Testing Web Application Security

Note: This is copied from my March 30th blog post at My posts are generally about Quality Assurance related issues.

Testing Web Application Security

Over the weekend, hackers got into Oracle's using SQL injection. I was surprised that a big technology company like Oracle would be vulnerable to a SQL injection attack, especially because they are a database company and SQL injection is a well-known attack.

The quote in the article that really caught my attention was, "'It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites,' Chester Wisniewski, senior security adviser at anti-virus firm Sophos, wrote in a blog post Monday. 'Auditing your websites for SQL injection is an essential practice, as well as using secure passwords.'"

Software Testers' Role in Web Application Security

In my experience, most software testers focus on testing the functionality of an application and do not focus on security. The websites that I've worked on that are especially sensitive to security breaches, like financial websites, have generally brought in a separate security expert to review the site.

I think that bringing in an expert is important for highly sensitive sites; however, in many cases, this extra resource is not available. As I've read about more breaches of security, I've come to realize that it would be good for software testers to, at a minimum, test their websites for the most common security vulnerabilities.

Unfortunately, learning the details of even the most common hacker attacks via the Internet can be a shady and sometimes virus-prone pursuit. After talking to a Web Application Security expert, I found a good starting point for learning about Web Application Security testing online.

The Open Web Application Security Project (OWASP)

The Web Application Security expert who I spoke with recommended looking into OWASP. I spoke with a couple other experts, and they all endorsed OWASP as a great place to safely and legally learn about Web Application Security.

There is a lot of great information on the site including an OWASP Testing Guide. However, the area that looks like it would be the most fun to start is the OWASP WebGoat Project. OWASP describes this as "a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons."

I've just started setting up WebGoat and attending meetings at my local OWASP chapter. I plan to write about some of my experiences as I gain new skills related to Web Application Security.

Your Experiences

I'd like to hear about your experiences with Web Application Security testing. Is it something that you currently have your test team focus on? Have you had any problems due to lack of or despite practicing Web Application Security testing?

E-mail me when people leave their comments –

You need to be a member of OWASP to add comments!



  • hello.. my name is Alfred. i'm new in this forum. i read your article and its interesting. all i want to ask is how can i know if the website is secure or not. let's say that i'm not a hacker. how can i know (website example), can't be hacked or can't be sql injection. is there any tools or software to test out the website whether is secure or not?? probably we dont do manual testing right? i mean we dont do the sql injection by ourself. there are many variations of sql injection that we are dont know. thanks..

  • I attended the first OWASP WebGoat Study Group yesterday, and I highly recommend it.  It was great to get some real-world context around the exercises in WebGoat.
  • For anyone in Austin, the local chapter Kevin is referring to, we are doing an OWASP WebGoat Study Group which meets weekly on Wednesdays from 12-1 PM on the National Instruments campus.  See the Austin OWASP Study Group group on here for more details.
This reply was deleted.