<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Santhosh Tuppad&#039;s</title>
	<atom:link href="http://tuppad.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://tuppad.com/blog</link>
	<description>Software Testing Blog</description>
	<lastBuildDate>Fri, 03 Feb 2012 08:05:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>I disagree with Jakob Nielsen’s STOP password masking article</title>
		<link>http://tuppad.com/blog/2012/02/02/i-disagree-with-jakob-nielsens-stop-masking-password-article/</link>
		<comments>http://tuppad.com/blog/2012/02/02/i-disagree-with-jakob-nielsens-stop-masking-password-article/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 19:26:45 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Bugs]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Security Testing]]></category>
		<category><![CDATA[Social Engineering Attacks]]></category>
		<category><![CDATA[Stories]]></category>
		<category><![CDATA[Test Ideas]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[usability]]></category>
		<category><![CDATA[Usability Testing]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=712</guid>
		<description><![CDATA[While I refer to http://useit.com/ for usability related articles and I do recommend to many testers as well. However, I filter out which doesn’t make sense to me rather than following something blindly. Darren McMillan, a tester and my friend posted a tweet with the following URL http://www.useit.com/alertbox/passwords.html and after reading it, I felt most [...]]]></description>
<content:encoded><![CDATA[<p>I refer to <a href="http://useit.com/">http://useit.com/</a> for usability related articles and recommend it to many testers as well. However, I filter out what doesn’t make sense to me rather than following something blindly. <a title="Darren McMillan's Blog" href="http://bettertesting.co.uk" target="_blank">Darren McMillan</a>, a tester and my friend, posted a tweet with the following URL: <a href="http://www.useit.com/alertbox/passwords.html">http://www.useit.com/alertbox/passwords.html</a>. After reading it, I felt most of the points did not make sense (at least to me). I responded to the tweets, but 140 characters were not enough to put my thoughts on Twitter, which is why I thought of writing this blog post. Let the learning ride start now.</p>
<p>&nbsp;</p>
<p>My comments for what Jakob Nielsen mentions in his article,</p>
<p>&nbsp;</p>
<p><strong>Jakob Nielsen says</strong>: “Typically, masking passwords doesn&#8217;t even increase security, but it does cost you business due to login failures.”</p>
<p>&nbsp;</p>
<p><strong>Santhosh Tuppad says</strong>: Security is not about making it fool-proof. It is about building layer by layer. Yes, masking does increase security compared with not masking the password: it protects against shoulder surfing.</p>
<p>&nbsp;</p>
<p><strong>Jakob Nielsen says</strong>: “More importantly, there&#8217;s usually nobody looking over your shoulder when you log in to a website. It&#8217;s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.”</p>
<p>&nbsp;</p>
<p><strong>Santhosh Tuppad says</strong>: I have seen many people, even in the office, feel uncomfortable when someone is sitting beside them and they need to enter their password. They feel the other person might look at the keyboard if their typing is slow. If they feel uncomfortable even in that case, will they not feel insecure when the password is shown without masking? I have seen my colleagues come to my desk and ask for something. There have been instances when they came to my desk for something where I had to log in to an application and show them. Now, do I need to ask them to turn the other way, keep checking whether they are watching me, and then type my password?</p>
<p>&nbsp;</p>
<p>I would say contexts are different, if you are sitting alone in your office in a separate chamber it’s different. But, remember that here we are dealing with the whole Web End-Users and not just hand-picked people.</p>
<p>&nbsp;</p>
<p><strong>Jakob Nielsen says</strong>: “Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users&#8217; shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn&#8217;t even protect fully against snoopers.”</p>
<p>&nbsp;</p>
<p><strong>Santhosh Tuppad says</strong>: Well, by unmasking them you are giving a chance to any snooper rather than just the skilled ones. You are degrading the security here. Let me give a typical example which you can relate to: your home has doors and windows. Thieves could get into the house through the windows by breaking them. That doesn’t mean you should remove the doors because they can get in through a window as well. I repeat: security is about adding layers rather than claiming FOOL PROOF security.</p>
<p>&nbsp;</p>
<p><strong>Jakob Nielsen says</strong>: “Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common. But the problem exists for desktop users as well.”</p>
<p>&nbsp;</p>
<p><strong>Santhosh Tuppad says</strong>: I partially agree about the usability problem on mobile devices, where the keypad is cumbersome, while I disagree about desktop users. Yes, there have been times when we have typed it wrongly, but I personally have not found it to be a usability problem. It is as simple as this: by mistake, from a bunch of keys, I inserted the wrong key into the lock and it did not open. It doesn’t make sense to then say, “Let me not lock the door at all”.</p>
<p>&nbsp;</p>
<p><strong>Jakob Nielsen says</strong>: “Users make more errors when they can&#8217;t see what they&#8217;re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business.”</p>
<p>&nbsp;</p>
<p><strong>Santhosh Tuppad says</strong>: I personally see a password not being masked as a security vulnerability rather than seeing it from a usability perspective. I have not seen an end-user say, “I will not log in to this site because they mask the password.” Well, a password is a secret and it has to be secured. If a website doesn’t mask its password field, then I would say it is a security bug rather than a usability element.</p>
