Let’s take the same concept from the first part of the article even further.
Let’s say that viewing
/users/id/104/edit
(or the same URL with some other user id) gives a permission denied error.
So, viewing the edit profile page is not allowed. However, that does not necessarily mean it is impossible to edit anyone's profile information. The edit page is only the form; the request that actually saves the change may not be protected at all, so the edit just has to be done without viewing the edit profile page. You're going to need a tool for that (an intercepting proxy or curl is enough).
There is a class of dangerous security issues that can be found by just looking around. You don't really need technical knowledge to identify these issues, just regular exploratory testing skills. Sounds good, right?
Take a look at the OWASP Top 10 Application Security Risks. Specifically, A8 – Failure to Restrict URL Access.
This is a very simple class of problems. The developers simply forgot to check, on every request and not only on the page that shows the form, whether the logged-in user is actually allowed to do what they are asking for. (Creating new users with administrative privileges, for example. True story.)
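The two posts above describe the same pattern: the edit page at /users/id/104/edit answers "permission denied", but the request that saves the profile is never checked. The following is an added example, not code from the original posts, that reproduces that pattern in a tiny in-memory web application and shows the hardened version beside it. The routes, the user ids 103 and 104, the form field and the ownership rule are all assumptions made for illustration; the `probe` function does what a tester would do with an intercepting proxy or curl, namely skip the denied page and send the update request directly.

```python
"""Forced browsing / missing authorization on the update handler.

Added example, not from the original blog post. Routes, user ids and the
"you may only edit your own profile" rule are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str]                     # id of the logged-in user, None if anonymous
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def sample_users() -> Dict[str, Dict[str, str]]:
    """Constructed sample data: two ordinary (non-admin) users."""
    return {"103": {"name": "alice"}, "104": {"name": "bob"}}


EDIT_PAGE = re.compile(r"^/users/id/(\d+)/edit$")   # GET: renders the edit form
UPDATE = re.compile(r"^/users/id/(\d+)$")           # POST: applies the change


def may_edit(req: Request, target_id: str) -> bool:
    """Authorization rule (assumed): a user may edit only their own profile."""
    return req.user is not None and req.user == target_id


def _app(users: Dict[str, Dict[str, str]], req: Request, enforce_on_update: bool) -> Response:
    """One router, two behaviours. The only difference is whether the
    authorization rule is also applied to the handler that saves the data."""
    m = EDIT_PAGE.match(req.path)
    if m and req.method == "GET":
        if not may_edit(req, m.group(1)):
            return Response(403, "permission denied")
        return Response(200, "edit form for user %s" % m.group(1))

    m = UPDATE.match(req.path)
    if m and req.method == "POST":
        uid = m.group(1)
        if uid not in users:
            return Response(404, "no such user")
        if req.user is None:
            return Response(401, "login required")     # authenticated...
        if enforce_on_update and not may_edit(req, uid):
            return Response(403, "permission denied")  # ...and authorized
        # Vulnerable variant reaches this line for any logged-in user: the
        # developer assumed only someone who was shown the form gets here.
        users[uid]["name"] = req.form.get("name", users[uid]["name"])
        return Response(200, "updated")

    return Response(404, "not found")


def vulnerable_app(users: Dict[str, Dict[str, str]], req: Request) -> Response:
    """A8-style bug: permission checked on the edit page only."""
    return _app(users, req, enforce_on_update=False)


def hardened_app(users: Dict[str, Dict[str, str]], req: Request) -> Response:
    """Fix: the same rule is enforced on every handler that touches the resource."""
    return _app(users, req, enforce_on_update=True)


def probe(app: Callable[..., Response], attacker: str = "103", victim: str = "104") -> Dict[str, object]:
    """What the tester does with a proxy or curl: request the denied edit page,
    then send the update request directly and see whether the victim changed."""
    users = sample_users()
    before = users[victim]["name"]
    page = app(users, Request("GET", "/users/id/%s/edit" % victim, attacker))
    update = app(users, Request("POST", "/users/id/%s" % victim, attacker, {"name": "changed by %s" % attacker}))
    return {
        "edit_page": page.status,
        "update": update.status,
        "victim_name_changed": users[victim]["name"] != before,
    }


if __name__ == "__main__":
    for label, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(label, probe(app))
```

Against `vulnerable_app` the probe gets 403 on the edit page and 200 on the update, and user 104's name has changed; against `hardened_app` both requests are refused and nothing changes, while a user editing their own profile still succeeds. The check a tester wants to add to the exploratory pass is exactly this: for every page that says "permission denied", also send the request that page would have submitted.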
A “classic” software testing exercise usually looks like this (.pdf file, exercise from “The Art of Software Testing” by Myers). If you don’t fancy downloading another pdf file, here’s a rundown:
- Imagine a triangle (it’s always a triangle).
- Now test it.
- Using black box testing.
- Using white box testing.
- By drawing a pretty picture.
- Using method X.
Although this kind of approach is good for conveying fundamental testing methods, it often fails to inspire thinking outside the box or creativity – which to me are core testing skills that have to be honed as often as possible.
Open lecture on software testing, by James Bach (www.satisfice.com).
Where: IT Kolledž, auditorium 314, Tallinn
When: 6 September 2011 at 16:00
The lecture is in English.
Do not miss this!
If you want more, you have already missed this September’s RST courses by him. Contact Oliver (oliver.vilson(at)hannas.ee) for information about future courses.
Late post, the event was on 15th of June.
Had a good time, good pizza and great testers. The only thing planned was the Boundary Testing Exercise, which evolved into handling a wide range of testing problems. Good questions were asked, good bugs found. Especially the security issue of which I was unaware. Thanks for pointing it out; let’s see if future testers find it as well.
It was great for me as well, I found several areas where to improve. You see? It goes both ways, we all learn (if we want to).
There will be another event in August or September. See you there.
In the second week of June there is a Testers Event at Skype, Tallinn. What exactly is going on I do not know as of yet, but on the 15th there will be a guest appearance.
That would be myself, doing the Boundary Testing Exercise. So in case you want to have fun, do not read spoilers from my blog.
More info will be up when that arrives.
To this place. Yes. Isn’t it wonderful.