Try : Insurtech, Application Development










Dev Ops(2)

Enterprise Solution(20)




AI in Insurance(28)


Product Innovation(36)


Augmented Reality(7)

Customer Journey(7)


User Experience(21)




Telehealth Care(1)

Artificial Intelligence(96)



Cognitive Computing(7)

Computer Vision(6)

Data Science(14)


Intelligent Automation(25)

Machine Learning(43)

Natural Language Processing(10)

[Part 2] Web Application Security Testing: Top 10 Risks & Solutions

By :
7 minutes, 29 seconds read

In the previous article, we discussed risks and web application security testing measures for 5 types of attacks-

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting
  4. Indirect object security reference
  5. Security misconfiguration

Link – Part 1

Now let’s continue with the remaining 5 web application security threats.

6. Sensitive data exposure

Broken authentication and inefficient session management leads to sensitive data exposure. Examples of applications vulnerable to sensitive data exposure.

  • Data stored in plain text, such as passwords or credit card data 
  • Lack of HTTPS on authenticated pages
  • Hashed passwords with lack of salt, making the password easily cracked
  • Tokens disclosed in public source code
  • Browser header caching sensitive data

I would suggest going through the part 1 of this series for in-depth knowledge about this vulnerability.

7. Cross-site forgery

Cross-Site Request Forgery (CSRF) or session riding- attacks, an attacker forces a victim to make an inappropriate web request such as a fraudulent bank transaction. For example, an attacker tricks the victim client into calling a banking function in a vulnerable page that transfers money from the victim’s to the attacker’s account. The victim triggers the attack by following an attacker’s link or visiting an attacker’s page. The vulnerable server page doesn’t recheck the authenticity of the victim’s request and allows proceeding the transfer.

The following steps detail the anatomy of a CSRF attack:

  1. The attacker finds a functionality in a web application that is vulnerable to CSRF.
  2. Attacker builds a link invoking the vulnerable function and by passing the required parameters, executes the attack.
  3. The Attacker then waits until the victim client authenticates with the vulnerable web application.
  4. Attacker tricks the victim client into following the malicious link.
  5. Victim client sends a forged request to a vulnerable server.
  6. Vulnerable server allows and executes the forged request.

For example, the link might look like this when the payload is to transfer money from the victim’s to the attacker’s account:


The following link sends an email titled ‘Hello’ to johny@example.com – 


Basic test for cross-site request forgery

You can follow these test steps to test against CSRF bugs-

  1. Find a web application page that triggers/performs an action upon user request.
  2. Construct a page containing a link or redirect that sends a forged request to the application server. This link usually contains a tag such as an img or iframe with the source address pointing to the request.

<a href=”http://bank.com/transfer.do?acct=MARIA&amount=100000″>View my Pictures!</a>

<img src=”http://bank.com/transfer.do?acct=MARIA&amount=100000″ width=”1″ height=”1″ border=”0″>

  1. Note that the links above will generate a GET request. In order to test for POST requests you must create a page containing a form with the URL parameters passed as hidden input, and add a script to automatically submit the form:
 <form action=”http://bank.com/transfer.do” method=”post”>
     <input type=”hidden” name=”acct” value=”MARIA”>
     <input type=”hidden” name=”ammount” value=”100000″>
  1. Open an Internet browser and log in to the web application as a legitimate user.
  2. Open the page built in step 2 (follow the link if necessary).
  3. Confirm if the request was successful.
  4. Repeat test case for every application create/update/delete/mail action.

Expected result: the test fails if the application trusts and processes the forged request.

Also, attackers can manipulate cookies.

Another example,

Suppose, we allow users to post images on our forum. What if one of our users post this image?

<img src= “http://foo.com/logout”>

This is not really an image. But, it will force the target URL to be retrieved by any random user who happens to browse that page — using their browser credentials! From the webserver’s perspective, there is no difference whatsoever between a real user initiated browser request and the above image URL retrieval.

If our logout page was a simple HTTP GET that requires no confirmation, every user who visits that page would be immediately logged out.

Consider these examples of cross-site forgery: CSRF token leakage through Google Analytics, deleting account and erasing imported contacts, change any user ZONE, Add optional two factor mobile number

8. Missing function level access control

If the authentication check in sensitive request handlers is insufficient or non-existent, the vulnerability is Missing Function Level Access Control.

How to test for missing function level access control?

The best way to find out if an application fails to properly restrict function level access is to verify every application function-

  1. Does the UI show navigation to unauthorized functions?
  2. Are server side authentication or authorization checks missing?
  3. Are server side checks solely rely on information provided by the attacker?

Using a proxy, browse the application with a privileged role. Then revisit restricted pages using a less privileged role. If the server responses are alike, the My Organization application is probably vulnerable.

