How to test a web application for security?
I conducted integration testing for 2 weeks and found 200+ errors. Then they told me to test for security. Unfortunately, I had no experience with security testing. I tried sticking XSS into the fields. I read the description for Burp and tested with it for a couple of days. I couldn't find any errors, but I'm 100% sure there are some. Actually, the question is: has anyone come across good, detailed, systematized material on how to "hack a site"? In particular, I'm interested in how to forge requests and steal cookies from users.
I think this material will be very useful.
As a beginner, you should still use security scanners: Acunetix, Netsparker, w3af
To send requests, you can use both cURL and Burp; Acunetix also has such functionality.
To understand how to steal cookies, you need to understand XSS and cookie attack scenarios.
All this is suitable for black-box testing; if you have the code, check it for best practices.
The description covers your task. For a more detailed analysis, please contact the experts. ;-)
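The answer above points at XSS and cookie attack scenarios; the checks a tester would actually run against a response are the mitigations for those scenarios. The following is an added example (not code from the answerer): it audits constructed `Set-Cookie` headers for the attributes that limit cookie theft and CSRF, and checks whether a harmless marker sent as input comes back HTML-encoded. The header values, marker and bodies are constructed samples, not from any real site.

```python
from typing import Dict, List

# Constructed sample Set-Cookie headers, as seen in a Burp response tab.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember=yes; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "csrftoken=tok; Path=/; Secure",
]

# HttpOnly keeps the cookie out of document.cookie (limits XSS theft),
# Secure keeps it off plaintext HTTP, SameSite limits cross-site requests.
REQUIRED_ATTRS = ("httponly", "secure", "samesite")


def audit_set_cookie(header_values: List[str]) -> Dict[str, List[str]]:
    """Return, per cookie name, the protective attributes it is missing.

    Cookies that carry all of REQUIRED_ATTRS are not reported.
    """
    findings: Dict[str, List[str]] = {}
    for raw in header_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        # Attribute names are case-insensitive; values (e.g. SameSite=Lax) are dropped.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        missing = [a for a in REQUIRED_ATTRS if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Harmless marker: no markup of its own, only used to see whether the
# application echoes "<marker>" back without HTML-encoding the brackets.
MARKER = "zz7qTEST"


def reflected_unescaped(body: str, marker: str = MARKER) -> bool:
    """True if "<marker>" appears verbatim in the response body.

    An encoded echo ("&lt;marker&gt;") means the output is escaped and
    is not reported; a verbatim echo is the finding to write up.
    """
    return f"<{marker}>" in body


if __name__ == "__main__":
    print(audit_set_cookie(SAMPLE_SET_COOKIE))
    print(reflected_unescaped("<p>Hello <zz7qTEST></p>"))
```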
Above, it was correctly advised to read the OWASP Testing Guide first. As a last resort, articles on Habr :)
Of the scanners, I can also recommend Arachni, X-Spider, detectify.com, and metascan.ru. The latter writes in its reports how to exploit XSS and how to fix it.
In general, use ready-made solutions when time is running out; you will find the most common mistakes.