Database security testing is conducted to find loopholes in the security mechanisms and to determine how vulnerable or fragile the database system is.
The main objective of database security testing is to find vulnerabilities in a system and to decide whether its data and resources are safeguarded from potential intruders. When performed systematically, security testing establishes a way to recognize potential vulnerabilities effectively.
Below are the major objectives of performing database security testing −
SQL Injection
This is the most common variety of attack on a database system: malicious SQL statements are introduced into the database system and executed in order to obtain critical data from it. The attack takes advantage of loopholes in the implementation of user applications. To avoid it, user input fields must be handled carefully.
Privilege Elevation in Database
In this attack, a user who already has some access to the database system attempts to raise that access to a higher level so that they can carry out illegal activities in the database system.
Denial of Service
In this type of attack, the attacker makes an application resource or the database system inaccessible to its authorized users. Applications may also be attacked in ways that render the application, and in some cases the whole machine, useless.
Unauthorized Access to Data
Another type of attack is gaining illegal access to data inside an application or database system. Unauthorized access involves −
Identity Spoofing
In identity spoofing, a hacker uses a user's credentials or device to launch attacks against network hosts, steal data or bypass access controls to the database system. Averting this attack requires IT-infrastructure and network-level mitigations.
Data Manipulation
In a data manipulation attack, a hacker alters data to gain some advantage or to damage the reputation of the database owners.
Penetration Testing
A penetration test is an attack on a computer system with the purpose of finding security loopholes, potentially gaining access to the system, its data and its functionality.
Risk Finding
Risk finding is the process of evaluating and deciding on the risk involved, in terms of the type of loss and the likelihood that a vulnerability will be exploited. This is decided within the organization through discussions, interviews and analysis.
SQL Injection Test
It involves verifying the user inputs in application fields. For instance, entering a special character such as ‘,’ or ‘;’ in any text field of a user application must not be permitted. When a database error occurs, it means that the input given by the user has been inserted into some query, which is then executed by the application. In such a scenario, the application is vulnerable to SQL injection.
SQL injection attacks are a huge risk to data, as attackers can gain access to crucial information from the server database. To verify the SQL injection entry points of your web application, locate the code in your code base where direct MySQL queries are executed on the database using user input.
SQL injection testing can be performed with brackets, commas and quotation marks.
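The test described above, as an added example that is not part of the original page: an in-memory SQLite table (constructed sample data; the page talks about MySQL, SQLite just keeps it runnable offline) is queried once by a lookup that concatenates user input into the SQL text and once by a parameterized lookup, and each of the page's probe characters (quotes, brackets, commas, semicolons) is fed to both. A database error on a probe is the symptom the page says marks the field as vulnerable.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation: user input lands in the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the driver binds the value, so it can never alter the query."""
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


# The special characters the page says a test should feed into every text field.
# Only the single quote can close the string literal in the concatenated query;
# the others stay inside the literal and produce no error on their own.
PROBES = ["'", '"', ";", ",", "(", ")"]


def probe(lookup, payload):
    """Return 'db_error' if the payload breaks the query, else 'ok'."""
    conn = make_db()
    try:
        lookup(conn, payload)
        return "ok"
    except sqlite3.DatabaseError:
        return "db_error"
    finally:
        conn.close()


def run_injection_test(lookup):
    """Map each probe to its outcome; any 'db_error' flags the field as vulnerable."""
    return {p: probe(lookup, p) for p in PROBES}


if __name__ == "__main__":
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(label, run_injection_test(fn))
```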
Password Cracking
This is the most crucial test in database system testing. In order to access critical information, hackers may use a password-cracking tool or may guess a common username/password. Lists of common passwords are freely available on the internet, and password-cracking tools are freely available as well.
Therefore, it is mandatory to verify during testing whether the password policy is properly maintained in the system. For banking and finance applications, it is necessary to set a strict password policy on all database systems holding critical information.
Security Audit of Database System
A security audit is a process of assessing the company's security policies at regular intervals to make sure the necessary standards are being followed. Different security standards can be adopted according to business need to define the security policy, and the policies in place should then be assessed against those standards.
ISO 27001, BS15999, etc. are some examples of the most common security standards.
There are various system testing tools on the market that can be employed to test the OS and the application. A few of the most common tools are discussed here.
Zed Attack Proxy
It is a penetration-testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. It is usually used on Windows, Linux and Mac OS.
All HTTP and HTTPS data between server and client, along with cookies and form fields, can be intercepted and altered with these scanners. It is cross-platform and requires Java JRE/JDK 1.4.2 or above.
Social Engineer Toolkit
It is an open source tool that targets human elements instead of system elements. It lets you send Java applets, emails etc. containing the attack code. It is available for Linux, Apple Mac OS X and Microsoft Windows.
This tool is employed to scan sites for vulnerabilities. The reports created by the tool serve as a basis for professional web application security assessments. It is available for Linux, FreeBSD, MacOS X and Windows.
It is an open source, multiplatform web security tool that is employed to find instances of cross-site scripting (XSS), SQL injection and other vulnerabilities in web applications. It is available for Java, Linux and Windows.
Wapiti is an open source, web-based tool which scans the web pages of the web application and checks for scripts and forms to find where it can insert data. It is built with Python and is able to detect file handling errors, XSS, database, LDAP and CRLF injections, and command execution.
It is written in Java and is employed for inspecting applications that interact via the HTTP/HTTPS protocols. This tool is mainly designed for developers who can write the logic themselves. This tool is not OS dependent.