Database Testing Security - Database Testing

What is Database Testing - Security?

Database security testing is conducted to find loopholes in the security mechanisms of a database system and to assess how vulnerable the system is to attack.

The main objective of database security testing is to find vulnerabilities in a system and to decide whether its data and resources are safeguarded from potential intruders. When performed systematically, security testing establishes a repeatable way to recognize potential vulnerabilities.

Below are the major objectives (the security properties to verify) of database security testing −

  • Authentication
  • Authorization
  • Confidentiality
  • Availability
  • Integrity
  • Resilience

What are the Types of Threats on a Database System?

SQL Injection

This is the most common kind of attack on a database system: malicious SQL statements are introduced through application input and executed by the database in order to extract critical data. The attack exploits loopholes in the implementation of the user application, typically queries that are built by concatenating untrusted input into the SQL text. To avoid it, user input fields must be handled carefully and queries must be parameterized rather than assembled from strings.

Privilege Elevation in Database

In this attack, a user who already has some access to the database system attempts to raise that access to a higher level (for example, from an application account to a database administrator role) so that the user can perform actions in the database system that are not permitted.

Denial of Service

In this type of attack, the attacker makes an application resource or the database system inaccessible to its authorized users, for example by exhausting connections, CPU or storage. Applications may also be attacked in ways that render the application, and in some cases the whole machine, useless.

Unauthorized Access to data

Another type of attack is gaining unauthorized access to data inside an application or database system. Unauthorized access includes −

  • Unauthorized access to data via user-facing applications
  • Unauthorized access by monitoring the access of others (for example, sniffing unencrypted database traffic)
  • Unauthorized access by reusing client authentication information (captured credentials or session tokens)

Identity Spoofing

In identity spoofing, an attacker uses a legitimate user's credentials or device to launch attacks against network hosts, steal data or bypass access controls to the database system. Averting this attack requires controls in the IT infrastructure and mitigations at the network level.

Data Manipulation

In a data manipulation attack, an attacker alters data to gain some advantage or to damage the reputation of the database owners.

What are Database Security Testing Techniques?

Penetration Testing

A penetration test is a simulated attack on a computer system with the purpose of finding security loopholes and, potentially, gaining access to the system, its data and its functionality.

Risk Finding

Risk finding (risk assessment) is the process of evaluating and determining the risk involved, in terms of the type of loss and the likelihood that a vulnerability is exploited. It is decided within the organization through discussions, interviews and analysis.

SQL Injection Test

It involves verifying how user input in application fields is handled. For instance, entering a special character such as a quotation mark (') or a semicolon (;) in any text field of a user application must not break the underlying query. If a database error occurs, it means the input given by the user is being inserted directly into some query, which is then executed by the application. In such a scenario, the application is vulnerable to SQL injection.

SQL injection attacks are a huge risk to data, as attackers can gain access to crucial information from the database server. To locate SQL injection entry points in your web application, search the code base for places where SQL queries are built directly from user input and executed against the database.

SQL injection testing should be performed at least with brackets, commas, quotation marks and semicolons.
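As an added example (not code from the original page), the following Python script shows the flaw described above, a query built by string concatenation, beside its parameterized fix, and a small probe harness that feeds the test characters from this section (quotation marks, semicolons, brackets, commas) plus a tautology payload to a lookup function and reports which ones trigger a database error or change the result set. It uses an in-memory SQLite database with a constructed `users` table; the table, column and function names are assumptions.

```python
import sqlite3


# Constructed in-memory sample database; table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """The flaw described in the text: user input is concatenated into the SQL
    string, so quotes and operators in the input become part of the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened version: the input is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The probe characters from this section (brackets, commas, quotation marks,
# semicolon) plus a classic tautology payload.
PROBES = ["'", '"', ";", ",", "(", ")", "' OR '1'='1"]


def probe(lookup, conn, baseline="nobody"):
    """Append each probe to a harmless baseline input and call `lookup`.
    Returns {probe: finding} for every probe that either raises a database
    error (the input reached the SQL parser) or changes the result set
    compared with the baseline (the input altered the query's logic)."""
    expected = lookup(conn, baseline)
    findings = {}
    for p in PROBES:
        try:
            rows = lookup(conn, baseline + p)
        except sqlite3.Error as exc:
            findings[p] = "db error: %s" % exc
            continue
        if rows != expected:
            findings[p] = "result changed: %d row(s)" % len(rows)
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(find_user_vulnerable, db))
    print("safe:      ", probe(find_user_safe, db))
```

Against `find_user_vulnerable` a lone quotation mark produces a syntax error (the tell-tale database error the text describes) and the tautology payload returns every row; against `find_user_safe` every probe returns the same empty result as the baseline, because the bound parameter is compared as data, not interpreted as SQL. Note that a probe such as a bare semicolon produces no finding even against the vulnerable function, which is why several characters must be tried.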

Password Cracking

This is one of the most crucial tests while doing database system testing. To access critical information, attackers may use a password-cracking tool or may simply guess a common username/password combination. Lists of common passwords are freely available on the internet, as are password-cracking tools.

Therefore, it is mandatory to verify during testing that the password policy is properly enforced by the system. For banking and finance applications, it is necessary to set a strict password policy on all database systems that hold critical information.
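As an added example (not from the original page), this Python helper shows how a tester might check that a password policy is actually enforced: it reports candidates that are too short, use too few character classes, contain the username, or appear in a common-password list of the kind the text mentions. The policy thresholds and the short common-password list are constructed stand-ins; a real check would use the organization's policy and a full wordlist.

```python
import re

# Constructed stand-in for the freely available common-password lists the
# text refers to; a real check would load a full wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin",
                    "letmein", "welcome", "password1"}

# Assumed policy: at least 12 characters drawn from at least 3 of the
# 4 classes (lower case, upper case, digit, symbol).
POLICY = {"min_length": 12, "classes_required": 3}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_violations(password, username=None, policy=POLICY,
                        common=COMMON_PASSWORDS):
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("shorter than %d characters" % policy["min_length"])
    classes = sum(1 for pat in CLASS_PATTERNS if re.search(pat, password))
    if classes < policy["classes_required"]:
        problems.append("fewer than %d character classes" % policy["classes_required"])
    if password.lower() in common:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def audit_accounts(accounts):
    """accounts: iterable of (username, candidate password) pairs as submitted
    at account creation or password change. Returns {username: violations}
    for every candidate the policy should have rejected."""
    rejected = {}
    for username, candidate in accounts:
        violations = password_violations(candidate, username)
        if violations:
            rejected[username] = violations
    return rejected


if __name__ == "__main__":
    # Constructed sample input.
    sample = [("alice", "Password1"),
              ("bob", "Tr0ub4dor&3x!Q9m"),
              ("carol", "carol2024!Xyz")]
    for user, why in audit_accounts(sample).items():
        print(user, "->", "; ".join(why))
```

During a test, the same checks are run against the application's own sign-up or password-change form: every candidate that `password_violations` flags must be refused by the application, otherwise the policy exists on paper only.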

Security Audit of Database System

A security audit is a process of assessing a company's security policies at regular intervals to make sure the required standards are being followed. Different security standards can be adopted according to business need; the security policy is specified against them, and the implemented policies are then assessed for compliance with those standards.

ISO 27001 and BS15999 are examples of commonly used security standards.

What are Database Security Testing Tools?

There are different security testing tools on the market that can be employed to test the operating system and the application. A few of the most common are discussed here.

Zed Attack Proxy

It is a penetration-testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and is therefore ideal for developers and functional testers who are new to penetration testing. It runs on Windows, Linux and Mac OS.

Paros

All HTTP and HTTPS data between client and server, including cookies and form fields, can be intercepted and modified with this proxy. It is cross-platform and requires Java JRE/JDK 1.4.2 or above.

Social Engineer Toolkit

It is an open source tool that targets the human element instead of the system element. It lets you send Java applets, emails, etc. containing the attack code. It runs on Linux, Apple Mac OS X and Microsoft Windows.

Skipfish

This tool is used to scan web sites for vulnerabilities. The reports it generates serve as a basis for professional web application security assessments. It runs on Linux, FreeBSD, Mac OS X and Windows.

Vega

It is an open source, multi-platform web security tool used to find instances of cross-site scripting (XSS), SQL injection and other vulnerabilities in web applications. It is written in Java and runs on Linux, Mac OS X and Windows.

Wapiti

Wapiti is an open source web application vulnerability scanner that crawls the pages of a web application and examines scripts and forms to find where it can inject data. It is written in Python and can detect file handling errors, XSS, SQL, LDAP and CRLF injection, and command execution vulnerabilities.

Web Scarab

It is written in Java and is used to analyze applications that communicate over HTTP/HTTPS. The tool is mainly designed for developers who can write their own logic for it. It is not OS dependent.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd
