I know many few testers who do hardcore security testing. They use cool tools which are open source for their testing activity. Today, I am going to list few things that might be of your help in your testing activity for security quality criteria.
– SQL Injection
You might have heard about this. I have heard from many discussions that when someone asks, “How to do SQL Injection”. There is 100(s) of people who respond giving some URL and say try with few queries in cheatsheet etc.
But what I say is, SQL Injection requires learning of MySQL, Oracle, and Sybase etc. language. When you understand them you do not need cheatsheet which is limited to some extent.
A Trap: You might be querying MySQL commands when the database is Oracle. So here is where your skills come into picture where you want to know what the database is so that your next step would be what query you have to use.
– Dictionary Attack
I have seen products where there is a password strength indicator which says whether the password is poor, weak, strong, and very strong. They use algorithms like alpha | alphanumeric | alpha + numeric | special characters | one number + one alphabet | one uppercase letter etc. Different products might have different algorithms for this password strength indicator.
Dictionary attack uses a text file which contains all the words listed in dictionary. This could be used for cracking passwords of user who keep passwords that are simple and are in dictionary.
Example passwords that could be cracked with this technique,
NOTE: Also applicable for Desktop or standalone application(s)
– Brute Force Attack
I love this technique. There are different ways in which you can implement this. Write your own code to implement this or use which are already available like Cain & Abel, Brutus etc. Please do some research on this technique using Google.
My quote, “Where there is no captcha, there are always lovely bots”. Brute Force or Dictionary attack techniques are feasible in much better way where there is no captcha. Whenever you are reporting that there is no captcha try to provide why it’s dangerous not to have captcha by helping your readers understand that really captcha has to be added.
– Cross Site Scripting – XSS
I am bored with some of the testers always using the famous below tag to conclude whether a field is vulnerable to XSS or not,
Please learn about java script and other information like cookies, cookie stealing etc. to become XSS guru. Do not just use some tags which are in your notepad and copy paste them always.
I hope you enjoyed this blog post and if you want me to write more about this topic then let me know and I will extend this blog post. Depends on how many of you liked this and want more about this topic.
My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.
Latest posts by SanthoshTuppad (see all)
- Mobile App Testing at Test Insane Software Testing Services - September 3, 2014
- Why OCD sucks for me/entrepreneur/anyone? - August 18, 2014
- DIY: SMART TIPS TO TEST! - July 1, 2014