Web Application Security Testing Techniques

Testing Techniques Explained

This is a high-level overview of the testing techniques that can be employed when building a testing program.

Manual Inspections and Reviews


Manual inspections are human reviews that typically test the security implications of the people, policies, and processes. Manual inspections can also include inspection of technology decisions such as architectural designs. They are usually conducted by analyzing documentation or performing interviews with the designers or system owners.

Because of the simplicity of the concept, manual inspections and human reviews can be among the most effective and powerful techniques available. Simply by asking someone how something works and why it was implemented a specific way, the tester can quickly determine whether any security concerns are likely to be evident.

Manual inspections and reviews are one of the few ways to test the software development life-cycle process itself and to ensure that there is an appropriate policy or skill set in place.

OWASP says that, as with many things in life, a trust-but-verify model should be adopted when conducting manual inspections and reviews. Not everything that the tester is shown or told will be accurate. Manual reviews are particularly good for testing whether people understand the security process, have been made aware of the policy, and have the appropriate skills to design or implement secure applications.

Other activities that should be carried out using manual inspections include reviewing documentation, secure coding practices, policies, security requirements, and architectural designs.

Let's talk about the advantages and disadvantages of Manual Inspections

Advantages:

  • Requires no supporting technology

  • Can be applied to a variety of situations

  • Flexibility

  • Promotes teamwork

  • Early in the SDLC

Disadvantages:

  • Can be time-consuming

  • Supporting material is not always available

  • Requires significant human thought and skill to be more effective

Threat Modeling


Threat modeling has become a popular technique to help system designers think about the security threats that their systems and applications might face. In essence, threat modeling is a risk assessment for applications. It enables the designer to develop mitigation strategies for potential vulnerabilities and helps them focus their inevitably limited resources and attention on the parts of the system that most require it.

OWASP recommends that all applications have a threat model developed and documented. Threat models should be created as early as possible in the SDLC and should be revisited as the application evolves and development progresses.

To develop a threat model, OWASP recommends taking a simple approach that follows the NIST 800-30 standard for risk assessment. This approach involves:

  • Decomposing the application - use a process of manual inspection to understand how the application works, its assets, functionality, and connectivity.

  • Defining and classifying the assets - classify the assets into tangible and intangible assets and rank them according to business importance.

  • Exploring potential vulnerabilities - whether technical, operational, or managerial.

  • Exploring potential threats - develop a realistic view of potential attack vectors from an attacker's perspective by using threat scenarios or attack trees.

  • Creating mitigation strategies - develop mitigating controls for each of the threats deemed to be realistic.

The output of a threat model varies but is typically a collection of lists and diagrams. Many open source projects and commercial products support application threat modeling methodologies, which can be used as a reference when testing applications for potential security flaws in their design.

OWASP says there is no right or wrong way to develop threat models and perform information risk assessments on applications.

Let's talk about the advantages and disadvantages of Threat Modeling

Advantages:

  • Practical attacker view of the system

  • Flexibility

  • Early in the SDLC

Disadvantages:

  • Good threat models don't automatically mean good software

Source Code Review


Source code review is the process of manually checking the source code of a web application for security issues. Many serious security vulnerabilities cannot be detected with any other form of analysis or testing. As the popular saying goes "if you want to know what's going on, go straight to the source." Almost all security experts agree that there is no substitute for actually looking at the code. All the required information for identifying security problems is there in the code somewhere.

Unlike testing third-party closed software, when testing web applications (especially those developed in-house) the source code should be made available for testing purposes.

OWASP says that many significant and unintentional security problems are extremely difficult to discover with other forms of analysis or testing, such as penetration testing. This makes source code analysis the technique of choice for technical testing. With the source code, a tester can accurately determine what is happening (or is supposed to be happening) and remove much of the guesswork of black-box testing.

Examples of issues that are particularly well suited to discovery through source code review include flawed business logic, concurrency problems, access control problems, and cryptographic weaknesses, as well as backdoors, Trojans, Easter eggs, time bombs, logic bombs, and other forms of malicious code. These issues are often the most harmful vulnerabilities in web applications.

Source code analysis can also be extremely efficient at finding implementation issues such as places where input validation was not performed or where fail-open control procedures may be present. The operational procedures need to be reviewed as well, since the source code being deployed might not be the same as the code being analyzed.
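As an added illustration (not code from the OWASP guide or from this post) of the two implementation issues just named, here is a constructed access-control check in its fail-open form next to a fail-closed rewrite that validates its input first. The user table, ACL and resource-id format are all hypothetical sample data.

```python
import re

# Constructed sample data: who has which role, and which roles may read each resource
ROLES = {"alice": "admin", "bob": "user"}
ACL = {"report-1": {"admin", "user"}, "report-2": {"admin"}}

# Hypothetical format for a valid resource id: short, lower-case, no path characters
RESOURCE_ID = re.compile(r"^[a-z0-9-]{1,32}$")


def check_access_fail_open(username, resource_id):
    """The defective form a source code review should flag.

    Any error in the lookup path (unknown user, unknown resource,
    malformed id) falls through to 'allow'.  Only reading the code
    reveals that the exception branch is a grant, not a denial.
    """
    try:
        role = ROLES[username]
        return role in ACL[resource_id]
    except KeyError:
        # Fail-open: the error path returns True
        return True


def check_access_fail_closed(username, resource_id):
    """Hardened form: validate input up front and deny by default."""
    # Reject malformed ids before any lookup happens (input validation)
    if not isinstance(resource_id, str) or not RESOURCE_ID.match(resource_id):
        return False
    role = ROLES.get(username)
    if role is None:
        return False  # unknown user: deny
    allowed = ACL.get(resource_id)
    if allowed is None:
        return False  # unknown resource: deny (and worth logging for investigation)
    # The only path that can grant is an explicit ACL match
    return role in allowed
```

A black-box tester who only tries known users and resources never exercises the exception branch, which is why the text above calls this a source-review finding.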

Let's talk about the advantages and disadvantages of Source Code Review

Advantages:

  • Completeness and effectiveness

  • Accuracy

  • Fast

Disadvantages:

  • Requires highly skilled security-aware developers

  • Can miss issues in compiled libraries

  • Cannot detect runtime errors easily

  • The source code actually deployed might differ from the one being analyzed

Penetration Testing


Penetration testing, widely known as pen-testing, has been a commonly used technique for testing network security for decades; it is also known as black-box testing or ethical hacking. Penetration testing is essentially the art of testing a system or application remotely to find security vulnerabilities without knowing the internals of the target itself. Typically, the pentest team is able to access an application as if they were users. The tester acts like an attacker and attempts to find and exploit vulnerabilities. In many cases, the tester will be given one or more valid accounts on the system.

While penetration testing has proven to be effective in network security, the technique doesn't naturally translate to applications. When penetration testing is performed on networks and operating systems, the majority of the work is involved in finding, and then exploiting, known vulnerabilities in specific technologies.

OWASP says that because web applications are almost exclusively bespoke, penetration testing in the web application arena is more akin to pure research.

Some automated penetration testing tools have been developed and are available in the market.

Many people use web application penetration testing as their primary security testing technique. OWASP says that whilst it certainly has its place in a testing program, it should not be considered the primary or only testing technique.

Gary McGraw wrote in his Software Penetration Testing paper:

“In practice, a penetration test can only identify a small representative sample of all possible security risks in a system.”

However, focused penetration testing that attempts to exploit known vulnerabilities detected in previous reviews can be useful for checking whether specific vulnerabilities have actually been fixed in the deployed code.

Let's talk about the advantages and disadvantages of Penetration Testing

Advantages:

  • Can be fast, and therefore cheap

  • Requires a relatively lower skill set than source code review

  • Tests the code that is actually being exposed

Disadvantages:

  • Too late in the SDLC

  • Front-impact testing only
