Questions tagged [security-testing]

The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, availability, authorization and non-repudiation.

Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Typical security requirements may include specific elements of confidentiality, integrity, authentication, availability, authorization and non-repudiation; which of these are actually tested depends on the requirements the system implements. Security testing as a term has a number of different meanings and can be carried out in a number of different ways, so a security taxonomy helps to understand these different approaches and meanings by providing a common baseline to work from.

70 questions
12 votes · 5 answers

Are there cross-platform tools to write XSS attacks directly to the database?

I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications. I've tried to run it on Mono, since my development platform…
Joachim Sauer · 302,674 · 57 · 556 · 614
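The question above describes a tool that writes XSS attacks straight into the database rather than through the application's forms. The following is an added example of that technique, written for this page; it is not the tool from the linked blog post (whose name the excerpt does not give). Every text cell of a disposable copy of the database is replaced with a probe that names its table, column and row, so that any page which later renders a stored value without output encoding can be traced back to the exact field. The SQLite schema and rows are constructed for the demo.

```python
"""Seed tagged XSS probes into every text column of a database.

Added example, not the tool from the blog post in the question. Run this
against a disposable copy of the database only: it overwrites data.
"""
import html
import re
import sqlite3

# Probe template; the tag is what makes a hit attributable to a field.
PROBE = '<script>alert("xss:{tag}")</script>'
TAG_RE = re.compile(r'<script>alert\("xss:([^"]+)"\)</script>')
# Declared types treated as text (SQLite column affinity rules: VARCHAR matches CHAR).
TEXT_TYPES = ("TEXT", "CHAR", "CLOB")


def text_columns(conn):
    """Return (table, column) for every text-affinity column in user tables."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    found = []
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _cid, name, decl_type, *_rest in conn.execute(
                f'PRAGMA table_info("{table}")').fetchall():
            if any(t in (decl_type or "").upper() for t in TEXT_TYPES):
                found.append((table, name))
    return found


def seed_probes(conn):
    """Overwrite every text cell with a tagged probe.

    Returns a map tag -> (table, column, rowid) used to attribute hits later.
    """
    index = {}
    for table, column in text_columns(conn):
        for (rowid,) in conn.execute(f'SELECT rowid FROM "{table}"').fetchall():
            tag = f"{table}.{column}.{rowid}"
            conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                         (PROBE.format(tag=tag), rowid))
            index[tag] = (table, column, rowid)
    conn.commit()
    return index


def find_hits(rendered_html, index):
    """Return the origin of every probe that survived rendering unencoded."""
    return [index[t] for t in TAG_RE.findall(rendered_html) if t in index]


def demo():
    """Seed a constructed database, render it two ways, report which fields leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio VARCHAR(200), age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "likes cats", 30), ("bob", "likes dogs", 41)])
    index = seed_probes(conn)
    rows = conn.execute("SELECT name, bio FROM users ORDER BY rowid").fetchall()
    # A template that forgets to encode (vulnerable) next to one that encodes.
    unsafe_page = "".join(f"<li>{name}</li>" for name, _ in rows)
    safe_page = "".join(f"<p>{html.escape(bio)}</p>" for _, bio in rows)
    return find_hits(unsafe_page + safe_page, index)


if __name__ == "__main__":
    for table, column, rowid in demo():
        print(f"unencoded output from {table}.{column} rowid {rowid}")
```

Only the `name` column shows up as a hit: the `bio` values went through `html.escape`, so the probe's angle brackets never reach the page as markup. In practice the "rendering" step is a crawl of the application with the seeded database behind it, and the tag in each alert tells you which stored field the template failed to encode.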
9 votes · 4 answers

Can SonarQube be used as a Static Application Security Testing (SAST) tool?

I'm looking for a Static Application Security Testing (SAST) tool and I can't afford the commercial products (e.g. Checkmarx). SonarQube is a great static code analysis tool but I notice that there are only a few rules of the "Vulnerabilities" type…
4 votes · 1 answer

OWASP's ZAP and the Fuzz ability

My scenario: I navigate to a login page. I put in a known username with a bad password. ZAP picks this up no issue. I select the POST to the login page. I find the lines that contain the Username and password. The…
James Craig · 473 · 3 · 9 · 22
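The scenario in the question above (intercept the login POST, mark the password value as the fuzz location, run a payload list) is what ZAP's Fuzz dialog automates. The following is an added example of the same positional fuzzing, written for this page and not taken from ZAP: the captured request, the wordlist and the response summaries are all constructed. It shows the two details that matter when doing this by hand, re-encoding the payload into the form body and recomputing Content-Length, and then the step that follows a fuzz run: picking out the response that does not look like every other failed login.

```python
"""Positional fuzzing of a captured login POST, as ZAP's Fuzz dialog does.

Added example, not ZAP's code. The request, wordlist and results below are
constructed for the demo.
"""
from collections import Counter
from urllib.parse import parse_qsl, urlencode

# Constructed capture of the intercepted POST (known username, bad password).
CAPTURED_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "username=alice&password=wrong1"
)

# Small constructed wordlist; in ZAP this would be a fuzz file.
PASSWORD_PAYLOADS = ["password", "Password1", "alice123", "' OR '1'='1", "summer2018"]


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    return request_line, headers, body


def build_request(request_line, headers, body):
    """Reassemble a request with Content-Length matching the new body."""
    headers = dict(headers)
    headers["Content-Length"] = str(len(body.encode("utf-8")))
    return (request_line + "\r\n"
            + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
            + "\r\n" + body)


def fuzz_field(raw, field, payloads):
    """Return one request per payload with `field` replaced and other fields untouched."""
    request_line, headers, body = split_request(raw)
    fields = parse_qsl(body, keep_blank_values=True)
    if field not in dict(fields):
        raise ValueError(f"field {field!r} not in body")
    requests = []
    for payload in payloads:
        # urlencode form-encodes the payload, so quotes and spaces survive intact.
        new_fields = [(k, payload if k == field else v) for k, v in fields]
        requests.append(build_request(request_line, headers, urlencode(new_fields)))
    return requests


def find_outliers(results):
    """Payloads whose (status, body length) pair differs from all the others.

    A failed login looks the same every time, so the response that does not
    is the one worth inspecting after the run.
    """
    counts = Counter((status, length) for _, status, length in results)
    return [payload for payload, status, length in results
            if counts[(status, length)] == 1]


# Constructed summaries of what the fuzzer got back: four rejections, one redirect.
SAMPLE_RESULTS = [
    ("password", 401, 1243),
    ("Password1", 401, 1243),
    ("alice123", 302, 0),
    ("' OR '1'='1", 401, 1243),
    ("summer2018", 401, 1243),
]

if __name__ == "__main__":
    for req in fuzz_field(CAPTURED_POST, "password", PASSWORD_PAYLOADS):
        print(req.split("\r\n")[-1])
    print("inspect:", find_outliers(SAMPLE_RESULTS))
```

The outlier check is deliberately crude (status code and body length) because that is what the fuzzer results table gives you at a glance; a lockout response that also differs in length would show up as an outlier too, which is the right behaviour, since it is also worth a look.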
4 votes · 1 answer

ZAP PROXY : security testing for REST API

Any help here will be greatly appreciated :) Wanted to check if anyone has used ZAPProxy for performing security testing on RESTful web services (API). I know this tool provides good out-of-the-box features for doing security testing on…
Girish · 1,981 · 3 · 17 · 18
3 votes · 2 answers

Paros Proxy detailed tutorials

Can anyone suggest where to find detailed tutorials on Paros Proxy, I mean how to test an application with Paros? The information provided on the site concerned is not enough, as it only suggests its use; I want something like how to put SQL injection or XSS etc.…
Subimal Sinha · 129 · 3 · 3 · 10
2 votes · 2 answers

Updated: Free tools for checking security vulnerabilities for rails app

I would like to know whether there are any free tools available which can be used to test security vulnerabilities in a rails app. I came across skipfish, which I found was not very intuitive in its report. Are there any similar tools…
leenasn · 1,466 · 10 · 16
2 votes · 1 answer

Can we single out an alert say "Web Browser XSS Protection Not Enabled" and rerun in ZAP Proxy

Context: We used OWASP Zed Attack Proxy version 2.7.0 to do vulnerability tests of an application. We got a few alerts and are working on the resolution. Problem: We wanted to single out an alert, say "Web Browser XSS Protection Not Enabled", and run…
arunvg · 1,209 · 1 · 20 · 31
2 votes · 3 answers

client failed to negotiate an ssl connection : no cipher suites in common -- burp suite

Unable to tamper with HTTPS requests using Burp Suite after importing the PortSwigger certificate. It gives the alert 'client failed to negotiate an ssl connection : no cipher suites in common'... whereas it works fine for HTTP requests. I have tried Internet…
zzz · 497 · 3 · 14 · 32
2 votes · 1 answer

How to perform an SQL injection test on an iOS app on a non-jailbroken iPhone 5?

I have been involved in security testing of iOS apps lately. The app is running on iOS on an iPhone 5. This app is similar to the "bookmyshow" app, where users can book events occurring at various places in the city. I need to perform SQL injection testing…
Python_Novice · 170 · 4 · 16
2 votes · 2 answers

Worklight Push Notification, and SecurityTest

I am using Worklight in my iOS and Android project. I am also using adapters, with on security test, and using adapter-based authentication. I want to use push notifications with user IDs received from the adapter-based authentication function. So I…
1 vote · 1 answer

trying to use mockMvc.perform(....content(someJson) to Test my Web-Application

When using mockMvc.perform to test my web application, I'm trying to use .content(someJson) to meet the requirements for the body. Unfortunately, when using .content it appears red with the error: Cannot resolve method 'content' in…
1 vote · 1 answer

How to Disable HTTP protocol for OPTIONS Verb?

In our application (deployed in IIS), we have enabled only HTTPS (disabled HTTP access). When accessing an API endpoint over the HTTP protocol with the OPTIONS verb, it returns a 200 OK response. How to fix?
1 vote · 1 answer

Using OWASP ZAP (and tools of the same purpose) on AWS EC2

I am currently planning to do some web application vulnerability testing on an EC2 server with OWASP ZAP. From my very quick google search, I found that AWS has stated that penetration testing services are allowed without approval…
1 vote · 2 answers

Can we use an existing OWASP ZAP Session to test for new release?

Currently, we have monthly releases. This month I have manually explored the application using OWASP ZAP and saved the session. In the next release, i.e. next month, can I use the same session to test the new release?
1 vote · 1 answer

Broken Authentication and Session Management

Using Firefox: I am authenticated with valid credentials; with ZAP proxy I capture the 302 response code and a valid cookie. Using Chrome: I provide wrong credentials and replace the response with the captured 302 response containing the valid…