<p>&nbsp;</p>
<p><strong>Jakob Nielsen says</strong>: “The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”</p>
<p>&nbsp;</p>
<p><strong>Santhosh Tuppad says</strong>: How does it help when the password is unmasked? People will still continue to use simple passwords which they can remember; this doesn’t make any difference. People with random passwords who want to copy and paste will continue to do so whether the password is masked or unmasked. It is important to remember that technology provides one layer of security and the other layer should come from individual awareness. I cannot complain that the system is not securing my account when I wrote my password on a piece of paper and a hacker got hold of that piece of paper.</p>
<p>&nbsp;</p>
<p><strong>Jakob Nielsen says</strong>: “Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they&#8217;re using an Internet cafe. It&#8217;s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there&#8217;s a tension between security and usability, sometimes security should win.”</p>
<p>&nbsp;</p>
<p><strong>Santhosh Tuppad says</strong>: The checkbox idea might be employed, given that the password is masked by default. However, I do not agree where Jakob Nielsen mentions only “high risk applications”. Why the discrimination? Any application that has a login feature is built with the purpose of protecting data.</p>
<p>&nbsp;</p>
<p>A banking application should have the masking feature for passwords by default, but why not others? You turn on masking by default so that no one else sees the password and you don’t feel uncomfortable continuing your work while someone is sitting beside you. Right? Then why do it only for some applications and leave out the others? Just as “iPhone is iPhone”, “Security is Security” and “End-user is end-user”, irrespective of what kind of application he / she is using.</p>
<p>&nbsp;</p>
<p><strong>Summary</strong></p>
<p>In my opinion, it doesn’t make sense to say, “I will remove the doors to add usability, so people do not have to open the door lock and put effort into it”. People can still get in by breaking the window or the door, but the door is a layer of security, just as a “masked” password is, rather than something to remove. I agree to some extent with the checkbox idea, where you give a checkbox to unmask the password and show it as plain text to the end-user; however, by default it has to be masked. It is just like not checking the “Remember Me” option by default, because of security. By the same reasoning as password unmasking, “Remember Me” should be checked by default to add usability, which is not correct.</p>
<p>&nbsp;</p>
<p>It is not security versus usability. It is about thinking how we can build applications with better security and better usability, and not compromise on either of them, at least to a certain level, even if we cannot fully achieve both; there are contexts where I have provided a solution so that there is no degradation of usability or of security. It is not that security must win and usability should lose, or vice-versa (they are not contenders). There are always better ideas; what it needs is brainstorming. Usability is more about analysis and psychology than concluding in a few minutes or concluding by thinking as an individual. I would finally like to add one point here &#8211; &#8220;<em>If you are not masking the password then you are spoiling the User eXperience, and you may make end-users not log in to your application because they feel uncomfortable logging in with plain text while someone is beside them</em>.&#8221;</p>
<p>&nbsp;</p>
<p>I hope you had a good read and happy learning.</p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2012/02/02/i-disagree-with-jakob-nielsens-stop-masking-password-article/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>LOTS OF LEARNING AT BUG DE BUG CONFERENCE</title>
		<link>http://tuppad.com/blog/2012/02/01/lots-of-learning-at-bug-de-bug-conference/</link>
		<comments>http://tuppad.com/blog/2012/02/01/lots-of-learning-at-bug-de-bug-conference/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 10:11:15 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Communities]]></category>
		<category><![CDATA[Competitions]]></category>
		<category><![CDATA[Events]]></category>
		<category><![CDATA[bugdebug]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[testing]]></category>
		<category><![CDATA[testing conference]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=707</guid>
		<description><![CDATA[Guess what? Some cool news for software testers and software testing aspirants, BugDeBug conference is happening in Chennai this March 2012. I am excited again to attend this conference and also I am conducting a workshop on “Security Testing” at this conference. Well, when I say “Workshop” it is “Hands-on” workshop where participants can test [...]]]></description>
<content:encoded><![CDATA[<p><img class="alignnone alignleft" title="BudDeBug Conference 2012" src="http://www.bugdebug.in/libs/images/bug-debug-logo.png" alt="" width="273" height="98" />Guess what? Some cool news for software testers and software testing aspirants: the BugDeBug conference is happening in Chennai this March 2012. I am excited again to attend this conference, and I am also conducting a workshop on “Security Testing” at this conference. Well, when I say “Workshop” it is a “Hands-on” workshop where participants can test for security. This time, the differences compared with the last 2 conferences are,</p>
<ol>
<li>2 Days Conference</li>
<li>Workshops on different topics like Exploratory Testing (@testertested), Performance Testing (@rahul_verma) and Security Testing (@santhoshst)</li>
</ol>
<h2>How this conference is different from yet another conference that happens?</h2>
<p>I have attended quite a few conferences till now and the only conference where I enjoy being is “BugDeBug”, which is organized by the RIA RUI society. Some of the things that I like about this conference are,</p>
<ol>
<li>Organizing part</li>
<li>Speakers</li>
<li>Competitions</li>
