
Chapter 6 DXP Security

• Use of weak unique key generation algorithms to create IDs
• Stack traces and exception handling modules providing details of the server and other internal details that can be exploited by others
• Absence of auditing and monitoring of security events such as account lockout, login, logout, failed password attempts, password change events, and so on

General Web Security Testing

In this stage, we do black box security testing for common and known vulnerabilities. We carry out testing of vulnerability scenarios and penetration scenarios. This includes testing the application for the OWASP (Open Web Application Security Project) Top 10 vulnerabilities, the CWE/SANS (SysAdmin, Audit, Network, Security) Top 25 errors, and common injection attacks. Many tools such as Burp Suite, Zed Attack Proxy, Fiddler, and WebScarab can be used for vulnerability testing and penetration testing. The main testing scenarios in this category are as follows:

• XSS testing
• Testing of directory browsing of resources
• Testing for absence of access controls on protected resources
• Testing of access to URLs and resources
• Checking for accidental information disclosure in cookies and HTTP headers
• Checking for information leakage in server error pages and error handling
• Checking of CSRF tokens
• Checking for misconfigured security settings such as misconfigured HTTP headers or misconfigured error pages
• Testing for buffer overflow
• Testing for injection attacks (SQL injection, LDAP injection, XPath injection)
• Testing for denial of service
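Several of the scenarios above (information disclosure in cookies and HTTP headers, leakage in server error pages, misconfigured security headers) can be checked mechanically against a captured response before any scanner is run. The script below is an added illustration written for this chapter, not code from the book or from any of the tools it names; the two HTTP responses it audits are constructed samples, and the list of required headers and stack-trace markers is an assumed minimal policy that a real programme would extend.

```python
"""Static audit of one HTTP response for the header, cookie and
error-page checks listed in the chapter.  Added example: the responses
below are constructed samples, not captures from a real system."""

# Assumed baseline of response headers a hardened DXP front end should set.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP not prevented",
    "content-security-policy": "CSP missing: no script-source restriction against XSS",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page may be framed (clickjacking)",
}
# Headers that advertise the server stack and belong to the 'accidental disclosure' scenario.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Assumed markers of a stack trace leaking through an error page.
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "Exception", "\tat ", "stack trace")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Headers come back as (name, value) tuples with lower-cased names so
    that repeated headers such as Set-Cookie are all preserved."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body


def audit_cookie(set_cookie: str) -> list:
    """Findings for one Set-Cookie value: missing Secure, HttpOnly, SameSite."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: Secure flag missing")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: HttpOnly flag missing (readable by script)")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: SameSite attribute missing (CSRF exposure)")
    return findings


def audit_response(raw: str) -> list:
    """Run all checks over one response and return a list of finding strings."""
    status_code, headers, body = parse_response(raw)
    present = {n for n, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            findings.append(f"{name} header discloses implementation: {value!r}")
        elif name == "set-cookie":
            findings.extend(audit_cookie(value))
    # Only a server error page is examined for trace leakage.
    if status_code >= 500 and any(m in body for m in STACK_TRACE_MARKERS):
        findings.append("error page leaks a stack trace or exception detail")
    return findings


# Constructed sample: a misconfigured error response.
WEAK_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "java.lang.NullPointerException\n\tat com.example.Checkout.pay(Checkout.java:42)\n"
)

# Constructed sample: the same endpoint with the baseline applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html>OK</html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit_response(resp))} finding(s)")
        for f in audit_response(resp):
            print("  -", f)
```

The weak sample produces ten findings (four missing headers, two disclosure headers, three cookie flags, one leaked trace) and the hardened sample none. Feeding real captures from a proxy such as Burp Suite or Zed Attack Proxy into audit_response turns the checklist above into a repeatable regression check rather than a one-time manual review.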

Building Digital Experience Platforms - Page 209