What is application testing in regard to security?
Asked by Willdon
(36 points)
on Jun 22, 2009
under Internet & Computers
1 answer

arvie (36 points)
on Jun 22, 2009

Application testing is integral to ensuring system stability, robustness and security. This testing involves different software tools to identify any vulnerability in the application developed by the organization. The application provides services using the client/server model. The application is targeted through the internet using either the black box method or the white box method. The client application is converted into binary code and the protocols used in the client/server model are determined. The auditor uses different inputs for debugging to determine the underlying programming logic. Different access points in the application are determined where authentication is required. Then different techniques are used to bypass these access points, such as URL-encoded strings and Unicode-encoded strings. Password grinding is used to determine the password by using different passwords for each new login. Many old operating systems such as Win95/98 allow users to enter many password combinations. The application logic behind login is determined by the number of incorrect tries, timeouts and duration.

Session analysis is carried out by gathering data from cookies and the session ID from the HTML header. Its relation with the IP is determined by using the same credentials on another client host. Session limitations with respect to time, file size for transfer and bandwidth utilization are analyzed. A man-in-the-middle attack on the session is carried out by eavesdropping to gather important information about the victim such as passwords and bank account details. A proxy server is established between server and client and the attacker captures packets from both sides in such a way that both are unaware of his presence. Different inputs are used to determine the character range, maximum length and overflow vulnerability.

Cross-site scripting is used by the intruder by adding malicious code to the legitimate HTML reply. When the victim opens the page the malicious script is loaded and important information entered in the web page by the victim is sent to the attacker. The auditor examines the application's response to cross-site scripting. The auditor examines the response of the application when unauthorized access is made to the server's directory using a path traversal string in the input. Auditors access the server using "Server Side Include". In SSI a link to a file containing text is added to the web page. The text in the file appears in the web page, and whenever the text is changed in the file the text in the web page also changes. The response of the server application is examined by manipulating the cookies during the session, the fields of the HTML form and the HTTP protocol. The auditor also gathers information from the client application cache, cookies, temporary files and serialized objects. Serialization is carried out to convert objects to a stream of bytes so that they can be stored on a storage device or sent over the internet. The auditor gathers all the information present in the application web pages such as instructions, welcome and farewell messages.
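Three of the checks the answer above lists, written out as a small auditor-side harness: slipping traversal strings past an input filter with URL-encoded, double-encoded and Unicode (overlong UTF-8) encodings, probing a reply for reflected cross-site scripting, and judging whether session IDs are guessable. This is an added example, not code from the original answer. The server_* functions and WEBROOT are a constructed stand-in for the application under test (the double percent-decode and overlong-UTF-8 handling in server_decode are assumed server bugs), and the payloads and session IDs are constructed sample input.

```python
"""Auditor-side probes for encoded path traversal, reflected XSS and
session-ID predictability.  The server_* functions are a constructed,
deliberately weak stand-in for the application under test; nothing here
talks to a real host."""
import html
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # assumed document root of the simulated server


# ---- simulated server (constructed, deliberately weak) --------------------
def naive_traversal_filter(path: str) -> bool:
    """Blacklist check on the RAW input: passes anything without a literal '../'."""
    return "../" not in path


def server_decode(path: str) -> str:
    """Models a server that percent-decodes twice and treats the overlong UTF-8
    sequences %c0%ae / %c0%af as '.' and '/' (an assumed decoder bug)."""
    twice = unquote(unquote(path, encoding="latin-1"), encoding="latin-1")
    return twice.replace("\xc0\xae", ".").replace("\xc0\xaf", "/")


def inside_root(decoded: str) -> bool:
    """Canonicalise the decoded path and check it stays under WEBROOT."""
    full = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    return full == WEBROOT or full.startswith(WEBROOT + "/")


def server_search_page(q: str) -> str:
    """Vulnerable: reflects the query verbatim into the HTML reply."""
    return f"<html><body>Results for: {q}</body></html>"


def server_search_page_escaped(q: str) -> str:
    """Hardened: HTML-encodes the reflected value."""
    return f"<html><body>Results for: {html.escape(q, quote=True)}</body></html>"


# ---- auditor-side probes ---------------------------------------------------
def probe_traversal(payload: str) -> tuple:
    """Return (passed_filter, escaped_root): did the raw payload get past the
    blacklist, and does it resolve outside the document root once the server
    has decoded it?"""
    passed = naive_traversal_filter(payload)
    escaped = not inside_root(server_decode(payload))
    return passed, escaped


def hardened_is_allowed(path: str) -> bool:
    """Decode once, strictly; refuse leftover '%' or non-printable/non-ASCII;
    then decide on the canonical path rather than on the raw string."""
    try:
        decoded = unquote(path, errors="strict")
    except UnicodeDecodeError:
        return False
    if "%" in decoded or not all(32 <= ord(c) < 127 for c in decoded):
        return False
    return inside_root(decoded)


def reflects_unescaped(handler, marker: str = "zq7x") -> bool:
    """Send a unique marker wrapped in HTML metacharacters and look for it
    coming back byte-for-byte; a hit means the reply is injectable."""
    probe = f'"><{marker}>'
    return probe in handler(probe)


def session_ids_predictable(ids, max_step: int = 1000) -> bool:
    """Flag hex session IDs that advance by small positive steps: a client that
    can read its own ID can then guess a neighbouring user's session."""
    values = [int(i, 16) for i in ids]
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


# ---- constructed sample inputs ---------------------------------------------
TRAVERSAL_PAYLOADS = [
    "../../../etc/passwd",                   # plain
    "..%2f..%2f..%2fetc/passwd",             # URL-encoded slash
    "..%252f..%252f..%252fetc/passwd",       # double-encoded slash
    "..%c0%af..%c0%af..%c0%afetc/passwd",    # overlong UTF-8 slash
    "images/logo.png",                       # benign control
]
WEAK_IDS = ["0000a1f0", "0000a1f1", "0000a1f2", "0000a1f3"]  # sequential
STRONG_IDS = ["9f86d081884c7d65", "2c26b46b68ffc68f", "d7a8fbb307d78094"]

if __name__ == "__main__":
    for p in TRAVERSAL_PAYLOADS:
        passed, escaped = probe_traversal(p)
        print(f"{p:38} filter={'pass' if passed else 'BLOCK':5} "
              f"escapes_root={escaped} hardened_allows={hardened_is_allowed(p)}")
    print("vulnerable page reflects:", reflects_unescaped(server_search_page))
    print("escaped page reflects:   ", reflects_unescaped(server_search_page_escaped))
    print("weak ids predictable:  ", session_ids_predictable(WEAK_IDS))
    print("strong ids predictable:", session_ids_predictable(STRONG_IDS))
```

The plain payload is the only one the blacklist stops; the three encoded variants pass the filter and still resolve to /etc/passwd after the server's own decoding, which is why the hardened check decodes exactly once and decides on the canonical path instead of the raw string.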

