Software Testing Best Practices


    8/2/2019 Software Testing Best Practices


    Top 5 Web App Security bugs


    Cross-Site Scripting

    Normal execution


    Cross-Site Scripting

    What attacker does


    Types of Cross-Site Scripting

    Non-persistent Attack:

    1. A often visits a particular website, which is hosted by B. B's website allows A to log in with a username/password pair and stores sensitive data, such as billing information.
    2. C observes that B's website contains a reflected XSS vulnerability.
    3. C crafts a URL to exploit the vulnerability, and sends A an email, enticing her to click on a link for the URL under false pretenses. This URL will point to B's website, but will contain C's malicious code, which the website will reflect.
    4. A visits the URL provided by C while logged into B's website.
    5. The malicious script embedded in the URL executes in A's browser, as if it came directly from B's server (this is the actual XSS vulnerability). The script can be used to send A's session cookie to C. C can then use the session cookie to steal sensitive information available to A (authentication credentials, billing info, etc.) without A's knowledge.


    Prevention to Cross-Site Scripting

    - Check that ASP.NET request validation is enabled
    - Review ASP.NET code that generates HTML output
    - Review potentially dangerous HTML tags and attributes
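The three review points above, as an added example that is not part of the original slides: a constructed page that reflects a "name" query parameter, rendered first without and then with output encoding, a coarse input filter standing in for ASP.NET request validation, and a review helper that checks whether generated HTML still carries live markup. The URL, the parameter name and the tag list are assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a page that reflects the "name" query parameter
# into its HTML response. Names, URLs and the tag list are assumptions.

# Markup a reviewer flags when auditing HTML-generating code; illustrative, not exhaustive.
ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed)\b|\son\w+\s*=|javascript:",
    re.IGNORECASE,
)

def render_unsafe(name: str) -> str:
    """'Before': user input concatenated straight into HTML, so markup in it is live."""
    return f"<p>Welcome, {name}!</p>"

def render_safe(name: str) -> str:
    """'After': encode at the output point, so the browser treats the value as text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"

def request_validation_rejects(value: str) -> bool:
    """Rough analogue of ASP.NET request validation: refuse input that already
    contains markup before it reaches any rendering code. Coarse, and a
    defence-in-depth measure only; output encoding is still required."""
    return bool(ACTIVE_MARKUP.search(value))

def handle(url: str, request_validation: bool = True) -> str:
    """Simulated request handler: returns the HTML the browser would receive."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("name", [""])[0]
    if request_validation and request_validation_rejects(name):
        return "<p>A potentially dangerous value was detected in the request.</p>"
    return render_safe(name)

def reflects_active_markup(page: str) -> bool:
    """Review helper for generated output: is any live markup left in the page?"""
    return bool(ACTIVE_MARKUP.search(page))

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed marker string for testing
    print(render_unsafe(probe), reflects_active_markup(render_unsafe(probe)))
    print(render_safe(probe), reflects_active_markup(render_safe(probe)))
```

The important line is the one in render_safe: encoding happens where the value is written into HTML, regardless of whether request validation caught anything earlier, because the filter only recognises patterns it was written for.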


    Clear Text Secrets

    Sensitive"data like User Credentials, cryptographic keysmust never be stored, cached, or sent unencrypted. For

    instance: logon passwords, PINs, credit card numbers,

    telephone calling card numbers, session ID that can be

    used to gain access to goods, services, or confidential

    information must always be stored and sent encrypted.


    Countermeasures to Clear Text Secrets

    - Use trusted and proven standard algorithms for encryption
    - Do not store secrets (passwords/keys) in code
    - Use the aspnet_regiis tool to encrypt configuration settings
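An added example for the first two countermeasures, not from the original slides: passwords protected with PBKDF2-HMAC-SHA256 from the standard library (a proven standard construction; stored as salted one-way hashes rather than encrypted, since a verifier never needs the clear text back), a loader that takes a database secret from the environment instead of a string literal, and a reviewer's grep for secret literals in source. The environment-variable name, the iteration count and the regex are assumptions.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Mapping, Optional

# Added example. Assumptions: PBKDF2-HMAC-SHA256 stands in for "trusted standard
# algorithms"; passwords are stored as salted one-way hashes, not encrypted;
# the environment-variable name and the regex below are illustrative.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    The clear-text password itself is never written anywhere."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def load_db_password(env: Mapping[str, str] = os.environ) -> str:
    """Take the secret from the environment instead of a string literal in code
    (the same idea as keeping it out of a clear-text config file)."""
    try:
        return env["APP_DB_PASSWORD"]  # hypothetical variable name
    except KeyError:
        raise RuntimeError("APP_DB_PASSWORD is not set; secrets must not be hard-coded") from None

# Assignment of a quoted literal to a secret-looking name: a reviewer's grep, not a full scanner.
HARDCODED_SECRET = re.compile(r"""(?i)\b(password|pwd|secret|api[_-]?key)\s*=\s*["'][^"']+["']""")

def find_hardcoded_secrets(source: str) -> list:
    """Return 1-based line numbers of lines that assign a secret literal."""
    return [n for n, line in enumerate(source.splitlines(), 1) if HARDCODED_SECRET.search(line)]
```

hmac.compare_digest is used on purpose: a plain string comparison returns as soon as one byte differs, which leaks timing information about the stored digest.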


    Authorization Issues

    Direct Object Reference (Normal execution)


    Countermeasures to authorization issues

    - Perform server side authorization
    - Use a platform provided authorization mechanism (URL Authorization, Declarative checks)
    - Implement authorization controls in middle tiers like gateways
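The direct object reference scenario and the countermeasures above, as an added example that is not from the original slides: an invoice lookup that trusts the id in the URL beside one that checks ownership on the server, a URL-authorization table evaluated by a gateway-style function before any object is touched, and deny-by-default when no rule matches. The invoices, users, roles and paths are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Added example: server-side checks around a direct object reference. The
# invoice table, users, roles and URL rules below are constructed.

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float

INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

def get_invoice_unsafe(invoice_id: int) -> Invoice:
    """'Before': whatever id the URL carries is looked up; the caller's identity
    never enters the decision, so any logged-in user can read any invoice."""
    return INVOICES[invoice_id]

def get_invoice(current_user: str, invoice_id: int, roles: Iterable[str] = ()) -> Invoice:
    """'After': the owner check runs on the server against the session identity,
    not against anything the client sent about itself."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    if invoice.owner != current_user and "billing_admin" not in set(roles):
        raise Forbidden(invoice_id)
    return invoice

def can_read(current_user: str, invoice_id: int, roles: Iterable[str] = ()) -> bool:
    """Boolean form of the object-level check, handy in tests."""
    try:
        get_invoice(current_user, invoice_id, roles)
        return True
    except (NotFound, Forbidden):
        return False

# Platform-style URL authorization: path prefix -> roles allowed; deny by default.
URL_RULES = [
    ("/admin/", {"admin"}),
    ("/invoices/", {"user", "billing_admin", "admin"}),
]

def url_authorized(path: str, roles: Iterable[str]) -> bool:
    held = set(roles)
    for prefix, allowed in URL_RULES:
        if path.startswith(prefix):
            return bool(held & allowed)
    return False  # no rule matched: deny

def handle_request(path: str, current_user: str, roles: Iterable[str]) -> Tuple[int, Optional[Invoice]]:
    """Gateway-style middle tier: coarse URL authorization first, then the
    object-level ownership check. Returns (HTTP status, invoice or None)."""
    roles = list(roles)
    if not url_authorized(path, roles):
        return 403, None
    if path.startswith("/invoices/"):
        try:
            invoice_id = int(path.rsplit("/", 1)[1])
        except ValueError:
            return 400, None
        try:
            return 200, get_invoice(current_user, invoice_id, roles)
        except NotFound:
            return 404, None
        except Forbidden:
            return 403, None
    return 404, None
```

URL authorization alone is not enough: a user allowed under /invoices/ can still type any id, which is exactly the direct object reference problem, so the per-object ownership check in get_invoice is the one that closes it.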


    SQL Injection

    User input without sufficient validation is used to create and execute a dynamic SQL statement. The user can then manipulate the SQL statement that gets executed.


    SQL Injection

    Normal execution


    SQL Injection

    What attacker does


    Countermeasures to SQL Injection

    * Constrain and sanitize input data:
      Check for known good data by validating for type, length, format, and range.
    * Use safe SQL parameters for data access:
      If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code.
    * Use an account that has restricted permissions in the database:
      Ideally, you should only grant execute permissions to selected stored procedures in the database and provide no direct table access.
    * Avoid disclosing database error information:
      In the event of database errors, make sure you do not disclose detailed error messages to the user.
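The first three countermeasures, as an added example that is not from the original slides: a lookup that assembles SQL text from input beside the same lookup with a parameter, an allow-list validator in front of it, and a connection restricted to reads as a stand-in for a database account with limited permissions. sqlite3 from the standard library stands in for SQL Server (its authorizer callback plays the role of the restricted account); the table, rows and username rule are constructed.

```python
import re
import sqlite3
from typing import List, Tuple

# Added example: 'before' (SQL text assembled from input) beside 'after'
# (parameter, allow-list validation, read-only connection). sqlite3 stands in
# for SQL Server; the table and rows are constructed.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'h1', 'user');
        INSERT INTO users VALUES ('bob', 'h2', 'admin');
    """)
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """'Before': the statement text is built from input, so input can change
    which rows the statement returns."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}' ORDER BY username"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """'After': the statement text is fixed and the value travels as a parameter,
    so the database treats it as a literal, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY username"
    return conn.execute(sql, (username,)).fetchall()

# Allow-list: known-good type, length, format and range for a username.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")

def validate_username(value) -> str:
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value

def lookup_validated(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Validation in front of the parameterised query: reject bad input early
    instead of letting the database see it at all."""
    return lookup_safe(conn, validate_username(username))

# Stand-in for a database account with restricted permissions: this connection
# may read and nothing else; any DELETE/UPDATE/DROP is refused before it runs.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

def restrict_to_reads(conn: sqlite3.Connection) -> None:
    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def can_delete_users(conn: sqlite3.Connection) -> bool:
    """Probe used to show the effect of the restricted connection."""
    try:
        conn.execute("DELETE FROM users WHERE username = 'bob'")
        return True
    except sqlite3.DatabaseError:
        return False
```

The three layers are independent: the parameter keeps the statement fixed even when validation is missing, validation keeps nonsense out of the database even when a query is parameterised, and the restricted account limits what a mistake in either of the first two can reach.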


    Verbose Error messages

    Leads to


    Countermeasures to Verbose Errors

    Display a generic message in the case of an exception, or in any scenario where the verbose message would otherwise be displayed as a crash.
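An added example of the countermeasure above, not from the original slides: the same failing request handler wrapped two ways, one returning the raw exception and stack to the user, the other logging that detail server-side under a reference id and returning only a fixed message plus the id. The handler, the in-memory log store, the reference-id format and the leak-marker list are constructed for the example.

```python
import logging
import sqlite3
import traceback
import uuid
from typing import Callable, Dict, List, Tuple

# Added example: the same failure handled two ways. The handler, the log store
# and the reference-id format are constructed for illustration.

class MemoryLog(logging.Handler):
    """Keeps log records in a list so the server-side detail can be inspected."""
    def __init__(self) -> None:
        super().__init__()
        self.entries: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.entries.append(self.format(record))

log = logging.getLogger("app.errors")
log.propagate = False
memory_log = MemoryLog()
log.addHandler(memory_log)
log.setLevel(logging.ERROR)

def failing_handler() -> str:
    """Constructed request handler whose failure would leak schema details."""
    sqlite3.connect(":memory:").execute("SELECT * FROM users")  # table never created
    return "unreachable"

def call_verbose(handler: Callable[[], str]) -> Tuple[int, Dict[str, str]]:
    """'Before': the raw exception text and stack go to the user."""
    try:
        return 200, {"body": handler()}
    except Exception as exc:
        return 500, {"error": f"{type(exc).__name__}: {exc}", "trace": traceback.format_exc()}

def call_generic(
    handler: Callable[[], str],
    make_ref: Callable[[], str] = lambda: uuid.uuid4().hex[:12],
) -> Tuple[int, Dict[str, str]]:
    """'After': full detail is logged server-side under a reference id; the user
    sees only a fixed message plus that id to quote to support."""
    try:
        return 200, {"body": handler()}
    except Exception:
        ref = make_ref()
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": f"An error occurred. Reference: {ref}"}

# Strings that should never reach a user-facing response; illustrative list.
LEAK_MARKERS = ("Traceback", 'File "', "no such table", "syntax error", "SELECT", "sqlite3")

def discloses_internals(response: Dict[str, str]) -> bool:
    """Test-time check a QA engineer can run over responses: is any marker of
    internal detail present in what the user would see?"""
    text = " ".join(response.values())
    return any(marker in text for marker in LEAK_MARKERS)
```

The reference id is what makes the generic message workable in practice: support can find the full stack trace in the log from the id the user quotes, so nothing needs to be shown on the page.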


    Other Bugs

    Range Check

    The range of all similar fields should be uniform, e.g. the phone/mobile number fields.

    Back button

    Sometimes the Back button present in the page causes user data to be revealed or altered, which is very serious in the case of transactions or user information.


    Bug Repetition

    Suppose a bug type has been resolved; then the same bug should not be repeated. For example, the hotel rule was not being properly updated at an earlier time, but after some patch the issue was noticed again.

    Session expiry

    The session expiry time is also non-uniform.


    Uniformity of the Error messages

    The error message displayed should be uniform in terms of the displayed location and type.

    Scrollbar

    Suppose the input value for a particular field is large; then there should be a scrollbar present so that the UI of the page does not get affected.


    Feedback / QnA