Web Application Security Testing, Part 1

Member Submitted
This paper discusses how Web applications are different from traditional client server applications. This is first part of series of articles on Web application security testing and establish importance of security testing. Later parts will have more details on the subject.

Web application and Client-Server, are they same? This question is very common in software testing interviews, if you are part of some e-groups related to testing, you might have heard it many times from different people.

There are numerous differences in Client-Server and Web application architecture. As a tester if you are testing Web applications, it is important to understand what Client-Server architecture is and how Web is different from traditional Client-Server architecture.

Web is a specialized version of client server network, but it has got noticeable differences. In client server network, computing resources are conserved by delegating complex and time consuming task to powerful, expensive computers called server. These server machines are much more powerful in terms of large storage and computing power. They do all the computing and delivers result back to the machines called client over a communication path. Thus client-server architecture comprises of server, client and communication path connecting them.

If you see at the lower level, client server architecture is not that simple. In order to connect two computers, you need network level protocol, you need proper software at client side and server side to send and receive data over network. You need to take care of data loss during transmission, bandwidth issues, dropped connectivity etc. Most of these issues are already addressed by protocols like TCP/IP, UDP, ARP etc. and developers face very little problem in implementing them. These protocols are backbone of the client server architecture.

WWW was developed on top of existing client server architecture. It came into existence as a replacement for FTP and email as a mechanism of sharing files and data. New development in servers to handle more requests, new client software to connect and browse resources on server; new development like HTTP, HTML etc fueled the growth of Web. Main component of the Web architecture is the Web Server, which can serve request from any client. Initially, web started serving static content and soon it was explored for the possibility of doing much more than just static content.

Even though Web is built on top of client server, there are noticeable differences. For example

  • Web is a special case of client server architecture in which fat clients are used to communicate with the server using variety of protocols and standards like HTTP, HTML, XML, SOAP etc.
  • In client server architecture, both client and server exist within the walls of a single company, thus operates in a protected environment. Clients in that case become the trusted user. Web is different, since client can connect server from anywhere thus not a single connection can be treated as trusted.
  • Because client server is typically within a company’s firewall, issues related to security are not as important as in Web applications.
  • In client server architecture, clients are controlled as in who can access, how clients will communicate and use server’s resources etc. In Web, mostly anyone with a browser can connect to the Web.
  • In client server architecture, every client is known; every request received by server will have information on who originated this request. In Web, users are anonymous thus pose a greater security risk.
  • Web gives more opportunity to malicious users to tamper data at the client side as well as at the network level. Chances of data being tampered in the traditional client server architecture are much lesser as compare to Web.
  • Number of clients that can be connected to the server is predictable and can be controlled in the traditional client server, but it can not be controlled in the Web.
  • Clients are much more controlled in client-server.

AgileConnection is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.