In one potential scenario an attacker simply forces the browser to target URLs. Consider the following (non-My Organisation) URLs which should require authentication. One also requires admin rights to access the “admin_getappInfo” page.



If a non-authentic user (attacker) gets access to either page, then it means — unauthorized access was allowed. This flaw may lead the attacker to access more unprotected admin pages.

Example of missing function level access control atack – Delete Credit Cards from any Twitter Account.

9. Shellshock and Heartbleed attacks


It is a remote command execution vulnerability in Bash. A series of random characters, () { :; }; , confuses Bash because it doesn’t know what to do with them, so by default, it executes the code after it.

More on — manually exploiting shellshock vulnerability

Tools for checking Shellshock

Through command line:

To determine if your Linux or Unix system is vulnerable, type the following in the command line-

 env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
If the system is vulnerable, the output will be:
 this is a test
 An unaffected (or patched) system will output:
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x’
           this is a test

Online tools – 

  1. Penetration testing tools
  2. Shellshock bash vulnerability test tool


It is a critical bug in OpenSSL’s implementation of the TLS/DTLS heartbeat extension. It allows attackers to read portions of the affected server’s memory, potentially revealing users data, that the server did not intend to reveal.

An attacker can trick OpenSSL into allocating a 64KB buffer, copy more bytes than is necessary into the buffer, send that buffer back, and thus leak the contents of the victim’s memory, 64KB at a time.

Web application security testing tools for heartbleed attack

  1. defribulator v1.16 : Command→ python ssltest.py example.com (ssltest.py file is available with me)
  2. Online tool: Filippo
  3. For android, you can download Bluebox open SSL scanner

Also read – Heartbleed bug FAQs, Bugs and solutions

How to prevent heartbleed attack?

  • Upgrade the OpenSSL version to 1.0.1g
  • Request revocation of the current SSL certificate
  • Regenerate your private key
  • Request and replace the SSL certificate

Examples of Heartbleed security attacks: information disclosure on Concrete5, port 1433, server returning more data

10. Unvalidated redirects and forwards

Unvalidated redirect vulnerabilities occur when an attacker is able to redirect a user to an untrusted site when the user visits a link located on a trusted website. This vulnerability is also often called Open Redirect.

It is possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

How to test unvalidated redirects and forwards?

Spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.

Web application security testing: preventing unvalidated redirects

  1. Simply avoid using redirects and forwards.
  2. If at all you’re using redirects/forwards, do not allow the url as user input for the destination. In this case, you should have a method to validate the URL.
  3. If you  cannot avoid user input, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
  4. Map any such destination input to a value, rather than the actual URL or portion of the URL. Ensure that server side code translates this value to the target URL.
  5. Sanitize input by creating a list of trusted URL’s (lists of hosts or a regex).
  6. Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

Consider these examples: open redirect, open redirect in bulk edit

So, this was all about prevailing risks and web application security testing measures to prevent your website from attackers. For further queries & doubts, feel free to write to hello@mantralabsglobal.com

About the author: Rijin Raj is a Senior Software Engineer-QA at Mantra Labs, Bangalore. He is a seasoned tester and backbone of the organization with non-compromising attention to details.



Knowledge thats worth delivered in your inbox

What will ‘Behavioural Changes’ Mean for India’s Digital Health Future

We are in the middle of a global pandemic, facing a threat unlike one never seen before. COVID-19 has been a reason for global concern since it has negatively impacted economies, shut down workplaces, and forced cities into lockdowns.

But history also tells us  that times of uncertainty also foster innovation. The pandemic has forced consumers and businesses to rethink how they behave both physically and digitally. As per McKinsey, COVID-19 has speeded up the adoption of digital technologies.

India, which was on the cusp of a ‘digital health’ revolution, has now been forced to embrace innovation and emerging trends. The healthcare sector holds great promise since new-age technologies like telemedicine, robotics, artificial intelligence (AI), genomics, etc. are transforming healthcare services.

There have been unprecedented changes in consumer behaviour as well. People are now increasingly relying on using the internet to find clinical information or engage with healthcare professionals digitally. Moreover, online consultations, telemedicine, and e-pharmacies have seen a rise in popularity.

Companies will thus need to capitalize on the changing patterns of consumption and health-seeking behaviour.

This article focuses on how changing patient behaviour will affect India’s digital health future.

A growing Indian healthcare market

According to a report by Future Health Index, India is a leader in the adoption of digital health technology. As per India Brand Equity Foundation (IBEF), the Indian healthcare market is expected to grow at a compound annual growth rate of 22% to reach a valuation of USD 372 billion by 2022. This growth can be attributed to the following –

  • Growing health awareness
  • Aging population
  • Lifestyle-related diseases
  • Rising income levels
  • Growth of internet availability

The rise of digital health start-ups is also playing a role in the growth of the healthcare sector. Indian health tech startup landscape has now matured.

