Questions tagged [security-testing]

The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, availability, authorization and non-repudiation.

Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Typical security requirements may include specific elements of confidentiality, integrity, authentication, availability, authorization and non-repudiation. The actual security requirements tested depend on the security requirements implemented by the system. Security testing as a term has a number of different meanings and can be carried out in a number of different ways. As such, a security taxonomy helps us understand these different approaches and meanings by providing a base level to work from.

70 questions
0 votes, 1 answer

ZAP security testing in mobile - unable to launch app or browser via connected Wi-Fi after changing proxy to manual in mobile (both Android and iOS)

First I did the steps mentioned below: "First you need to install the certificate in your mobile device for ZAP to record it. You can do that by following these steps: Open ZAP, go to Tools, click Options, then click Dynamic SSL Certificate and…
0 votes, 1 answer

API automation, load testing and security testing in one project

I want to do API automation and load testing and security testing at the same time using one project. What kind of tool or technology can I use to implement that project?
0 votes, 1 answer

Information in the .well-known/openid-configuration page is exposed to the internet: a security concern?

I am doing a security scan of a client and observed they have implemented OpenID. While reading up I came to know about this URL .well-known/openid-configuration, which has a good amount of information (endpoints: {authorize, connect, userinfo, jwks},…
0 votes, 1 answer

DAST security scanning of an IoT NodeMCU ESP8266 Lua script www HTML server connected to a camera and an A/C relay

I have not, but shall DAST* security test, out of curiosity, an IoT device: a NodeMCU ESP8266 www server I built. It shows an HTML page (on a mobile phone, for example) that allows one to control and interact with a camera module and an A/C relay. With…
0 votes, 1 answer

Does SonarQube Community Edition provide any sort of static application security testing?

We use SonarQube Community Edition and though it works great for static code analysis, I don't see anything very significant when it comes to security analysis. It does flag security vulnerabilities and provides security reports for OWASP Top 10…
Ashley • 1,447 • 3 • 26 • 52
0 votes, 1 answer

Conflict in gosec results in golangci-lint tool

I am trying to use gosec in golangci-lint. However, some issues that are reported by gosec do not get reported when using gosec through golangci-lint. I've used the https://github.com/golang/example project. There were 3 issues reported when running…
nishamaz • 1 • 1
0 votes, 1 answer

ZAP: Mix manual browsing, active scanning and fuzzing for testing a very large Web application?

We've got a very large Web application with about 1000 pages to be tested (www.project-open.com, a project and finance management application for service companies). Each page may take multiple parameters (object-id, filters, column name to use for…
fraber • 1,204 • 1 • 8 • 21
0 votes, 1 answer

Spring REST Security Testing - Cross Origin Issue

I am working on a Spring Boot and Spring REST application. The security testing has reported the issue "The web application or services inform the web client of the allowed domain using the HTTP response header Access-Control-Allow-Origin. The header…
0 votes, 1 answer

How to avoid showing session and Firebase details in the Chrome network console

We have an application in Node.js which can be opened in desktop Chrome and uses Firebase as the backend. Right now all the requests can be intercepted and shown in the Chrome network console, which could be a security concern. How can we stop showing some…
priya • 852 • 18 • 39
0 votes, 1 answer

Is there a way to do cross-site scripting (XSS) testing using JMeter?

Given that JMeter is not a browser and only simulates the actions of a browser, has anyone ever attempted to do cross-site scripting testing using JMeter? I was reading some articles online about how to do security testing using JMeter but I didn't…
0 votes, 1 answer

During an AppScan, is it possible to tell if a specific URL has been scanned?

I'm using IBM AppScan Standard. When I run a scan, in the left-hand pane with the 'URL Based' button selected, I can see the different URLs that AppScan has found and will scan. While the scan is in progress I know that at the bottom of the…
Stackman • 129 • 3 • 14
0 votes, 1 answer

How can we do VAPT using OWASP ZAP in microservices?

I have gone through OWASP ZAP and found that ZAP requires the endpoint of the web application. Still, I tried to provide the URL of the REST APIs of our microservices but I was getting a 404 error. What I think is that OWASP ZAP scans on the HTTP GET method and…
0 votes, 1 answer

Types of scans performed by OWASP ZAP

I have started working with OWASP ZAP (manual scans) and till now the learning and simultaneous execution has been exciting. I did a passive scan on our application and found 3 alerts and have interpreted the Description / OtherInfo / Solution…
undetected Selenium • 183,867 • 41 • 278 • 352
0 votes, 1 answer

ZAP weak password and SSL policies

I have searched through the ZAP documentation and ZAP Coverage of OWASP Top 10 and have not determined how to automatically check weak password policy and do SSL/TLS testing with ZAP. Is there a plugin in the ZAP Marketplace? Is there an approach using ZAP…
BenDavid • 134 • 4 • 17
0 votes, 1 answer

Can we configure the OWASP ZAP report to be sent by mail?

I want to configure the ZAP report to go to my mail ID so that whenever I generate a ZAP report it is sent to my mail. Is it possible to do so?
user8795416