<li>Not to forget, good lunch! Yummmmmmmm!</li>
<li>Affordable registration price (remember that the value you will get out of this conference will be no match to what you have paid. It’s an awesome conference)</li>
</ol>
<p>The list will go on if I want to speak all the good things about this conference.</p>
<p>&nbsp;</p>
<h2>How can you benefit from this conference?</h2>
<p>Networking with people</p>
<p>Registering and then just sitting there idle in the conference doesn’t work out. You need to move from your place, go introduce yourself and network with the people around you. Do not wait for others to come to you and talk. Just go and say “Hi” and get the ball rolling.</p>
<p>&nbsp;</p>
<p>Participating in competitions</p>
<p>There would be some competitions, I guess, even in this conference. So, do not shy away from participating. Participate actively and you might win some goodies.</p>
<p>&nbsp;</p>
<p>Workshop</p>
<p>If you are attending a 1 day workshop, then please do carry a laptop with you, which can facilitate better learning for you. If you do not have one, then you can request someone to share their laptop with you.</p>
<p>&nbsp;</p>
<h2>What are you waiting for?</h2>
<p>This is not the time to think; go and register for BugDeBug at <a href="http://bugdebug.in/">http://bugdebug.in/</a> and keep your fingers crossed to witness one of the most successful software testing conferences in India.</p>
<p>&nbsp;</p>
<p>See you all at Bug De Bug 2012 in Chennai.</p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2012/02/01/lots-of-learning-at-bug-de-bug-conference/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>A quick usability cooking through mindmap</title>
		<link>http://tuppad.com/blog/2012/01/04/a-quick-usability-cooking-through-mindmap/</link>
		<comments>http://tuppad.com/blog/2012/01/04/a-quick-usability-cooking-through-mindmap/#comments</comments>
		<pubDate>Wed, 04 Jan 2012 11:28:18 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Test Ideas]]></category>
		<category><![CDATA[testing]]></category>
		<category><![CDATA[usability]]></category>
		<category><![CDATA[Usability Testing]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=699</guid>
		<description><![CDATA[]]></description>
<content:encoded><![CDATA[<p><a href="http://tuppad.com/blog/wp-content/uploads/2012/01/Usability.png"><img class="alignnone size-large wp-image-700" title="Usability_testing" src="http://tuppad.com/blog/wp-content/uploads/2012/01/Usability-1024x949.png" alt="Mindmap for Usability" width="1024" height="949" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2012/01/04/a-quick-usability-cooking-through-mindmap/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Guest Blog Post: Web Services Attacks</title>
		<link>http://tuppad.com/blog/2012/01/02/guest-blog-post-web-services-attacks-by-parimala-shankaraiah/</link>
		<comments>http://tuppad.com/blog/2012/01/02/guest-blog-post-web-services-attacks-by-parimala-shankaraiah/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 06:35:35 +0000</pubDate>
		<dc:creator>ParimalaShankaraiah</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Web Methods testing]]></category>
		<category><![CDATA[Web Services Attacks]]></category>
		<category><![CDATA[Web Services Testing]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=687</guid>
		<description><![CDATA[What is a Web Service? A web service is any software that is used for communication over a network. One could imagine a web service as any function that performs a specific operation.Web service may or may not include input parameters and may or may not return output parameters. Input / Output parameters can be [...]]]></description>
<content:encoded><![CDATA[<p><strong>What is a Web Service?</strong><br />
A web service is any software that is used for communication over a network. One could imagine a web service as any function that performs a specific operation. A web service may or may not take input parameters and may or may not return output parameters. Input / output parameters can be used as attack points to gain entry into the web service and access confidential information. This guest blog post briefs you about some attacks one could perform to keep a tab on security vulnerabilities within a web service.</p>
<p><strong>Enumeration &amp; Profiling</strong><br />
Suppose, there is a shopping website <a href="http://shoppy.com">http://shoppy.com</a>. A user could place an order by clicking on “Place Order” button. The user is taken to <a href="http://shoppy.com/buy">http://shoppy.com/buy</a>. An attacker can check if a web service is involved or not by accessing <a href="http://shoppy.com/buy?wsdl">http://shoppy.com/buy?wsdl</a>. WSDL file for the web service becomes accessible through a browser. In this particular case, “buy” is a web service whose WSDL file can be accessed by attaching “?wsdl” as the query parameter in the URL. The WSDL file shouldn’t be allowed for public view in the first place. An authentication process needs to be in place to check if an authorized user is accessing the WSDL or not. Once WSDL is accessible, attacker can get information about web methods, data types of input and output parameters, end point information and others. This in turn can be used to exploit it further.</p>
<p><strong>Parameter Tampering</strong><br />
The attacker gets to know about input and output parameters through Enumeration &amp; Profiling of the web service. He can exploit web services using different types of parameters.</p>
<p><strong>Meta characters:</strong> He could tamper using meta characters like single quote, double quote, ampersand, percentage and dollar symbols as input values for web methods which take an input.<br />
<strong>Data type mismatch:</strong> The attacker may provide numeric values to a string data type or null values to arrays.<br />
<strong>Large Buffer / Abnormal values:</strong> The attacker could also provide large values in the range 0 – 2^31. The highest or lowest value for the input parameters may also break the system.</p>
