
Security Testing by Manual Testers?

February 28, 2018

What do we all need at the end of the day? What most people want in life is security. Why is security important? Because when you feel secure you are happy, comfortable, and able to focus on the things you really want to achieve. Now think about the end users of your website from this point of view. How will it affect your audience if they don't feel secure on your site, or if they learn that they are not secure enough to do what they are supposed to do there? This is where security testing comes in. And yes, manual testers too can perform security testing to a considerable extent.

I still remember exploring something and finding an article on security testing. Like every tester, the first thing I hit was password cracking. Yes, you are right, it got cracked after only 2 hrs. It was being saved in the end users' cookies. So I started exploring what else I could do with security testing and learned a few things which I want to share with you.

If your site deals with the European Union, then you must be aware of GDPR. In that case, security testing is a high-priority task for you as a tester from now on. Make sure your security testing works as an antivirus for all the threats to your web application.

Basic security testing concepts

  1. Authentication: establishing the identity of the end user
  2. Non-repudiation: making sure that the parties involved in a communication cannot later deny the transaction (or deny it while it is going on)
  3. Availability: making sure that services are always available to end users
  4. Confidentiality: making information accessible only to those who are authorized to access it
  5. Integrity: making sure that information has not been changed while being stored or transferred
  6. Authorization: a user can perform actions or receive a service only as far as their permission rights allow

If you have a good hold on your application and know what the different security threats to it can be, then by taking the following easy steps any manual tester can ensure security to a major extent. I am listing here a few simple methods of security testing.

1. URL manipulation:

As you know, to get access to any website we need to hit a URL. See the example below.

Think of yourself as a hacker who simply changes the website URL's query string and gets access to unauthorized information. Normally this happens when an application transfers data between the client and the server using the HTTP GET method: the information is carried in parameters in the query string.

Now you just need to modify the value of a parameter in the query string to get access to unauthorized data.

For example:

Suppose I have access only to the account sheet of my own department, Testing, but not to another department's account sheet. This account sheet simply contains the basic salary list along with employee names. I access my sheet through the following URL:

http://qatesting.com/confluence/pages/viewpage.action?spaceKey=DEV&title=Account+sheet+for+Testing

So if I simply pass the other sheet's name in the URL's title parameter, I get access to a sheet I am not authorized to see:

http://qatesting.com/confluence/pages/viewpage.action?spaceKey=DEV&title=Account+sheet+for+HR

So now think about your project: look for the areas of security threat where anything is being passed in parameters and try to manipulate them.

A simple way of doing it:

Simply add the Tamper Data add-on to Mozilla Firefox.

For more information watch this video.
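The fix for this kind of URL manipulation is a server-side authorization check that does not trust the URL. The following is an added example, not code from the article or from Confluence: the sheet is served only if it belongs to the requesting user's department, so swapping the title parameter yields a 403. The user and sheet tables are constructed sample data.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not from the article): which department each
# user belongs to, and which department owns each account sheet.
USER_DEPARTMENT = {"alice": "Testing", "bob": "HR"}
SHEET_OWNER = {
    "Account sheet for Testing": "Testing",
    "Account sheet for HR": "HR",
}


def requested_sheet(url: str) -> str:
    """Return the 'title' query parameter from a viewpage URL ('+' decodes to space)."""
    titles = parse_qs(urlparse(url).query).get("title", [])
    if len(titles) != 1:
        raise ValueError("expected exactly one title parameter")
    return titles[0]


def can_view_sheet(user: str, url: str) -> bool:
    """Server-side authorization: a user may view a sheet only if it belongs
    to their own department. The URL alone proves nothing about access rights."""
    owner = SHEET_OWNER.get(requested_sheet(url))
    if owner is None:
        return False  # unknown sheet: deny by default
    return USER_DEPARTMENT.get(user) == owner


def serve_sheet(user: str, url: str) -> str:
    """Return the sheet or a 403-style refusal; the title is the same in both URLs
    from the article, only the authenticated user decides the outcome."""
    title = requested_sheet(url)
    if not can_view_sheet(user, url):
        return "403 Forbidden"
    return f"200 OK: {title}"
```

As a manual tester, the check is the reverse of the attack: log in as a Testing user, swap the title, and expect the refusal rather than the HR sheet.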

2. Cross-site scripting (XSS)

Cross-site scripting (XSS) occurs when an application accepts untrusted data and sends it to the client (browser) without validating it. XSS forces the victim's browser to execute code (HTML and JavaScript) injected by the attacker when the victim's page loads. The injected code can steal vital information such as what is stored in cookies.

A simple way of doing it:

E.g. enter the following script in the name field:

<script>alert('THIS IS AN XSS VULNERABILITY')</script>

If the script gets executed, the site is allowing an attacker to perform arbitrary actions. So as a tester, by simply putting these kinds of scripts into the various inputs of your website, you can test your site for XSS vulnerabilities.
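Here is an added example (not the article's code) of why the probe above fires and how output encoding stops it: a constructed page template reflects the submitted name, once unchanged and once HTML-escaped, plus the check a tester would run on the captured response.

```python
import html

# The probe string from the article, as typed into a name field.
XSS_PROBE = "<script>alert('THIS IS AN XSS VULNERABILITY')</script>"

# Constructed page template (not from the article): the submitted name is
# reflected into the HTML body.
TEMPLATE = "<html><body><h1>Welcome, {name}</h1></body></html>"


def render_vulnerable(name: str) -> str:
    """Reflects untrusted input into HTML unchanged: the browser parses it as markup."""
    return TEMPLATE.format(name=name)


def render_fixed(name: str) -> str:
    """Escapes <, >, &, " and ' so the browser displays the input as plain text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def reflects_unescaped(page: str, probe: str = XSS_PROBE) -> bool:
    """Tester-side check on a captured response: True if the probe came back
    verbatim, i.e. as live markup rather than escaped text."""
    return probe in page
```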

3. SQL injection

SQL injection happens when an attacker enters SQL queries into the input fields of an application and they get passed to the backend database. It may give access to information which should not be accessible to that user, or simply execute the query and display its result.

SQL injection can:

  • Steal your sensitive data
  • Gather enough information to perform more serious attacks
  • Delete or modify the database
  • Bypass authentication and impersonate a particular user

For example, you have the following URL:

http://localhost:8080/qatesting/qa.reports?accessFrom=104&selectedreprtdate=12%2F10%2F201&EditDefault=false

Now, if the user updates the selectedreprtdate parameter of this URL with an SQL query, for example:

http://localhost:8080/qatesting/qa.reports?accessFrom=104&selectedreprtdate=%3BUpdate%20UserName%20set%20USERNAME%20%3D%20%27Rupali%27%20where%20EMPLOYEE%20%3D%202%3B--&EditDefault=false

you need to check whether it updates the database table mentioned in the URL.
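The root cause is the query being assembled from the parameter text. As an added example (not the article's application), the following shows the URL-decoded payload from the selectedreprtdate parameter being pasted into a concatenated query, where it becomes a second statement, beside a parameter-bound query where the same value is treated as a literal date and the UserName table is left untouched. The database, tables and names are constructed.

```python
import sqlite3

# URL-decoded value of selectedreprtdate from the article's second URL.
INJECTED_DATE = ";Update UserName set USERNAME = 'Rupali' where EMPLOYEE = 2;--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the report backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE UserName (EMPLOYEE INTEGER PRIMARY KEY, USERNAME TEXT);
        INSERT INTO UserName VALUES (1, 'Anita'), (2, 'Priya');
        CREATE TABLE Reports (id INTEGER PRIMARY KEY, report_date TEXT, body TEXT);
        INSERT INTO Reports VALUES (1, '12/10/2018', 'October report');
    """)
    return conn


def build_query_unsafe(report_date: str) -> str:
    """String concatenation: the parameter becomes part of the SQL text, so a
    value containing ';' smuggles a whole second statement into the query."""
    return "SELECT body FROM Reports WHERE report_date = " + report_date


def fetch_reports_safe(conn: sqlite3.Connection, report_date: str) -> list:
    """Parameter binding: the value travels as data and is never parsed as SQL."""
    cur = conn.execute("SELECT body FROM Reports WHERE report_date = ?", (report_date,))
    return [row[0] for row in cur.fetchall()]


def username_of(conn: sqlite3.Connection, employee: int) -> str:
    """Read back a username so a test can confirm the UPDATE never ran."""
    row = conn.execute("SELECT USERNAME FROM UserName WHERE EMPLOYEE = ?", (employee,))
    return row.fetchone()[0]


def demo() -> dict:
    """Run both paths against a fresh database and report what happened."""
    conn = make_db()
    return {
        "unsafe_sql": build_query_unsafe(INJECTED_DATE),   # contains the injected UPDATE
        "safe_rows": fetch_reports_safe(conn, INJECTED_DATE),  # no such date: []
        "employee_2": username_of(conn, 2),                 # still 'Priya'
    }
```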

4. Password cracking

One of the ways to crack the password of any site is a brute-force attack.

A brute-force attack is nothing but a simple trial-and-error method used to get information such as a user's password or personal identification number. Now, how to do it? There are many automated tools available with which you can test your website against brute-force attacks. One of the simplest is the Mozilla Firefox add-on named Fireforce.

After adding it to your browser, follow these steps:

  1. Open the login page of the site for which you want to crack the password. For example, I am taking flipkart.com.
  2. First, enter any username and click on the login button. Copy the error message you receive on screen.
  3. Right-click on the password field and you will find the Fireforce option.
  4. From here you just need to select which combination you want to try. For example, the password can be a combination of letters and digits, or letters only.
  5. After selecting that, you will see a screen where you need to give the minimum and maximum character length and the validation message which appears when a combination fails.

That's it: whichever password matches the username we want to get into the application with, the add-on displays it in the same dialog, and you will be able to get into the application.
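The attack above is a burst of failed logins against one account, each answered with the same failure message, which is also what makes it detectable on the server side. This added example (not from the article) runs a sliding-window failed-login detector over a few constructed authentication log lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
SAMPLE_LOG = """\
2018-02-28 10:00:01 LOGIN_FAILED user=rupali ip=203.0.113.7
2018-02-28 10:00:02 LOGIN_FAILED user=rupali ip=203.0.113.7
2018-02-28 10:00:02 LOGIN_FAILED user=rupali ip=203.0.113.7
2018-02-28 10:00:03 LOGIN_FAILED user=rupali ip=203.0.113.7
2018-02-28 10:00:04 LOGIN_FAILED user=rupali ip=203.0.113.7
2018-02-28 10:00:05 LOGIN_OK user=rupali ip=203.0.113.7
2018-02-28 10:05:00 LOGIN_FAILED user=vaibhav ip=198.51.100.2
2018-02-28 10:20:00 LOGIN_FAILED user=vaibhav ip=198.51.100.2
"""


def parse_line(line: str) -> tuple:
    """Split one log line into (timestamp, event, user, ip)."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    user = parts[3].split("=", 1)[1]
    ip = parts[4].split("=", 1)[1]
    return ts, parts[2], user, ip


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> list:
    """Return (user, ip) pairs with at least `threshold` LOGIN_FAILED events
    inside any sliding time window of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = parse_line(line)
        if event == "LOGIN_FAILED":
            failures[(user, ip)].append(ts)
    flagged = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged
```

A lockout or progressive delay keyed on the same (user, ip) pair is the corresponding mitigation; the detector gives you the threshold to set it at.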

5. View Source

A number of things are restricted from different groups of users (e.g. admin, simple user). If a restricted user can access that data simply by viewing the page source, then again it is a security issue. Take the example of a website where a user is not able to see the performance ratings given to him/her by his/her manager, but in the page source they are visible.

As a software tester, I believe that delivering not only a quality product but also a well-secured product is the responsibility of QA. Apart from making a good functional product, our focus should also be on software that is well protected against any sort of attack attempt. I hope you will now try all of these, explore more ways of security testing, and ensure your end users are safe on your site.


About the author

Vaibhav Singhal

Vaibhav has been in software testing for a decade. He has worked with different testing techniques along with exploratory testing, and has performed regression, performance, API and other testing with tools and libraries like Selenium, JMeter, LoadRunner, Protractor, REST Assured, Katalon, Appium and others.
