Black Box testing for web-based application: (5)
Software Testing Methodology
(Continued from previous question...)
27. Directory setup
The most elementary step of web security is the proper
setup of directories. Directory listing (auto-indexing)
should be disabled in the web server configuration, and
each directory should also have an index page (index.html
or main.html) so that a request for the directory itself
never returns a list of its contents.
One company I was consulting for didn't observe this
principle. I right-clicked on an image and found the
path "...com/objects/images". I went to that directory
manually and found a complete listing of the images on
that site. That wasn't too important. Next, I went to
the directory below that: "...com/objects" and I hit
the jackpot. There were plenty of goodies, but what
caught my eye were the historical pages. They had
changed their prices every month and kept the old
pages. I browsed around and could figure out their
profit margin and how low they were willing to go on a
contract. If a potential customer did a little
browsing first, they would have had a definite
advantage at the bargaining table.
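The walk described above (take a resource URL found in page source, then request each parent directory and look for a server-generated index) is easy to automate. The following is an added example, not code from the original page or from the company it describes: the host name, the resource path and the response bodies are all constructed, and `fake_fetch` stands in for a real HTTP client.

```python
"""Directory-listing exposure check (added example, not from the original page).

Given the URL of a resource seen in page source (an <img src>, a script, a
stylesheet), enumerate every parent directory up to the web root, request
each one, and decide whether the body is a server-generated directory index.
Detection is heuristic: it recognises markers from the stock auto-index pages
of Apache httpd, nginx (autoindex on) and IIS (directory browsing enabled).
"""
import re
from urllib.parse import urlsplit, urlunsplit

LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.I),   # Apache httpd and nginx
    re.compile(r"Parent Directory", re.I),          # Apache httpd link text
    re.compile(r"\[To Parent Directory\]", re.I),   # IIS link text
)


def parent_directories(resource_url):
    """Return the directory URLs above a resource, deepest first, ending at '/'."""
    parts = urlsplit(resource_url)
    segments = [s for s in parts.path.split("/") if s]
    dirs = []
    # Drop the file name, then peel off one directory per step.
    for depth in range(len(segments) - 1, -1, -1):
        path = "/" + "/".join(segments[:depth])
        if not path.endswith("/"):
            path += "/"
        dirs.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return dirs


def looks_like_listing(body):
    """True when a response body looks like a server-generated directory index."""
    return any(marker.search(body) for marker in LISTING_MARKERS)


def exposed_directories(resource_url, fetch):
    """Probe each parent directory with fetch(url) -> body; report the listings."""
    return [u for u in parent_directories(resource_url) if looks_like_listing(fetch(u))]


# Constructed responses standing in for a live server (hypothetical host):
# the images directory and its parent both return Apache's default index,
# while the site root returns a normal page.
FAKE_SITE = {
    "https://example.com/objects/images/":
        "<html><head><title>Index of /objects/images</title></head>"
        "<body><a href='/objects/'>Parent Directory</a> logo.gif</body></html>",
    "https://example.com/objects/":
        "<html><head><title>Index of /objects</title></head>"
        "<body><a href='/'>Parent Directory</a> images/ prices-old.html</body></html>",
    "https://example.com/":
        "<html><head><title>Welcome</title></head><body>Home page</body></html>",
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET; a real run would use urllib or requests."""
    return FAKE_SITE.get(url, "<html><head><title>404 Not Found</title></head></html>")


if __name__ == "__main__":
    for url in exposed_directories("https://example.com/objects/images/logo.gif", fake_fetch):
        print("directory listing exposed:", url)
```

Against a real site, replace `fake_fetch` with a function that performs the GET and returns the body. On the server side the fix is to turn indexing off (`Options -Indexes` in Apache httpd, `autoindex off` in nginx) rather than relying on an index page being present in every directory.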
SSL
Many sites use SSL/TLS for secure transactions. You know
you have entered a secured page because the scheme in the
browser's location field changes from HTTP to HTTPS and
the browser shows its lock indicator. A browser warning at
this point is not normal: it means the certificate is not
valid for the host name, or the page pulls in resources
over plain HTTP, and either one is a defect to report. If
your development group uses SSL/TLS, make sure every page
and every sub-resource of the secured flow (scripts,
images, stylesheets, form targets) is served over HTTPS,
and that the secured pages still work in the browsers
your customers actually use. You also need to make sure
there are clear indications when the user enters and
leaves the secured part of the site. Is there a timeout
limit? What happens if the user tries a transaction after
the timeout?
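The "leaving the secured site" check can be partly automated by scanning the HTML of a page that was fetched over HTTPS for sub-resources and form targets that point back to plain HTTP. The code below is an added example, not from the original page: the page URL, the host names and the sample HTML are constructed for the illustration.

```python
"""Mixed-content scan for a page served over HTTPS (added example).

Parses the HTML of a page the user reached over HTTPS and reports every
sub-resource the browser would fetch, or form it would submit, over plain
HTTP. A script or stylesheet loaded this way lets a network attacker modify
the 'secure' page; a checkout form posted to http:// sends the customer's
data in clear even though the page itself was encrypted.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch or submit to a URL.
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
    "form": "action",
}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every fetched or submitted URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        # <link rel=canonical> and similar are not fetched as sub-resources;
        # only stylesheets count here.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        value = a.get(attr_name)
        if value:
            self.resources.append((tag, urljoin(self.base_url, value)))


def insecure_references(page_url, html):
    """Return (tag, url) pairs that would leave HTTPS from a page reached over HTTPS.

    Relative URLs inherit the page's scheme, so only explicit http:// references
    (and protocol-relative ones on an http page, which cannot occur here) show up.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not secured; a different finding
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.resources
            if urlsplit(url).scheme == "http"]


# Constructed page for a hypothetical shop: one script and the checkout form
# point back to plain HTTP, the image and stylesheet do not.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://example.com/style.css">
<link rel="canonical" href="http://example.com/cart">
<script src="http://cdn.example.com/a.js"></script>
</head><body>
<img src="/images/logo.gif">
<form action="http://example.com/checkout" method="post">
  <input name="card"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in insecure_references("https://example.com/cart", SAMPLE_PAGE):
        print(f"plain HTTP reference in <{tag}>: {url}")
```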
28. Logins
In order to validate users, many sites require customers
to log in. This makes things easier for the customer,
who does not have to re-enter personal information every
time. You need to verify that the system rejects invalid
username/password combinations and accepts valid ones.
Is there a maximum number of failed logins allowed before
the server locks the account out? Is the lockout based on
the account or on the client's IP address? What if the
maximum number of failed login attempts is three, you try
three wrong passwords, and then enter a valid login? Is it
still refused? What are the rules for password selection?
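The lockout questions above define the behaviour a tester should expect, and it helps to have a reference model to compare the system under test against. The following is an added example, not code from the original page or from any particular product: it keeps a per-account failure counter, locks the account after three failures for a fixed period, refuses even the correct password while locked, and resets the counter on success. The user names, passwords and the injectable clock are constructed for the illustration.

```python
"""Reference model of failed-login lockout (added example, not from the page).

Rules modelled: MAX_FAILURES wrong passwords lock the account for
LOCKOUT_SECONDS; a correct password during the lockout is still refused;
a successful login resets the failure counter. The clock is injected so the
timeout can be exercised without sleeping.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000          # tune upward for a real deployment
DUMMY_SALT = bytes(16)               # used so unknown users cost the same time


def hash_password(password, salt=b""):
    """PBKDF2-HMAC-SHA256 with a random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    clock: Callable[[], float]                       # returns current time in seconds
    accounts: Dict[str, Account] = field(default_factory=dict)

    def add_user(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, DUMMY_SALT)      # same work as a real check
            return "denied"                          # never reveal which names exist
        if acct.locked_until > now:
            return "locked"                          # correct password does not help here
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0                        # success resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


class FakeClock:
    """Manually advanced clock for exercising the timeout in tests."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock)
    guard.add_user("alice", "correct horse battery staple")     # constructed credentials
    for pw in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(pw, "->", guard.login("alice", pw))
    clock.t += LOCKOUT_SECONDS
    print("after lockout expiry ->", guard.login("alice", "correct horse battery staple"))
```

Two things to weigh when testing a real system against this model: a lockout keyed only on the account lets anyone lock a customer out by typing three bad passwords, and a lockout keyed only on IP address is trivially avoided by an attacker with many addresses, so ask which the system uses and why. Whatever the answer, the "three failures then a valid login" case should be refused until the lockout expires, otherwise the limit is not really enforced.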
29. Log files
Behind the scenes, you will need to verify that the server
logs are working properly. Does the log record every
transaction? Does it record unsuccessful login attempts?
Does it record attempted use of stolen credit cards? What
does it store for each transaction? IP address? User name?
And what does it wrongly store: full card numbers and
passwords have no place in a log file.
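Checking these questions means reading the logs, and two of the checks (are failed logins recorded with the client address, and do any lines contain a full card number) can be scripted. The following is an added example, not from the original page: the log format, the field names and the sample lines are constructed for the illustration, and the card number is the well-known test value 4111 1111 1111 1111.

```python
"""Audit of constructed application log lines (added example, not from the page).

Assumed line format (hypothetical):
    <ISO timestamp> <client ip> <user or -> <EVENT> <key=value ...>
Checks performed: count LOGIN_FAIL events per client address, and flag any
line carrying a Luhn-valid 13 to 19 digit number, which is almost always a
full payment card number that should have been masked before logging.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<event>\S+) ?(?P<detail>.*)$"
)
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse(lines):
    """Return one dict per line that matches the assumed format; skip the rest."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failed_logins_by_ip(records):
    """Answer 'does it track unsuccessful login attempts, with the IP address?'"""
    return Counter(r["ip"] for r in records if r["event"] == "LOGIN_FAIL")


def pan_leaks(lines):
    """Return (line_number, masked_pan) for every full card number found in the log."""
    leaks = []
    for number, line in enumerate(lines, 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                leaks.append((number, masked))
    return leaks


# Constructed sample: two failures then a success from one address, one
# failure from another, and two purchases of which the first logs the card
# number in full.
SAMPLE_LOG = """\
2001-03-04T10:15:01Z 203.0.113.7 - LOGIN_FAIL user=alice
2001-03-04T10:15:09Z 203.0.113.7 - LOGIN_FAIL user=alice
2001-03-04T10:15:20Z 203.0.113.7 alice LOGIN_OK
2001-03-04T10:16:02Z 198.51.100.23 - LOGIN_FAIL user=admin
2001-03-04T10:17:45Z 203.0.113.7 alice PURCHASE order=1042 card=4111111111111111 amount=49.95
2001-03-04T10:18:10Z 203.0.113.7 alice PURCHASE order=1043 card=************1111 amount=12.00
""".splitlines()

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("failed logins by IP:", dict(failed_logins_by_ip(recs)))
    print("card numbers logged in full:", pan_leaks(SAMPLE_LOG))
```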
30. Scripting languages
Server-side scripting languages (CGI scripts, server-side
includes and the like) are a constant source of security
holes. The details differ for each language. Some holes
let a request read files outside the web root, all the way
up to the root of the file system; others let a
form-to-mail script be abused to send arbitrary mail
through the site's mail server. Find out which scripting
languages are being used and research their known
weaknesses. It is also a good idea to subscribe to a
security mailing list or newsgroup that covers the
language you will be testing.
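The two classes of hole named above have the same shape in every scripting language: user input is pasted into a file path or into a mail header without being checked. The following added example (not code from the original page) shows each one as a deliberately vulnerable function beside a hardened form. The document root, file names and mail addresses are constructed.

```python
"""Two classic script holes, vulnerable beside hardened (added example, not from the page).

serve_file_*: the 'access to the root directory' case, path traversal in a
script that maps a request path onto the document root.
build_mail_*: the 'access to the mail server' case, header injection into a
form-to-mail script.
"""
import os
from email.message import EmailMessage
from typing import Optional


def serve_file_vulnerable(doc_root, requested):
    """Intentionally unsafe: joins the user-supplied path onto the document root.
    '../' segments walk out of doc_root, and an absolute path replaces it
    entirely because os.path.join discards everything before it."""
    return os.path.join(doc_root, requested)


def serve_file_hardened(doc_root, requested) -> Optional[str]:
    """Treat the request as root-relative, resolve it, and require the result
    to stay inside doc_root. Returns None when the path escapes.

    The request path must already be URL-decoded exactly once; decoding after
    this check would reopen the hole with %2e%2e%2f."""
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def build_mail_vulnerable(to_addr, subject, body):
    """Intentionally unsafe: form fields go straight into the header block, so a
    subject containing CRLF adds headers such as Bcc: with extra recipients."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}"


def header_values_clean(*values):
    """A header value may not contain a line break or NUL; that is all an
    injector needs to start a new header."""
    return all(not any(c in v for c in "\r\n\x00") for v in values)


def build_mail_hardened(to_addr, subject, body) -> Optional[str]:
    """Reject header values carrying line breaks, then let the email library
    build the message instead of concatenating strings. Returns None on reject."""
    if not header_values_clean(to_addr, subject):
        return None
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


ROOT = "/srv/www"   # hypothetical document root; nothing is read from disk

if __name__ == "__main__":
    for path in ("images/logo.gif", "../../etc/passwd", "/etc/passwd"):
        print(f"{path!r}: vulnerable -> {serve_file_vulnerable(ROOT, path)}, "
              f"hardened -> {serve_file_hardened(ROOT, path)}")
    evil_subject = "Hi\r\nBcc: victim@example.org"
    print(build_mail_vulnerable("sales@example.com", evil_subject, "body").split("\r\n\r\n")[0])
    print("hardened accepts injected subject:", build_mail_hardened("sales@example.com", evil_subject, "body") is not None)
```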
31. Web Server Testing Features
Feature: Definition
- Transactions: The number of times the test script requested the current URL.
- Elapsed time: The number of seconds the whole test run took, from the first request to the last response.
- Bytes transferred: The total number of bytes sent or received, not counting HTTP headers.
- Response time: The average time it took the server to respond to each individual request.
- Transaction rate: The average number of transactions the server handled per second (transactions divided by elapsed time).
- Transference: The average number of bytes transferred per second (bytes transferred divided by elapsed time).
- Concurrency: The average number of simultaneous connections the server handled during the test session.
- Status code nnn: How many times a particular HTTP status code (for example 200 or 404) was seen.
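All of these features can be computed from a list of timed requests. The code below is an added example, not from the original page or from any particular load-testing tool: the `Txn` record type and the four-transaction sample run are constructed for the illustration. Concurrency is taken as the sum of all response times divided by the elapsed time, which equals the average number of connections open at any instant during the run.

```python
"""Deriving the load-test features from raw transaction records (added example).

Each Txn is one request: when it started and finished (seconds on a common
clock), how many body bytes moved (HTTP headers excluded), and the status code.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Txn:
    start: float        # seconds
    end: float          # seconds, >= start
    body_bytes: int     # bytes transferred, less HTTP headers
    status: int         # HTTP status code


def summarize(txns: List[Txn]):
    """Return the features defined above as a dict keyed by feature name."""
    if not txns:
        raise ValueError("no transactions recorded")
    n = len(txns)
    elapsed = max(t.end for t in txns) - min(t.start for t in txns)
    total_bytes = sum(t.body_bytes for t in txns)
    total_response = sum(t.end - t.start for t in txns)
    return {
        "transactions": n,
        "elapsed_time": elapsed,
        "bytes_transferred": total_bytes,
        "response_time": total_response / n,          # average per request
        "transaction_rate": n / elapsed,              # requests per second
        "transference": total_bytes / elapsed,        # bytes per second
        "concurrency": total_response / elapsed,      # average open connections
        "status_codes": dict(Counter(t.status for t in txns)),
    }


# Constructed run: two requests start together, then one more every half
# second, one of them a 404. Durations are chosen so the averages are exact.
SAMPLE_RUN = [
    Txn(0.0, 0.5, 1000, 200),
    Txn(0.0, 1.0, 2000, 200),
    Txn(0.5, 1.5, 500, 404),
    Txn(1.0, 2.0, 1500, 200),
]

if __name__ == "__main__":
    for feature, value in summarize(SAMPLE_RUN).items():
        print(f"{feature:>18}: {value}")
```

The concurrency figure is worth checking by hand once: in the sample, two connections are open from 0.0 to 1.5 s and one from 1.5 to 2.0 s, so the time-weighted average is (2 × 1.5 + 1 × 0.5) / 2.0 = 1.75, the same as 3.5 s of total response time over 2.0 s elapsed.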