<p>Once inputs are provided and web methods are serviced by the web service, note the messages in the web service response to the user. These should not contain any confidential information about the web service.</p>
<p>&nbsp;</p>
<p><a href="http://tuppad.com/blog/wp-content/uploads/2012/01/Web-Services-Attacks.png"><img class="alignnone size-full wp-image-691" src="http://tuppad.com/blog/wp-content/uploads/2012/01/Web-Services-Attacks.png" alt="Web Services Attacks" width="1624" height="435" /></a></p>
<p>&nbsp;</p>
<p>The following Web service accepts username and password as input and issues a security token as output.</p>
<p><strong>Web Service Request</strong><br />
&lt;?xml version="1.0"?&gt;<br />
&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"<br />
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br />
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;<br />
  &lt;soap:Body&gt;<br />
    &lt;getSecurityToken xmlns="http://tempuri.org/"&gt;<br />
      &lt;username&gt;JohnA&lt;/username&gt;<br />
      &lt;password&gt;Eiffel6Tower&lt;/password&gt;<br />
    &lt;/getSecurityToken&gt;<br />
  &lt;/soap:Body&gt;<br />
&lt;/soap:Envelope&gt;</p>
<p><strong>Web Service Response</strong><br />
&lt;?xml version="1.0" encoding="utf-8"?&gt;<br />
&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"<br />
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br />
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;<br />
  &lt;soap:Body&gt;<br />
    &lt;getSecurityTokenResponse xmlns="http://tempuri.org/"&gt;<br />
      &lt;getSecurityTokenResult&gt;304334&lt;/getSecurityTokenResult&gt;<br />
    &lt;/getSecurityTokenResponse&gt;<br />
  &lt;/soap:Body&gt;<br />
&lt;/soap:Envelope&gt;</p>
<p><strong>XML Poisoning</strong><br />
One could add exploitable elements into existing XML, build a SOAP envelope around it and process it as a web service request. If appropriate validation is not in place, exploitable elements might get into the database or query critical information from the server. The attacker can also use this attack to observe messages returned in the response to gather information about the server.</p>
<p><strong>Directory Traversal</strong><br />
The attacker could look for the Autoexec.bat script by keying in ../../../../Autoexec.bat or using different versions of the same path to get hold of automatically executable batch files. &lt;faultstring&gt; messages sometimes return directory paths.</p>
<p>Consider the following example:<br />
&lt;faultstring&gt;<br />
Server was unable to process request. --&gt; Could not find file &quot;c:\inetpub\wwwroot\news\junk&quot;.<br />
&lt;/faultstring&gt;</p>
<p>The attacker now knows about c:\inetpub\wwwroot\news\junk!</p>
<p><strong>SQL Injection</strong><br />
Keying in symbols like single quote, double quote, hyphen, asterisk and parentheses may result in different &lt;faultstring&gt; messages, provided the input parameters were acting as direct inputs to the database query executed at the server level.</p>
<p>Using 1’ or 1=1 may return complete records of username.</p>
<p>In the above web service request, replace JohnA with 1' or 1=1 as the input. If the web service was performing a query like Select * from username where username='JohnA', using the input 1' or 1=1 would result in the query Select * from username where username='1' or 1=1, hence displaying complete details for the first record in the table. Using this, a user may even drill down to other records in the table using smart SQL queries.</p>
<p><strong>HTTP method tampering</strong><br />
Web services use a GET or POST method to support their operations. Using the GET method to transfer confidential data is not secure enough. Any service using GET needs to be cross-checked by processing it with the Burp Suite or wsKnight tool and checking what data gets submitted and returned through the web service. POST methods need to be converted to GET to check if any confidential information gets revealed.</p>
<p><strong>SOAP message tampering</strong><br />
1. Providing * in input fields in the web service request above may return several records if suitable validations are absent<br />
2. Attackers could use the brute force method to continuously key in usernames and passwords to gain illegal entry into a secure area of the server. Note that there is no account lockout policy at the SOAP request level (Good catch?)<br />
3. Parameter guessing can be used to continuously guess usernames and passwords using social engineering attacks, observe the &lt;faultstring&gt; messages, and fine-tune the guessing method to get access to the web service.</p>
<p><strong>OS command execution</strong><br />
Users could append valid operating system commands to input parameters and get access to confidential information.</p>
<p>For example: "JohnA" | ls -r</p>
<p>The above input may process JohnA as the username and also pass on the ls -r command to list directories on a Unix OS.</p>
<p><strong>Summary</strong><br />
This blog post is a guideline on how web services can be exploited during testing. Attackers can devise many more powerful attacks to gain access to web services.</p>
<p><strong><em>Author Biography</em></strong></p>
<p><a href="http://tuppad.com/blog/wp-content/uploads/2012/01/Parimala.jpg"><img class="alignnone size-full wp-image-692" src="http://tuppad.com/blog/wp-content/uploads/2012/01/Parimala.jpg" alt="Parimala" width="224" height="273" /></a><br />
<em>Parimala has eight plus years of experience in testing, managing and mentoring teams of software testers. Apart from testing that she is most passionate about, she loves mentoring testers and has mentored over 30 testers. She frequently writes about her testing experiences at <a href="http://curioustester.blogspot.com/">http://curioustester.blogspot.com</a>. She has authored/co-authored articles for testing magazines like Better Software, Testing Circus and Testing Planet. Apart from testing, she loves to play with her two lovely kids, read books, magazines, articles and many more. She is a self-claimed emotional over eater who eats to beat every emotion in the world!</em><br />
