Seven Super-Simple Security Scenarios

Pablo Vergara
4 min read · Apr 13, 2024


Test security & business logic flaws like a boss!


So?! Your manager has tasked you with security testing of the site but you don’t have the foggiest clue what to do. You don’t want to disappoint your boss but you don’t want to appear incompetent either.

Fear not! As an avid learner of Security / Pen Testing, I wish to present you a list of security tests you can add to your testing arsenal that won’t require any additional skills, take long to learn, and achieve the goal of checking for potential vulnerabilities.

**DISCLAIMER**: the scenarios listed below are security tests that will not impact the overall operation of the application under test. They help evaluate the security posture of the application to a degree, but they are by no means a comprehensive suite of tests.

For a complete assessment of the application’s security posture, a full audit (vulnerability assessment, pen test) is required.

1. Reconnaissance — Look for Metafiles

OWASP Testing Guide states “Web Spiders, Robots, or Crawlers retrieve a web page and then recursively traverse hyperlinks to retrieve further web content. Their accepted behavior is specified by the Robots Exclusion Protocol of the robots.txt file in the web root directory.”

  • As a tester, the goal of the recon step of a security assessment is to obtain as much information about the target as possible.
  • You’ll want to look for robots.txt, sitemap.xml, and security.txt by appending each of them to the end of the URL, like this: https://www.my-site.com/security.txt (security.txt lets a website publish its security policy and contact details, the kind of detail that may hint at where the vulnerabilities lie).
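To make the recon step concrete, here is an added example (not code from the original post) that builds the metafile URLs for a site and parses the two text formats you get back. The robots.txt and security.txt bodies are constructed samples for an imaginary www.my-site.com; the Disallow paths are what a tester reads first, and an expired security.txt is itself a finding.

```python
"""Recon helper: build the metafile URLs to request and parse what comes back.

Added example, not part of the original post. The robots.txt and security.txt
bodies below are constructed samples, not fetched from any real site.
"""
from datetime import datetime, timezone
from urllib.parse import urljoin

# Paths worth requesting during recon. RFC 9116 places security.txt under
# /.well-known/, with the web root as a legacy fallback, so both are listed.
METAFILE_PATHS = ["robots.txt", "sitemap.xml", ".well-known/security.txt", "security.txt"]

# Constructed sample of what a site might serve at /robots.txt.
ROBOTS_TXT = """\
# Crawl rules for www.my-site.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /api/internal/
Allow: /api/public/
Sitemap: https://www.my-site.com/sitemap.xml
"""

# Constructed sample of /.well-known/security.txt with an Expires date in the past.
SECURITY_TXT = """\
# Constructed sample security.txt
Contact: mailto:security@my-site.com
Expires: 2023-01-01T00:00:00Z
Encryption: https://www.my-site.com/pgp-key.txt
Policy: https://www.my-site.com/security-policy
"""


def metafile_urls(base_url):
    """Return the absolute URLs to request for a site, e.g. https://www.my-site.com/."""
    return [urljoin(base_url, path) for path in METAFILE_PATHS]


def _fields(text):
    """Split 'Field: value' lines, dropping blank lines and '#' comments.

    Both robots.txt and security.txt use this line shape. The first ':' splits
    field from value, so URL values such as 'mailto:...' stay intact.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            field, _, value = line.partition(":")
            out.append((field.strip().lower(), value.strip()))
    return out


def parse_robots(text):
    """Return the Disallow paths and Sitemap URLs declared in a robots.txt body.

    Disallow entries are what a reviewer looks at first: they point at paths
    the site owner did not want indexed, which is often where admin or backup
    content lives.
    """
    disallowed = [v for f, v in _fields(text) if f == "disallow" and v]
    sitemaps = [v for f, v in _fields(text) if f == "sitemap"]
    return {"disallow": disallowed, "sitemaps": sitemaps}


def parse_security_txt(text, now=None):
    """Return the security.txt fields plus a list of findings.

    RFC 9116 requires Contact and Expires; a missing field or an expiry in
    the past is reported, because the published contact details can then no
    longer be trusted.
    """
    fields = {}
    for field, value in _fields(text):
        fields.setdefault(field, []).append(value)
    findings = []
    if "contact" not in fields:
        findings.append("missing Contact")
    if "expires" not in fields:
        findings.append("missing Expires")
    else:
        expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        if expires < (now or datetime.now(timezone.utc)):
            findings.append("expired")
    return {"fields": fields, "findings": findings}


if __name__ == "__main__":
    for url in metafile_urls("https://www.my-site.com/"):
        print("request:", url)
    print(parse_robots(ROBOTS_TXT))
    print(parse_security_txt(SECURITY_TXT))
```

In a real engagement you would feed the response bodies from the URLs in `metafile_urls` into the two parsers; the constructed samples only stand in for those responses.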

2. Web Contents — Inspect the page source for sensitive info

  • Use the browser Dev Tools to look through the page source for any comments or sensitive information that developers may have left behind.
  • Inspect the application’s JavaScript files, such as main.js, for any clues or vulnerabilities.
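Reading source by hand works for one page; for a whole site you want the same checks in a script. The following is an added example (not from the original post) that scans page source for the leftovers the text describes: HTML comments, hidden form fields, debug flags, credential-looking assignments and references to internal or staging hosts. The HTML sample is constructed, and the patterns are a starting set, not a complete secret-detection engine.

```python
"""Scan page source for developer leftovers. Added example with constructed input."""
import re
from collections import Counter

# Constructed page source containing the kinds of leftovers a tester looks for.
SAMPLE_HTML = """\
<html>
<head>
  <!-- TODO remove before prod: staging API at https://staging.my-site.com/api -->
  <script src="/static/main.js"></script>
  <script>
    var apiKey = "AKIAEXAMPLEKEY0000000";  // constructed value, not a real key
    var debug = true;
  </script>
</head>
<body>
  <!-- QA only: ?debug=1 enables verbose errors -->
  <form action="/login" method="post">
    <input type="hidden" name="role" value="user">
  </form>
</body>
</html>
"""

# Each pattern is applied per line, so a multi-line comment is only partly caught.
FINDINGS = {
    "html_comment": re.compile(r"<!--(.*?)-->"),
    "hidden_input": re.compile(r'<input[^>]*type="hidden"[^>]*>', re.I),
    "debug_flag": re.compile(r"\bdebug\s*=\s*(true|1)\b", re.I),
    # name = "value" where the name suggests a credential and the value is 8+ chars
    "credential_like": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
    "internal_url": re.compile(r"https?://(?:staging|dev|internal|localhost)[\w.\-:/]*", re.I),
}


def scan_source(html):
    """Return (line_number, category, matched_text) for every hit in the source."""
    findings = []
    for line_no, line in enumerate(html.splitlines(), 1):
        for name, pattern in FINDINGS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, name, match.group(0).strip()))
    return findings


def summarize(findings):
    """Count hits per category, e.g. {'html_comment': 2, ...}."""
    return dict(Counter(name for _, name, _ in findings))


if __name__ == "__main__":
    for line_no, name, text in scan_source(SAMPLE_HTML):
        print(f"line {line_no:>3}  {name:<16} {text}")
    print(summarize(scan_source(SAMPLE_HTML)))
```

Point the same scanner at main.js and any other script the page loads; hidden inputs such as `role` are also worth a follow-up test, since the server should never trust a client-supplied role value.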

3. Infrastructure Enumeration — Find the Admin Interface

  • Test that the admin portal is NOT reachable. Look for it by appending /admin to the end of your URL.
  • If the admin portal IS displayed, test that default logins such as admin/password123 or admin/admin fail.
  • Test that multiple failed logins lock the user out.

4. Identity Management — Test Registration Process

  • Test that you cannot create the same user twice.
  • The system should check that the user already exists and block the creation of a duplicate account.
  • Test that you cannot create an account with a fake / throwaway email address.
  • Test that the system prompts you for email confirmation, MFA or a CAPTCHA as part of the verification process.

5. Account Enumeration — Valid Username / Password

  • Check the response when a valid username and password are entered.
  • Check the response when a valid username and an invalid password are entered.
  • Check the response when an invalid username and password are entered.
  • Check for account lockout if too many login failures occur.
  • Check that login fails when a SQL injection payload is attempted, e.g. username admin with password 'OR 1=1'--
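Scenarios 3 and 5 are really testing the same handler, so here is what the expected behaviour looks like from the implementation side: an added example (not the post’s code) of a login routine that returns one generic message whether the username is unknown, the password is wrong or the account is locked, does the same password-hashing work on every path, locks the account after a fixed number of failures, and binds the username as a query parameter so the `'OR 1=1'--` payload is looked up as a literal string. It assumes SQLite, PBKDF2 and a constructed lockout threshold of 5; the single account (alice / correct-horse) is constructed test data.

```python
"""Login handler that resists account enumeration, brute force and SQL injection.

Added example, not the original post's code. The user table, account and
lockout threshold are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

MAX_FAILURES = 5                                   # constructed lockout threshold
GENERIC_ERROR = "Invalid username or password."    # identical for every failure path


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy salt/hash used when the username does not exist, so the unknown-user
# path costs the same PBKDF2 work as the wrong-password path (timing parity).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)


def make_db():
    """In-memory user table holding one constructed account: alice / correct-horse."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
        " failures INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0)"
    )
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, 0, 0)",
                 ("alice", salt, _hash("correct-horse", salt)))
    conn.commit()
    return conn


def login(conn, username, password):
    """Return (ok, message). Every failure returns the same message."""
    # Parameterised query: the username is bound as data, never spliced into
    # the SQL text, so a payload such as admin' OR 1=1-- matches no row.
    row = conn.execute(
        "SELECT salt, pw_hash, failures, locked FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        hmac.compare_digest(_hash(password, _DUMMY_SALT), _DUMMY_HASH)  # same work
        return (False, GENERIC_ERROR)
    salt, pw_hash, failures, locked = row
    if locked:
        # A locked account gets the generic message too; telling the caller the
        # account is locked would confirm that the username exists.
        return (False, GENERIC_ERROR)
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        conn.execute("UPDATE users SET failures = 0 WHERE username = ?", (username,))
        conn.commit()
        return (True, "Welcome")
    failures += 1
    conn.execute("UPDATE users SET failures = ?, locked = ? WHERE username = ?",
                 (failures, int(failures >= MAX_FAILURES), username))
    conn.commit()
    return (False, GENERIC_ERROR)


def is_locked(conn, username):
    row = conn.execute("SELECT locked FROM users WHERE username = ?", (username,)).fetchone()
    return bool(row and row[0])


if __name__ == "__main__":
    db = make_db()
    print(login(db, "alice", "correct-horse"))      # (True, 'Welcome')
    print(login(db, "alice", "wrong"))              # generic error
    print(login(db, "nobody", "wrong"))             # same generic error
    print(login(db, "admin", "'OR 1=1'--"))         # same generic error
```

When you run the three response checks from scenario 5 against a real site, this is the behaviour you are hoping to see: the same status code, body and roughly the same response time for the valid-user and unknown-user failures.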

6. Authentication — Test For Weak Passwords

  • Test for password strength. The system should check for the following:
    - Password has at least 1 capital letter
    - Password has at least 1 special character
    - Password has at least 1 number
    - Password has a length of 8 characters or more
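Scenarios 4 and 6 both end up in the registration handler, so here is one added example (not code from the original post) that implements the checks the two lists describe: a duplicate-account check on a normalized email, a block on throwaway mail domains, and the four password rules above. The disposable-domain list is a constructed placeholder using .example names, and the in-memory registry stands in for a real user store.

```python
"""Registration checks: duplicate accounts, throwaway emails, password policy.

Added example, not the original post's code. DISPOSABLE_DOMAINS is a constructed
placeholder; a real deployment would use a maintained blocklist.
"""
import re
import unicodedata

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example", "10minute.example"}

# The four rules from the post, each as (description, predicate).
PASSWORD_RULES = [
    ("at least one capital letter", lambda p: any(c.isupper() for c in p)),
    ("at least one special character", lambda p: any(not c.isalnum() for c in p)),
    ("at least one number", lambda p: any(c.isdigit() for c in p)),
    ("at least 8 characters", lambda p: len(p) >= 8),
]


def password_issues(password):
    """Return the descriptions of the rules the password fails ([] means it passes)."""
    return [desc for desc, ok in PASSWORD_RULES if not ok(password)]


def normalize_email(email):
    """Canonical form for duplicate detection: NFKC, trimmed and lower-cased.

    Without this, Alice@My-Site.com and alice@my-site.com register as two
    different users, which is exactly the duplicate the post says to test for.
    """
    return unicodedata.normalize("NFKC", email).strip().lower()


class Registry:
    def __init__(self):
        self._users = {}   # normalized email -> username

    def register(self, username, email, password):
        """Return (ok, message); ok is True only when all checks pass."""
        if not EMAIL_RE.match(email):
            return (False, "invalid email address")
        norm = normalize_email(email)
        domain = norm.rpartition("@")[2]
        if domain in DISPOSABLE_DOMAINS:
            return (False, "disposable email domains are not accepted")
        if norm in self._users:
            # Blocks the duplicate. Note that this message confirms the address
            # is registered; sites that want to avoid that enumeration instead
            # answer "check your email" and say so in the mail.
            return (False, "an account with this email already exists")
        issues = password_issues(password)
        if issues:
            return (False, "weak password: " + "; ".join(issues))
        self._users[norm] = username
        return (True, "verification email sent")   # the actual send is out of scope here


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("alice", "Alice@My-Site.com", "Str0ng!Pass"))
    print(reg.register("alice2", "ALICE@my-site.com", "Str0ng!Pass"))   # duplicate
    print(reg.register("bob", "bob@tempmail.example", "Str0ng!Pass"))   # throwaway
    print(reg.register("carol", "carol@my-site.com", "password"))       # weak
```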

7. Business Logic Flaws — Input Sanitization

  • Test that inputs block JavaScript injection using probes such as the following:
    - Start with <h1>test</h1>. If the site reflects it as markup, try <script>alert(1)</script>
  • Test that inputs have a maximum length to prevent buffer overflows.
  • Given a URL like https://www.my-site.com/productId=1, check that you cannot tamper with the product id to introduce a forced redirect or cross-site script injection (parameter tampering).
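The defensive counterpart of these three checks fits in a few functions. This added example (not from the original post) shows output encoding that renders the <h1> and <script> probes as visible text, a length limit on the field, strict validation of productId as a small positive integer, and an allow-list for redirect targets so a tampered parameter cannot send the browser off-site. The field limit, id range and redirect allow-list are constructed values.

```python
"""Input handling for the probes in scenario 7. Added example with constructed limits."""
import html
import re
from urllib.parse import urlsplit

MAX_COMMENT_LEN = 500                     # constructed field limit
PRODUCT_ID_RE = re.compile(r"^[0-9]{1,9}$")   # digits only; rejects '-1', '1 OR 1=1', markup
ALLOWED_REDIRECTS = {"/", "/account", "/products"}   # constructed allow-list


def render_comment(user_input):
    """Return the HTML fragment for a stored comment, or None if it is too long.

    Markup in the input is HTML-encoded on output, so <h1>test</h1> shows up as
    literal text and <script>alert(1)</script> never reaches the parser as a tag.
    """
    if len(user_input) > MAX_COMMENT_LEN:
        return None
    return "<p>" + html.escape(user_input, quote=True) + "</p>"


def parse_product_id(raw):
    """Return the product id as an int, or None when the parameter is tampered with.

    Only 1-9 ASCII digits are accepted (str.isdigit would also pass Unicode
    digits that int() rejects), and zero is not a valid id.
    """
    if not PRODUCT_ID_RE.match(raw):
        return None
    pid = int(raw)
    return pid if pid > 0 else None


def safe_redirect(target):
    """Return an allow-listed same-site path, falling back to '/'.

    Anything carrying a scheme or host (https://..., //evil.example) is
    rejected, which is what stops a forced redirect via a tampered parameter.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return "/"
    return target if parts.path in ALLOWED_REDIRECTS and not parts.query else "/"


if __name__ == "__main__":
    print(render_comment("<h1>test</h1>"))
    print(render_comment("<script>alert(1)</script>"))
    print(parse_product_id("1"), parse_product_id("1<script>"), parse_product_id("-1"))
    print(safe_redirect("/account"), safe_redirect("https://evil.example/"), safe_redirect("//evil.example"))
```

If a site reflects the <h1> probe as bold text rather than the literal string, it is missing the encoding step that `render_comment` performs, and the <script> probe is the confirmation; report it at that point.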