Over the last few years, telemedicine has emerged as a fast-growing sector in India. Prominent start-ups like Practo, mfine, and Lybrate have established themselves in the telehealth market. McKinsey estimates that India could save up to USD10 billion by 2025 by using telemedicine instead of in-person doctor appointments.

COVID-induced behavioural changes

The COVID-19 pandemic has brought about changes to patient behaviour. The fear of leaving homes to get treatment has led to the growth of virtual care and telemedicine. 

As per a report by Accenture, almost 70% of the patients canceled or postponed their treatments due to the COVID-19 pandemic. Technology, therefore, played a crucial role in helping patients continue their care. Healthcare providers were even able to improve the experience for patients by delivering them faster response time, personalized interactions, and the convenience of getting consultation from home.

The same report by Accenture highlights some key behavioural changes that are being observed in patients – 

  • Nearly half of the patients now get their treatment at their homes instead of visiting a clinic.
  • Almost 60% of patients want to continue using technology for communicating with healthcare providers.
  • About 41% of patients now use video conferencing to connect with their healthcare providers. Of these, for almost 70% of patients, it’s their first-time using video conferencing for healthcare.
  • Almost 44% of patients used new apps or devices during the pandemic to manage their health conditions.

All this highlights the need for healthcare providers to reimagine their patient engagement strategies in keeping with the changing patient behavior.

Future of digital health in India

New digital technologies and tools are making an impact across the healthcare sector. They hold great promise in improving the efficiency of healthcare services while delivering better patient care. Below are some of the technological developments that are expected to revolutionize the way we seek healthcare.


About 68% of India’s population lives in rural areas where healthcare services are not usually up to the mark. This barrier can be overcome by telemedicine that offers an excellent way for patients to consult a doctor in a much shorter duration. Telemedicine can cut waiting times and allow patients to avoid traveling to a clinic or hospital. Some other benefits of telemedicine include –

  • Immediate access to specialist healthcare providers.
  • Cost-effectiveness.
  • Improved quality of care.
  • Convenience to the patients.
  • Improved patient engagement.

Internet of medical things (IoMT)

The rapid growth of IoMT devices is rapidly changing healthcare delivery by playing an important role in tracking and preventing chronic illnesses.

It not only helps eliminate the need for in-person medical visits but also helps reduce costs. Goldman Sachs estimates IoMT to save USD 300 billion annually for the healthcare industry. IoMT will benefit those patients the most who are unable to get access to quality healthcare due to remote location.

Big data in healthcare

There has been dramatic growth in the amount of medical and health data in the last few years. These massive datasets can be used to draw insights and opportunities for healthcare organizations. Analysis of healthcare data can help discover warning signs and create preventive plans.

The widespread adoption of IoT devices also makes it easier to monitor heart rate, blood pressure, etc. This can help in the early detection of diseases like hypertension, asthma, heart problems, etc.

Electronic medical records

Electronic medical records or EMRs help collect, digitalize patients’ information, and store it in a single place. EMRs store various types of medical data like medical history, prescriptions, drug allergies, etc. and allow doctors to make accurate disease prognosis in a much shorter time. Some other benefits of EMRs include – 

  • Effective medical decisions.
  • Easy data recovery.
  • Improved collaboration.
  • Portability.
  • Security of medical data.

Artificial intelligence

Artificial intelligence (AI) has a big role to play in improving healthcare since growing digitization leads to the availability of a large amount of health data. AI has the potential to transform everyday health management in the following ways –

  • Improved accessibility of healthcare services (for example – the AI-based mobile app Ada is available across 140 countries and makes it possible for anyone to have access to medical guidance).
  • Improved efficiency.
  • Accurate disease diagnosis.
  • Improved insights to reveal early disease risks (for example – a popular app Verily can forecast noncontagious and hereditary genetic diseases).
  • Time and cost savings.


Mobile health or mHealth refers to the monitoring and sharing of health data via mobile technology like health tracking apps or wearables. 

mHealth apps can prove to be beneficial in increasing patient engagement, providing health education, and offering remote consultations to patients. It can also use the data from wearable devices to improve the quality of care. Some other benefits of mHealth include – 

  • Faster access to physicians.
  • Improved medication adherence.
  • Remote patient monitoring.
  • Increased medication reconciliation accuracy.
  • Improved coordination between healthcare providers and patients.


It’s quite clear that COVID-19 has significantly impacted patient behaviour. There has been a growing preference for telehealth and mHealth apps. But all of this has also compelled healthcare organizations to put in more effort in adapting to these behavioural changes. Healthcare providers are opting to rely more on new technologies to continue delivering patient care. A more affordable standard of high-quality care is in the works for India’s digital health future.


Knowledge thats worth delivered in your inbox

Loading More Posts ...
Go Top

May i help you?

bot shadow