<em>Parimala currently works as a Test Manager at Moolya Software Testing Pvt Ltd, Bangalore. She can be reached at <a href="mailto:parimala@moolya.com">parimala@moolya.com</a>. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2012/01/02/guest-blog-post-web-services-attacks-by-parimala-shankaraiah/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Do you really understand Usability?</title>
		<link>http://tuppad.com/blog/2011/12/05/do-you-really-understand-usability/</link>
		<comments>http://tuppad.com/blog/2011/12/05/do-you-really-understand-usability/#comments</comments>
		<pubDate>Tue, 06 Dec 2011 06:01:59 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Bugs]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Test Ideas]]></category>
		<category><![CDATA[usability]]></category>
		<category><![CDATA[Usability Testing]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=683</guid>
		<description><![CDATA[Usability is not a quick meal that could be prepared. Whenever someone talks about some thing in Usability, I usually do not give my opinion because the topic requires a lot of thought process to go behind before providing the conclusion and remember that conclusions might change tomorrow because it is always better factor that [...]]]></description>
<content:encoded><![CDATA[<p>Usability is not a quick meal that can be prepared. Whenever someone talks about something in Usability, I usually do not give my opinion, because the topic requires a lot of thought before reaching a conclusion, and remember that conclusions might change tomorrow because there is always a better factor than what we have today. So, please do not take these conclusions as standards. Some concerns require brainstorming in a group to discuss or argue over the thoughts of individuals.</p>
<p>&nbsp;</p>
<p>Few things that I understand and suggest others to understand too,</p>
<ol start="1">
<li>Usability is not what is usable for you; however, you might be one of the end-users too.</li>
<li>Do not change your design based on the feedback from one end-user out of 100 end-users. The nightmare could come tomorrow when that one change reverses the picture: 99 end-users dislike it and only that one end-user likes it.</li>
<li>If your product is for web developers and you are using traditional web components instead of the jazzy stuff which falls under Web 2.0, then you are not considered in the competition in the first place.</li>
<li>Do not follow someone just because they are quite well-known in the field of usability. What you need to do is question yourself on these things: how does this design help the end-user compared with the current one? Is it an intelligent change that we are making to our system? Why are we making this change? (Classic example: Gmail was good before, till its new version was released with GUI changes that most of us do not like compared to the earlier versions.)</li>
<li>Ask other testers in your team this question: how do you feel about the GUI of this product? Is it engaging? Attractive? Does it achieve the goals for which it is built?</li>
</ol>
<p>&nbsp;</p>
<p>For those who are enthusiastic about “Usability and User eXperience” here are some sources which they could make use of,</p>
<ol start="1">
<li><a href="http://useit.com/">http://useit.com/</a></li>
<li><a href="http://userfocus.com/">http://userfocus.com/</a></li>
<li><a href="http://boxesandarrows.com/">http://boxesandarrows.com/</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2011/12/05/do-you-really-understand-usability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to test better with add-on(s)?</title>
		<link>http://tuppad.com/blog/2011/10/26/how-to-test-better-with-add-ons/</link>
		<comments>http://tuppad.com/blog/2011/10/26/how-to-test-better-with-add-ons/#comments</comments>
		<pubDate>Wed, 26 Oct 2011 07:15:52 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Bugs]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Investigation]]></category>
		<category><![CDATA[Test Ideas]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=668</guid>
		<description><![CDATA[You must have known the add-on(s) mindmap which we (Moolyavans) created (URL: http://moolya.com/blog/2011/03/04/addon-mindmap-for-testers-from-moolya/). Now, here I am going to put some light on how we can use them. I have chosen some add-on(s) where I have mentioned about how we can utilize them in our testing activity. Here I go, &#160; Web Developer Add-on There are [...]]]></description>
			<content:encoded><![CDATA[<p>You must know about the add-on(s) mindmap which we (Moolyavans) created (URL: <a href="http://moolya.com/blog/2011/03/04/addon-mindmap-for-testers-from-moolya/">http://moolya.com/blog/2011/03/04/addon-mindmap-for-testers-from-moolya/</a>). Now, here I am going to shed some light on how we can use them. I have chosen some add-ons and described how we can utilize them in our testing activity. Here I go,</p>
<p><strong>Web Developer Add-on</strong></p>
<p>There are different categories under the Web Developer add-on; below are some of them, with an explanation of how we use them in our testing activity:</p>
<p><strong>1. Validation</strong></p>
<p>I would use this add-on to quickly validate CSS and HTML and to find broken links or 404 pages. It uses the validation tools from the W3C, which is the standard, and that helps me give a quick report.</p>
<p><strong>2. Forms</strong></p>
<p>Under this I get to know risks like: whether server-side validation is being done or not, whether maxlengths can be bypassed to get a system error message or other unexpected behaviour, and whether the method of a form can be converted from GET to POST and vice versa.</p>
<p><strong>3. Images</strong></p>
<p>This helps in performing Section 508 (Web Accessibility) tests very quickly. We navigate to a page and click on “Display ALT / Title attributes”, and the whole list is displayed on the page itself, including the existing ones and the missing ones (no need to hover over every image to see whether the ALT text or tooltip is visible).</p>
