Black-Box testing on Web Applications
The internet has experienced a floodgate of users in recent times. Companies, state corporations, other private entities, as well as individuals spend much of their time on the internet, either advertising their trade or finding out the current trends in the global market (Andrews 2006, p. 4). The large number of people using the internet has resulted in security vulnerabilities for web applications, as people attempt to access even unauthorized sites. The situation leads to theft of confidential information, violation of data integrity or, worse still, loss of web application availability.
Various approaches are used to detect and prevent web application vulnerabilities. They include black-box, white-box and grey-box testing. Halfond and Alessandro (2008) argue that malicious patterns that exploit vulnerabilities such as SQL injection are submitted into web application forms, and the resulting output is then analysed. SQL injection is a code injection technique in which malicious code is inserted at an input point of a web application to gain access to the database (Anley 2002, 16). If application errors are observed, a possible vulnerability in the web application is assumed.
Black Box Testing
Black-box testing of web application vulnerabilities uses scanners to check the security of a web application. These scanners are automated to probe for security vulnerabilities without accessing the source code from which the application was built (Chess and McGraw 2004, 386). It is used to detect web application security vulnerabilities such as cross-site scripting, SQL injection and cross-site request forgery. These vulnerabilities allow unauthorized access to the web application to obtain classified information such as credit card numbers. Black-box testing uses various techniques to detect the vulnerabilities, including:
Equivalence Class Technique
The technique allows the tester to divide the software's input data into partitions so as to derive test cases from the partitions (Whittaker and Thompson 2003, 19). One test case is used for each partition to check the program.
Expected Result Coverage Technique
The technique mainly extends testing to the expected output values for the input values related to them (Sangita, Avinash and Ashok 2012, 502). A difference between the actual result and the expected result triggers further probing to determine whether there is unauthorized activity in the application or merely a program error.
The scanners used in the black-box technique find loopholes in the existing application. This is done at the web application's input points. The scanner simulates the attack against the input point and summarizes the events in the form of a report (Andrews 2006, 14). To begin the scan, the URL of the web application is entered and a set of user login credentials for the application is provided. Options for the scanner's page crawler are specified so as to maximize page coverage. After the crawler is set, the scanning profile or test vector is specified; this profile or test vector is used in the vulnerability detection run before the scan is launched. The scanner starts operating automatically after profile selection (Beizer 1995, 12).
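As an added illustration, not taken from the essay or any of the cited works, the Python below models the scan procedure just described against a constructed in-memory SQLite backend instead of a live URL: each equivalence partition of the name field is one test vector, and a partition whose actual result differs from the expected one (an error, or different output) is written to the report, which is the expected result coverage check. The names make_db, lookup_concat, lookup_param and black_box_scan are assumptions of this example, as is the sample data.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the web application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a@example.com"), ("bob", "b@example.com")])
    return conn

def lookup_concat(conn, name):
    # Weak input point: user data is spliced straight into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Hardened input point: same query, but the value is bound as a
    # parameter and can never be parsed as SQL.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Equivalence classes for the name field; one test vector per partition,
# each paired with the result the application is expected to return.
TEST_VECTORS = {
    "plain":   ("alice",  ["a@example.com"]),
    "unknown": ("carol",  []),
    "quote":   ("o'hara", []),   # contains a SQL metacharacter; expected: no rows, no error
}

def black_box_scan(handler):
    """Submit every test vector to the input point without looking at its
    code, and report each partition whose actual result deviates from the
    expected one, as a scanner would."""
    conn = make_db()
    report = {}
    for partition, (value, expected) in TEST_VECTORS.items():
        try:
            actual = handler(conn, value)
        except sqlite3.Error as exc:
            # An application error on a partition is the signal the essay
            # describes: it is recorded for further investigation.
            report[partition] = "error: " + type(exc).__name__
            continue
        if actual != expected:
            report[partition] = "unexpected result: " + repr(actual)
    return report  # empty report means every partition behaved as expected
```

Running black_box_scan over lookup_concat flags the "quote" partition with an OperationalError, while the same vectors pass cleanly against lookup_param.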
Codd (1970) posits that the black-box testing technique is an efficient method of protecting web applications against various vulnerabilities. It has various advantages for a user who chooses it over other techniques such as the white-box technique. It is easy to use, as testers can create test cases by working through the application. The testing is so simple that it can be done by people with minimal expertise. Tests can also be developed quickly, as only the graphical user interface is required. It is not necessary to identify the internal paths used in a specific process. However, the black-box technique has its drawbacks. For instance, Gallagher, Bryan and Lawrence (2006) state that the black-box technique requires script maintenance, so the user interface should remain relatively unchanged. If the interface keeps changing, this becomes a challenge, since the inputs would also start changing, affecting script maintenance.
The black-box technique relies on the graphical user interface. Unfortunately, this makes scripts fragile, as the GUI may not be implemented consistently on different platforms (Wassermann and Su 2007, 36). The test may therefore fail unless the tool can handle the differences in GUI. Finally, unlike the white-box technique, the black-box technique cannot look into the inner logic of the application. This makes it ineffective for testing an application fully. To supplement it, a combination of black-box and white-box techniques is used (Fonseca, Vieira & Madeira 2007, 368). The combination results in a new testing model referred to as grey-box testing. The model is used to make up for the shortfalls of black-box testing in web application testing.
Conclusion
Web applications have become a critical component of internet management, as have the techniques used to test them. The main objective of web application testing is to run the application with chosen inputs and states to identify failures or vulnerabilities. Such testing, which can be classified as white-box or black-box, ensures that the application is safe at all times. The fact that black-box testing is performed from the user's perspective ensures that it gives valid output that protects the web application. It is imperative that users apply the black-box technique properly to ensure that their web applications are secure.
References
Anley, C 2002, Advanced SQL Injection in SQL Server Applications, NTGS Software Insight Security Research.
Andrews, M 2006, ‘The state of web security’, IEEE Security & Privacy, vol. 4, no. 4, pp. 14-15.
Beizer, B 1995, Black-Box Testing: Techniques for Functional Testing of Software and Systems, John Wiley & Sons, New York, NY.
Chess, B & McGraw, G 2004, ‘Static analysis for security’, IEEE Security & Privacy, vol. 2, no. 6, pp. 76-79.
Codd, E 1970, ‘A relational model of data for large shared data banks’, Communications of the ACM, vol. 13, no. 6, pp. 377-387.
Fonseca, J, Vieira, M & Madeira, H 2007, ‘Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks’, Pacific Rim International Symposium on Dependable Computing, IEEE, vol. 0, pp. 365-372.
Gallagher, T, Bryan, J & Lawrence, L 2006, Hunting Security Bugs, Microsoft, Redmond.
Halfond, G, Alessandro, O & Panagiotis, M 2008, ‘WASP: protecting web applications using positive training and syntax-aware evaluation’, IEEE Transactions on Software Engineering, vol. 34, pp. 65-81.
Sangita, R, Avinash, K & Ashok, S 2012, ‘A novel approach to prevent SQL injection attack using URL filter’, International Journal of Innovation, Management and Technology, vol. 3, no. 5, pp. 499-502.
Wassermann, G & Su, Z 2007, ‘Sound and precise analysis of web applications for injection vulnerabilities’, SIGPLAN Notices, vol. 42, no. 6, pp. 32-41.
Whittaker, J & Thompson, H 2003, How to Break Software Security, Addison-Wesley, Reading, MA.