
Introduction to Web Security Testing and Common Vulnerabilities

This article introduces web security testing, explains why it is essential, describes common vulnerabilities such as weak passwords, XSS, CSRF, SQL injection, authorization bypass, and file upload issues, and offers practical prevention measures and testing guidelines for developers and testers.

政采云技术

1. What Is Security Testing

Security testing is the process of verifying whether a software product meets defined security requirements throughout its lifecycle, essentially discovering software security flaws to protect data and functionality.

A comprehensive web security testing framework can address deployment and infrastructure, input validation, authentication, authorization, configuration management, sensitive data handling, session management, encryption, parameter manipulation, exception handling, and audit/logging.

2. Why Perform Security Testing

Web applications are increasingly widespread, making security threats more apparent. Thorough security testing uncovers existing or potential vulnerabilities and strengthens the system against illegal intrusion.

Common Security Vulnerabilities

1. Login‑Related Vulnerabilities

Weak passwords: Simple passwords like "123456" can be cracked by brute-force attacks.

Overly specific error messages: Login failures should return a generic "username or password incorrect" message rather than indicating which field is wrong.

No limit on failed attempts: After repeated failures, a captcha or lockout should be enforced to prevent brute-force attacks.

Missing session validation: Session identifiers must change after login and logout.

Captcha handling: Captchas should refresh automatically after a failed login, expire after a time limit, and be validated together with the username and password.
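The login rules above put together in one handler, as an added example that is not code from the original article: a generic error message for every failure cause, a per-account failure counter with a timed lockout, and a session identifier that is replaced on login and destroyed on logout. The user store, the limits and the `now` parameter (which makes the lockout testable without waiting) are assumptions for the example.

```python
import secrets
import time

MAX_FAILURES = 5         # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 300    # how long the lock lasts
GENERIC_ERROR = "username or password incorrect"

# Constructed user store. Passwords are plain here only to keep the example
# short; a real system stores salted password hashes.
USERS = {"alice": "Str0ng!Passphrase"}

failures = {}   # username -> (count, time of first failure in this window)
sessions = {}   # session_id -> username


def _locked(username, now):
    count, since = failures.get(username, (0, now))
    return count >= MAX_FAILURES and now - since < LOCKOUT_SECONDS


def login(username, password, old_session_id=None, now=None):
    """Return (session_id, error). The error text is the same whether the
    username is unknown, the password is wrong or the account is locked, so
    the response never reveals which field failed."""
    now = time.time() if now is None else now
    if _locked(username, now):
        return None, GENERIC_ERROR
    stored = USERS.get(username)
    # compare_digest keeps the comparison time independent of the content.
    if stored is None or not secrets.compare_digest(stored, password):
        count, since = failures.get(username, (0, now))
        if now - since >= LOCKOUT_SECONDS:   # window expired: count afresh
            count, since = 0, now
        failures[username] = (count + 1, since)
        return None, GENERIC_ERROR
    failures.pop(username, None)
    # Rotate the session identifier on login: any pre-login id is discarded,
    # so an id planted or observed before authentication is worthless.
    sessions.pop(old_session_id, None)
    new_id = secrets.token_urlsafe(32)
    sessions[new_id] = username
    return new_id, None


def logout(session_id):
    """Invalidate the session so the identifier cannot be reused afterwards."""
    return sessions.pop(session_id, None) is not None
```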

2. Cross‑Site Scripting (XSS)

Principle: An attacker injects malicious script code into a web page; when a user views the page, the script executes in that user's browser.

Types:

Stored XSS – malicious data is saved on the server and executed when the page renders.

Reflected XSS – malicious script is reflected in the URL and executed after the server processes the request.

DOM‑based XSS – the attack occurs entirely in the browser by manipulating the DOM.

Differences:

Stored XSS resides on the server and does not pass through the database.

Reflected XSS appears in the URL, passes through the server and database.

DOM XSS is a client‑side JavaScript issue without server involvement.

Prevention: Apply both input validation and output encoding. Validate length, type, syntax, and business rules for all inputs, and escape HTML, JavaScript, CSS, and URLs on output.
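Output encoding per context, as an added example that is not code from the original article: the same untrusted value is rendered into an HTML element, a URL parameter and a JavaScript string literal, and each context gets its own encoder, beside the unencoded template that has the defect the article describes. The page template and the function names are assumptions.

```python
import html
import json
from urllib.parse import quote


def encode_for_html(value):
    """Untrusted text placed in an element body or a quoted attribute."""
    return html.escape(value, quote=True)


def encode_for_js(value):
    """Untrusted text embedded as a string literal inside a <script> block.
    json.dumps quotes and escapes the string; '<' and '&' are additionally
    escaped so a value such as '</script>' cannot close the block early."""
    return json.dumps(value).replace("<", "\\u003c").replace("&", "\\u0026")


def encode_for_url_param(value):
    """Untrusted text placed in a query-string parameter of a URL."""
    return quote(value, safe="")


def render_profile_unsafe(display_name, search_term):
    # The defect the article describes: raw input concatenated into markup.
    return (f"<h1>Hello, {display_name}</h1>\n"
            f'<a href="/search?q={search_term}">search again</a>\n'
            f'<script>var last = "{search_term}";</script>')


def render_profile(display_name, search_term):
    # Assumed page template: the same untrusted values land in three
    # different contexts, and each one gets the encoder for that context.
    return (f"<h1>Hello, {encode_for_html(display_name)}</h1>\n"
            f'<a href="/search?q={encode_for_url_param(search_term)}">'
            "search again</a>\n"
            f"<script>var last = {encode_for_js(search_term)};</script>")
```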

3. Cross‑Site Request Forgery (CSRF)

Principle: An attacker tricks a logged-in user's browser into sending requests the user never intended (for example sending email or messages, taking over the account, or making purchases), and the site treats them as the victim's own actions.

Typical CSRF attack steps:

User logs into a trusted site A, receiving a session cookie.

Without logging out, the user visits a malicious site B that triggers unauthorized requests to site A.

Defenses:

Validate the HTTP Referer header.

Implement anti‑CSRF tokens.

Use captchas for sensitive actions.

Prefer POST over GET for state‑changing operations.

Employ double‑cookie verification.
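Two of the defenses above combined in one state-changing handler, as an added example that is not code from the original article: an anti-CSRF token bound to the session with an HMAC, a Referer check against the site's own origin, and a POST-only rule. The server key, the origin and the shape of the `request` dict are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from
# configuration, never from source code.
SERVER_KEY = b"constructed-example-key-rotate-me"
ALLOWED_ORIGIN = "https://shop.example"   # assumed origin of site A


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(key, session_id:nonce). Binding the MAC to the
    session id means a token captured from one session is useless in
    another, and the server needs no per-token storage."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False        # missing or malformed token
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request, session_id):
    """State-changing handler. `request` is a constructed dict with keys
    method, headers and form; `session_id` comes from the session cookie.
    The cookie alone proves nothing, because a page on site B makes the
    browser attach it automatically; the token in the form body is what
    site B cannot read."""
    if request["method"] != "POST":
        return 405, "state changes must use POST"
    referer = request["headers"].get("Referer", "")
    if not referer.startswith(ALLOWED_ORIGIN + "/"):
        return 403, "unexpected Referer"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "invalid CSRF token"
    return 200, f"transferred {request['form']['amount']}"
```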

4. SQL Injection

Principle: An attacker injects malicious SQL fragments through a web form field, causing the server to execute a query it did not intend.

Example:

Normal query:

select * from table_user where username = 'xxx';

Malicious query that returns all users:

select * from table_user where username = 'xxx' or '1'='1';

Because the condition '1'='1' is always true, the query bypasses the username filter and returns the entire table.
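The two queries above run against a constructed in-memory SQLite table, as an added example that is not code from the original article: the concatenating version returns every row for the input from the article, and the parameterised version, which is the standard fix, returns none because the value is compared literally. The table contents are made up for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with the article's table_user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table_user (username text, role text)")
    conn.executemany("insert into table_user values (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # The defect from the article: the value is concatenated into the SQL
    # text, so a quote inside it changes the statement's structure.
    sql = "select * from table_user where username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the value travels separately from the SQL text
    # and is compared literally, quotes included, so it never becomes SQL.
    return conn.execute("select * from table_user where username = ?",
                        (username,)).fetchall()
```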

5. Authorization Bypass (Privilege Escalation)

Principle: A user can act on resources they should not be allowed to access because permission checks are missing or flawed.

Categories:

Horizontal privilege escalation – accessing data of other users with the same role.

Vertical privilege escalation – accessing functions or data reserved for higher‑privilege roles.

Cross privilege escalation – a combination of horizontal and vertical.

Prevention:

Implement dual validation on both front‑end and back‑end.

Enforce strict authentication and authorization checks before critical operations.

Require re‑authentication for highly sensitive actions.

Validate and sanitize all user‑controlled parameters.
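Back-end checks for the two escalation categories, as an added example that is not code from the original article: a horizontal check that compares an order's owner with the identity from the server-side session rather than with a user id from the request, and a vertical check that requires the admin role before a privileged operation. Users, roles and orders are constructed data.

```python
ROLE_LEVEL = {"user": 1, "manager": 2, "admin": 3}

# Constructed data: user -> role, and orders with their owners.
USERS = {"alice": "user", "bob": "user", "root": "admin"}
ORDERS = {101: {"owner": "alice", "total": 50},
          102: {"owner": "bob", "total": 80}}


class Forbidden(Exception):
    pass


def require_role(actor, minimum):
    """Vertical check: the actor's role must rank at least `minimum`."""
    if ROLE_LEVEL.get(USERS.get(actor), 0) < ROLE_LEVEL[minimum]:
        raise Forbidden(f"{actor} lacks role {minimum}")


def get_order(actor, order_id):
    """Horizontal check. `actor` is the identity from the server-side
    session, never a user id taken from the request, which is exactly the
    parameter that gets tampered with. Missing and foreign orders get the
    same response so the reply does not reveal whether an id exists."""
    order = ORDERS.get(order_id)
    is_admin = ROLE_LEVEL.get(USERS.get(actor), 0) >= ROLE_LEVEL["admin"]
    if order is None or (order["owner"] != actor and not is_admin):
        raise Forbidden(f"order {order_id} not found or not permitted")
    return order


def delete_user(actor, target):
    """Admin-only operation: the back-end check holds even when the
    front-end hides the button, since requests can be sent without the UI."""
    require_role(actor, "admin")
    USERS.pop(target, None)
    return True
```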

6. File Upload/Download Vulnerabilities

Principle:

File upload: missing file-type validation, or an upload directory that permits execution, lets attackers upload scripts that the server then runs.

File download: predictable download URLs, or download paths built from user input, let attackers retrieve arbitrary files such as configuration files.

Prevention:

Store uploaded files in non‑executable directories.

Validate file type using MIME types and whitelist extensions; optionally process images to strip embedded code.

Rename files with random identifiers and paths to increase attack cost.
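The upload and download measures above in code, as an added example that is not code from the original article: an extension whitelist checked together with the declared MIME type and the file's leading magic bytes, a random stored name, and a download resolver that refuses paths escaping the upload root. The allowed types and the storage root are assumptions, and the example returns the target path instead of writing to disk.

```python
import os
import secrets

# Allowed types: canonical extension -> (leading magic bytes, MIME type).
ALLOWED = {"png": (b"\x89PNG\r\n\x1a\n", "image/png"),
           "jpg": (b"\xff\xd8\xff", "image/jpeg"),
           "pdf": (b"%PDF-", "application/pdf")}
# Assumed storage root: outside the web root and mounted without execute
# permission, so nothing stored here can be served as a script.
UPLOAD_ROOT = "/var/app/uploads"


def validate_upload(filename, declared_mime, data):
    """Return the canonical extension, or None to reject. Extension, declared
    MIME type and the content's magic bytes must all agree, so a '.php' name
    or a PNG extension on non-image bytes is refused."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in ALLOWED:
        return None
    magic, mime = ALLOWED[ext]
    if declared_mime != mime or not data.startswith(magic):
        return None
    return ext


def store_upload(filename, declared_mime, data, root=UPLOAD_ROOT):
    """Return the path the file would be written to. The client's name is
    never used: a random name defeats guessable download URLs and makes any
    path components in the original name irrelevant."""
    ext = validate_upload(filename, declared_mime, data)
    if ext is None:
        raise ValueError("upload rejected")
    # A real handler writes `data` to this path; the example stays
    # filesystem-free and only returns it.
    return os.path.join(root, secrets.token_hex(16) + "." + ext)


def resolve_download(name, root=UPLOAD_ROOT):
    """Map a client-supplied file name to a path strictly inside `root`,
    rejecting traversal such as '../../etc/passwd'."""
    full = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes the upload root")
    return full
```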

What We Can Do

Security testing is broad; to start integrating it into daily development, consider the following recommendations.

1. Cultivate Proactive Security Awareness During Version Testing

Functional testing simulates normal user behavior, whereas security testing simulates malicious actions. For example, a malicious user might publish a product linked to an unauthorized agreement, modify another supplier’s price, or bypass front‑end validation to inject illegal data.

2. Conduct Comprehensive Web Security Testing

Assess the system from multiple angles:

Deployment & infrastructure – secure communication, firewall topology.

Input validation – identify entry points, trust boundaries, and validate all inputs.

Authentication – distinguish public vs. restricted access and verify caller identity.

Sensitive data – ensure confidential information is stored securely.

Parameter handling – validate all parameters and avoid transmitting sensitive data in URLs.

Exception management – use structured handling and avoid exposing internal details.

3. Use Dedicated Security Testing Tools

Tools such as OWASP ZAP and Burp Suite help capture and modify HTTP requests, enabling the simulation of malicious scenarios that bypass front‑end checks. Automated scanners can also detect classic vulnerabilities, though business‑specific risks still require manual investigation.


Written by

政采云技术

ZCY Technology Team (Zero), based in Hangzhou, is a growth-oriented team passionate about technology and craftsmanship. With around 500 members, we are building comprehensive engineering, project management, and talent development systems. We are committed to innovation and creating a cloud service ecosystem for government and enterprise procurement. We look forward to your joining us.