<p><strong>Resolution Test</strong></p>
<p>I use this to get coverage of how a web page looks at different screen resolutions. Users might have different resolutions set, and this add-on helps us quickly find out whether there are any risks associated with the resolution of a web page.</p>
<p>Also try ScreenFly (http://quirktools.com/screenfly/), which can emulate resolutions for tablets like the iPad / Motorola, mobile phones, desktops and TVs.</p>
<p><strong>iMacros</strong></p>
<p>Let’s say we want to test the My Profile page for a newly registered user. This is a repetitive process if the test requires creating new users, so we automate it very quickly. Let’s say within 30 seconds we could automate the registration form (without captcha, or else we need to enter the captcha and then submit the form). iMacros is supported on Internet Explorer, Mozilla Firefox and Google Chrome; the recorded iMacros can even be run on different web browsers, except Apple Safari. This is just an example; there are many other contexts where we could use iMacros.</p>
<p><strong>Form Fuzzer</strong></p>
<p>I use this to populate text fields with different characters from different character sets. Example: !@#$%^&amp;*()-+ etc. I have the test data ready, and with just one click we populate every text field with it and then submit the form, which helps in validating input.</p>
<p><strong>Check All / CheckFox</strong></p>
<p>Let’s say there are 100 checkboxes and one of the tests is to check all 100 and submit the form. Doing it one by one takes a lot of time, but with the CheckAll or CheckFox add-on I can do it within a few seconds, either by dragging over the area containing the checkboxes I want checked or with just one click. I can even do the inverse and uncheck them.</p>
<p><strong>Tamper Data / IE Tamper</strong></p>
<p>I use this add-on to tamper with input values before they are submitted to the server. This is a man-in-the-middle attack.</p>
<p>Example: Let’s say the item I have purchased costs $100, but there is client-side validation which does not allow me to edit it. I would use the Tamper Data add-on: once I click on “Submit”, Tamper Data shows the input in its own window, where I can edit it to only $10 and submit it. This helps us find out whether tampering with data is possible or not.</p>
<p><strong>RegEx Tester</strong></p>
<p>I use this add-on to test regular expressions. Let’s say there is JavaScript code for validation, but the form is not yet fully built or functional. In this case, I need not stop my testing activity for validation. We could take those regular expressions (A-Z, a-z, 0-9 etc.) and perform the tests. So, even if the functionality is not implemented, our testing of input validation is not blocked.</p>
<p><strong>Edit This Cookie</strong></p>
<p>I use this to reveal risks (if any) like modifying the cookie value and getting into a different account which does not belong to us. Knowing the information that is stored in the cookie value, we look for data that should not be there.</p>
<p><strong>Lipsum</strong></p>
<p>If I want to add 100 lines of text (alphabets) to a text area, we use Lipsum, which is a Lorem Ipsum text generator. So I have the test data ready in a few seconds.</p>
<p><strong>Pendule</strong></p>
<p>Helps in getting coverage of JavaScript and CSS: we use this on a specific page and all the code is extracted into a separate window for CSS and JavaScript. So we have all of it in one place and can go through it on a single page. An indentation feature is also available, under “Beautify CSS”. There are other cool features too which would add value.</p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2011/10/26/how-to-test-better-with-add-ons/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Auto-complete can put your customers under threat</title>
		<link>http://tuppad.com/blog/2011/09/26/auto-complete-can-put-your-customers-under-threat/</link>
		<comments>http://tuppad.com/blog/2011/09/26/auto-complete-can-put-your-customers-under-threat/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 13:33:01 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Bugs]]></category>
		<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=663</guid>
		<description><![CDATA[You must know the auto-complete feature in your web browser and also web applications like Google search engine. I am going to speak where to use them and where not to use them. You might like below 2 points; &#160; Auto-complete will help in improved UX Auto-complete can put your customers under threat if no [...]]]></description>
			<content:encoded><![CDATA[<p>You must know the auto-complete feature in your web browser and also in web applications like the Google search engine. I am going to speak about where to use it and where not to use it. You might like the 2 points below:</p>
<ol start="1">
<li>Auto-complete helps in improving UX</li>
<li>Auto-complete can put your customers under threat if no good care is taken to avoid it in some places</li>
</ol>
<p>I will concentrate on the 2<sup>nd</sup> point, which is the one you are interested in. Let us consider a web application which does not have an auto-complete feature of its own, but the web browser saves history and provides auto-complete from it. Most users keep auto-complete turned on in their web browsers. Below is a mind-blowing example of how not disabling auto-complete in the code of a web application could lead to unauthorized access by a non-owner of some account:</p>
<p>There is a Secret Answer text field and it is in plain text (first of all, this itself is bad, because the secret answer acts as authentication too and ought to be masked; you mask the password because others should not see it, yet keep the secret answer in plain text. Does that make sense?), and there are users who use a shared computer. Let us say 10 customers sign up and choose different secret answers; these are non-computer-savvy users. Now, someone like me (as an example), an evil hacker, starts using the website where the 10 customers registered. I go to the sign-up page and double-click on the “Secret Answer” text field and, guess what, I have 10 secret answers belonging to one or the other end user, and now I need to know which e-mail addresses they were using. That’s simple: double-click on the “e-mail address” text field and I get 10 e-mail addresses. Wow! Let me have a mug of beer now and dance.</p>
