in the development cycle.

Identify weaknesses: Consider issues like insufficient input validation, outdated libraries, and insecure configurations.
Code quality: Ensure adherence to coding standards that promote security best practices.

static-code-analysis

Example:
Scan the code to find places where input validation is missing or improperly implemented, leaving the system open to injection attacks.

4. Check server access controls

Verify that the server properly restricts access based on IP addresses, user roles, and other parameters. This practice ensures that sensitive areas are adequately protected against unauthorized access.

IP whitelisting: Check if access is allowed only from specific IP ranges.
Firewall rules: Test the effectiveness of firewall settings in preventing unauthorized access.

Example:
Attempt to access a secure server from an unapproved location or use an account with minimal privileges to check if it can reach sensitive directories or services.

5. Ingress/Egress/Entry points

Test all external entry points, such as APIs, web forms, and login interfaces, for vulnerabilities. Understanding how data enters and exits the system is crucial for identifying potential attack vectors.

API security: Check APIs for common vulnerabilities like lack of authentication or improper validation.
Form input: Inspect forms to validate and sanitize user inputs.

egress-ingress-traffic

Example:
Test an API endpoint by sending malformed or oversized requests to check for denial-of-service vulnerabilities or injection attacks.

6. Session management

Assess how the system manages user sessions, including session expiration, session ID generation, and handling of concurrent logins. Furthermore, proper session management helps protect against session hijacking and fixation.

Session timeout: Verify that sessions expire after a period of inactivity.
Session ID rotation: Check if the system rotates session IDs after login to prevent fixation attacks.

Example:
Attempt session fixation attacks or hijack session tokens by inspecting the application’s cookies and other session-related data.

7. Password management

Test password policies, such as complexity requirements, password reset mechanisms, and storage practices. Strong password management is vital for protecting user accounts.

Password policies: Ensure passwords meet complexity requirements (length, character types).
Storage practices: Verify that passwords are hashed securely using algorithms like bcrypt or Argon2.

password-management

Example:
Check whether weak passwords can be used, whether passwords are stored securely (hashed), and whether password reset links properly expire after use.

8. Brute-force attacks

Simulate brute-force attacks by trying multiple login attempts with automated scripts to check if the system properly limits failed login attempts or blocks repeated requests from a single IP address.

Account lockout: Ensure that accounts are temporarily locked after a specified number of failed login attempts.
Captcha implementation: Test for the presence of CAPTCHA mechanisms to mitigate automated login attempts.

brute-force-attack-example

Example:
Test whether account lockout mechanisms are in place after multiple failed logins.

9. SQL injection

Attempt to inject SQL queries into input fields like login forms or search boxes to check if the application sanitizes user inputs properly. SQL injection still remains one of the most common and dangerous vulnerabilities.

Testing variants: Use various payloads to explore different SQL injection vectors (e.g., UNION SELECT, OR '1'='1').
Database exposure: Check if the application can return sensitive data from the database.

sql-injection-attack-example

Example:
Enter '; DROP TABLE users; -- into a login field and check if the application executes or rejects the query.

10. Cross-site scripting (XSS)

Test whether the application properly sanitizes user inputs to prevent XSS attacks. This vulnerability allows attackers to inject malicious scripts into web pages.

Stored XSS: Check if data submitted by users can be stored and executed in other users' browsers.
Reflected XSS: Test if user inputs can lead to scripts executing immediately upon page load.

cross-site-scripting-example

Example:
Inject a script like <script>alert('XSS')</script> into a comment form and check if the script gets executed when another user views the comment.

11. URL manipulation

Check if users can modify URLs to gain unauthorized access to restricted areas. URL manipulation is a common tactic for bypassing security measures.

Parameter tampering: Attempt to change query parameters to access unauthorized resources.
Access control checks: Verify that changing URL parameters do not expose sensitive information or actions.

Example:
Try changing a URL parameter like user=123 to user=456 and see if it allows access to another user’s profile or account information.

12. Specify high-risk functions

Identify and focus on testing functions with high-security risks, such as payment gateways, authentication mechanisms, and file uploads. High-risk functions are critical points where security can fail.

Payment processes: Test for vulnerabilities in payment gateways, ensuring data is encrypted and securely transmitted.
File upload features: Verify that file uploads have restrictions on file types and sizes to prevent malicious uploads.

Example:
Perform extensive tests on the file upload feature to ensure malicious files cannot be uploaded and executed on the server.

Manual vs. Automated security testing

Here's a comparison table highlighting the key differences between manual and automated security testing:

manual-vs-automated-security-testing

Conclusion

In conclusion, manual security testing is crucial for identifying complex vulnerabilities that automated tools might miss. Understanding the steps needed to perform effective testing and knowing the various types available are fundamental for any security professional.

Moreover, applying best practices enhances the thoroughness and accuracy of the assessment. One significant advantage of manual testing is the ability to harness human intuition and creativity, allowing testers to think like attackers and discover unique vulnerabilities.

How can we assist?

Global App Testing (GAT) specializes in functional bug identification, payment testing, and resolving UX issues. While we do not offer traditional penetration testing, we can still enhance your app's security through:

Scalable crowdsourced testing: We provide a blend of scalability, detailed analytics, and a comprehensive testing suite to effectively cover a range of devices, operating systems, and markets.
A global network of testers: With over 90,000 professional testers worldwide, we ensure thorough testing in real-world conditions.
Streamlined testing process: Clients define the testing tasks we match with suitable testers. This process facilitates real-time feedback and reporting for swift issue resolution.
Quality assurance: Each bug report and feedback item is validated for accuracy and relevance, delivering actionable insights for our clients.

Global App Testing is committed to maintaining data integrity, availability, and confidentiality. We achieved ISO 27001 Certification in 2023, and our AWS operations utilize advanced security architecture, robust encryption protocols, and authentication mechanisms to protect your data. If you want to learn more about our services, let’s schedule a call today!