Application Testing

Web application testing is the name given to software testing that focuses on web applications. Web applications can be susceptible to both server-side and client-side attacks.

Server-side attacks

Server-side attacks try to compromise the web server and have the potential to reach any associated subdomains. Once the server is compromised, the attacker could gain access to any of the backend services, such as user databases and configuration data.

Most server-side attacks are made possible by poor configuration, bad patching or lax coding controls. These issues can allow the attacker to modify the application's behavior or even access files containing configuration or sensitive information.

In the worst-case scenario, an attacker can take control of the server directly and begin to execute malicious code. This in turn can lead to a full compromise of the host.

Other attack vectors include database exploits, such as SQL injection, which can lead to a compromise of the database along with any sensitive information it may contain.

Client-side attacks

Client-side attacks attempt to exploit the browser application data flow.

Client-side attacks can take control of the web browser session by injecting malicious code. This may take the form of tricking users into executing tasks that cause an unexpected result.

Input Validation

Nearly all attacks will concentrate on input validation. One example is Cross-Site Scripting, where an attacker can inject malicious scripts into a legitimate website. The purpose of this is to deliver the malicious script to users when they visit the website.
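
The two input-handling failures named above (SQL injection on the server side, Cross-Site Scripting on the client side), shown as an added example that is not part of the original page. Each vulnerable handler sits beside its hardened form and is checked with a probe input; the function names, table and sample data are hypothetical and constructed for illustration.

```python
import html
import sqlite3

# Constructed sample data: an in-memory table standing in for a backend user database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_user_unsafe(db, name):
    # Vulnerable: input is concatenated into the SQL text, so it can change the query.
    return db.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()

def find_user_safe(db, name):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def greet_unsafe(name):
    # Vulnerable: input is written into the page as markup.
    return "<p>Hello " + name + "</p>"

def greet_safe(name):
    # Hardened: HTML metacharacters are encoded, so the browser renders them as text.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"

# Constructed probe inputs of the kind an application test submits to each field.
SQL_PROBE = "nobody' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"

def run_checks():
    """Return what each handler does with the probes; the safe forms must stay inert."""
    db = make_db()
    return {
        "sql_unsafe_rows": len(find_user_unsafe(db, SQL_PROBE)),
        "sql_safe_rows": len(find_user_safe(db, SQL_PROBE)),
        "xss_unsafe_reflected": "<script>" in greet_unsafe(XSS_PROBE),
        "xss_safe_reflected": "<script>" in greet_safe(XSS_PROBE),
    }

if __name__ == "__main__":
    for check, result in run_checks().items():
        print(check, result)
```

A test suite would fail the build whenever a probe returns rows it should not or comes back unencoded in the response.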