<p>Above, you saw how not disabling auto-complete in the code of a web application could impact your customers, and you too.</p>
<p><em>Where should auto-complete be turned off?</em></p>
<ol start="1">
<li>E-mail address (use Remember Me so your users are not forced to enter their e-mail address every time)</li>
<li>Secret Answer (consider masking it too, or else someone who is shoulder surfing might exploit it)</li>
<li>Credit Card Numbers</li>
<li>Bank Account Numbers</li>
</ol>
<p>Any confidential information should not be visible under auto-complete and should not be saved in the history of a web browser. Ask yourself: what is the impact of not having “auto-complete”, and what is the impact of having it? This helps in adding usability as well as security to your web application.</p>
<p>&nbsp;</p>
<p>You could maintain a checklist of what should not be auto-completed in your web application. You might want to communicate this to the test teams working on different projects in your organization as well, to benefit your customers and your organization too. I hope you had a good read.</p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2011/09/26/auto-complete-can-put-your-customers-under-threat/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Attacks via e-mail feature</title>
		<link>http://tuppad.com/blog/2011/09/05/attacks-via-e-mail-feature/</link>
		<comments>http://tuppad.com/blog/2011/09/05/attacks-via-e-mail-feature/#comments</comments>
		<pubDate>Mon, 05 Sep 2011 07:22:07 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=659</guid>
		<description><![CDATA[I often see that; the websites with features which include e-mail service open to security vulnerabilities. These vulnerabilities would be exploited any time. Now, I am going to list some of the features that will use e-mail service (SMTP server). Forgot Username / Password Registration – confirmation e-mail Subscription / receive updates &#160; There could [...]]]></description>
			<content:encoded><![CDATA[<p>I often see that websites with features which include an e-mail service are open to security vulnerabilities. These vulnerabilities could be exploited at any time. Now, I am going to list some of the features that use the e-mail service (SMTP server).</p>
<ol start="1">
<li>Forgot Username / Password</li>
<li>Registration – confirmation e-mail</li>
<li>Subscription / receive updates</li>
</ol>
<p>There could be many other features, depending on the product that is developed or being developed. The ones mentioned above are the ones you are familiar with.</p>
<p><strong>How can I use the above features to attack the e-mail service or SMTP server?</strong></p>
<p><strong>Spamming and more bandwidth usage</strong> – I could get the victim’s username or e-mail address, use it in the Forgot Password text field, and keep sending e-mails to the target e-mail address, thereby spamming. I am not only spamming here; I am also consuming the bandwidth of the e-mail server. I could easily automate this, so let us talk about numbers now. I send one e-mail every 5 seconds.</p>
<p>5 seconds = 1 e-mail</p>
<p>1 minute = 12 e-mails</p>
<p>1 hour = 720 e-mails</p>
<p>It goes on.</p>
<p><strong>DDoS attack</strong> if you are doing it at the same time from different computers. 100 bad guys connected on IRC say “Boom” and everyone invokes it. The number 100 is just for example purposes; there are teams connected on IRC with more than 1000 members.</p>
<p>&nbsp;</p>
<p><strong>Countermeasures</strong></p>
<p>There should be a restriction on the number of e-mails sent per day or per hour, or any other limit that would not harm the e-mail service or the end user.</p>
<p>A captcha should be shown if repeated usage of the form is detected. Example: Gmail displays a captcha in the login form if wrong attempts are made. This could help in stopping an attack that is done by automating the process.</p>
<p>Blacklisting the IP address if the attack continues; recording server logs.</p>
<p>I wrote this blog post quickly and published it. I will write about it in a deeper way sometime later.</p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2011/09/05/attacks-via-e-mail-feature/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Login &#8211; Test Ideas</title>
		<link>http://tuppad.com/blog/2011/09/01/login-test-ideas/</link>
		<comments>http://tuppad.com/blog/2011/09/01/login-test-ideas/#comments</comments>
		<pubDate>Fri, 02 Sep 2011 05:52:08 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Test Ideas]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=650</guid>
		<description><![CDATA[Different combinations of username and password Valid Username Valid Password Valid Username Invalid Password Valid Username No Password Invalid Username Valid Password Invalid Username Invalid Password Invalid Username No Password No Username No Password Valid Username Valid Password and Incorrect Domain Valid Username Invalid Password Correct Domain Valid Username Valid Password and Correct Domain Valid [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Different combinations of username and password</strong></p>
<pre>Valid Username Valid Password
Valid Username Invalid Password
Valid Username No Password
Invalid Username Valid Password
Invalid Username Invalid Password
Invalid Username No Password
No Username No Password
Valid Username Valid Password and Incorrect Domain
Valid Username Invalid Password Correct Domain
Valid Username Valid Password and Correct Domain
Valid Username Invalid Password Incorrect Domain
Invalid Username Valid Password and Incorrect domain
Invalid Username Invalid Password and Correct domain</pre>
<p><strong>Case Sensitive</strong></p>
<pre>Password is case-sensitive?
Username is case-sensitive?</pre>
<p><strong>Maxlength</strong></p>
<pre>Username has maxlength?
Password has maxlength?</pre>
<p><strong>Alignment</strong></p>
<pre>Username and Password text fields are in proper alignment?
Username and Password labels are aligned properly?
Login button is placed in alignment and is not far from the text fields?</pre>
<p><strong>Input Validation</strong></p>
<pre>Alphabets
Alphabets + Numerical
Alphabets + Special Characters
Alphanumeric + Special Characters
Quotes, Double Quotes, Tilde
How does the login behave with the usage of different charset?
Changing the order of these characters, like AB1, 1AB (adding the numeral at the end and adding the numeral at the start)</pre>
<p><strong>Keyboard mapping</strong></p>
<pre>Enter username and password and then press "Enter" key. Does it invoke Submit button?
Are there any keyboard shortcuts for Submit and Cancel?</pre>
<p>Feel free to add more by commenting on this blog post.</p>
<p><strong>Recommended:</strong> Darren McMillan created a mindmap of Login Test Ideas and you can view it at <a href="http://www.bettertesting.co.uk/content/?p=1372">http://www.bettertesting.co.uk/content/?p=1372</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2011/09/01/login-test-ideas/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Finding bugs from web.config file in ASP.NET</title>
		<link>http://tuppad.com/blog/2011/08/10/finding-bugs-from-web-config-file-in-asp-net/</link>
		<comments>http://tuppad.com/blog/2011/08/10/finding-bugs-from-web-config-file-in-asp-net/#comments</comments>
		<pubDate>Thu, 11 Aug 2011 06:27:13 +0000</pubDate>
		<dc:creator>SanthoshTuppad</dc:creator>
				<category><![CDATA[Bugs]]></category>
		<category><![CDATA[Security Testing]]></category>
		<category><![CDATA[Test Ideas]]></category>

		<guid isPermaLink="false">http://tuppad.com/blog/?p=645</guid>
		<description><![CDATA[If you are a tester who is testing a product that is developed on ASP.NET technology then this post would educate you in finding bugs in web.config file. Web.config is a configuration file wherein, you include details such as, Data Source SMTP Server Authentication Custom Error / Re-direction Session timeout Cookie exceptions &#160; And many [...]]]></description>
			<content:encoded><![CDATA[<p>If you are a tester testing a product developed on ASP.NET, this post will educate you in finding bugs in the web.config file. Web.config is a configuration file in which you include details such as:</p>
<ol start="1">
<li>Data Source</li>
<li>SMTP Server</li>
<li>Authentication</li>
<li>Custom Error / Re-direction</li>
<li>Session timeout</li>
<li>Cookie exceptions</li>
</ol>
<p>And many more details.</p>
<p><strong>Example #1</strong></p>
<p>Let’s say you are testing a web application for session timeout and you are not aware of when it would happen. At such times you might directly go to /inetpub/wwwroot/, go to the folder where the application is deployed, open the web.config with any text editor (Notepad++ &#8211; recommended) and search for a string like “timeout”; now you get the details. You might also see that there is no timeout XML tag, which means you have found a bug: there is no session timeout.</p>
<p><strong>Example #2</strong></p>
<p>We are experiencing delays in sending or receiving e-mail. We purchased a cool SMTP server from some cool vendor. In such a situation you could go to web.config and check whether the SMTP settings use the same incoming and outgoing servers that were purchased from that cool vendor. That should be your first test. In case they are the same, you need to contact that cool vendor, who turned out to be not so cool.</p>
<p><strong>Example #3</strong></p>
<p>Handling error pages – Let’s say the page the server is looking for does not exist, so an error page is displayed. There are different status codes, and these can be handled in the web.config file. You can go to web.config and see whether the developer is using custom error pages for all of these. You can search for the “customErrors” string to find the details, if any.</p>
<p>For the list of HTTP status codes you can refer <a href="http://en.wikipedia.org/wiki/List_of_HTTP_status_codes">here</a>.</p>
<p>To be continued in the next blog post – Thanks!</p>
]]></content:encoded>
			<wfw:commentRss>http://tuppad.com/blog/2011/08/10/finding-bugs-from-web-config-file-in-asp-net/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

