Thursday, 3 November 2011

How to Test

How to Test Overview


Testing a software application requires you to think about the various ways of attempting to break it. A quality assurance engineer will typically come up with all sorts of methods to verify the functionality of a feature or component. But you need to go deeper. Think like a malicious user: consider the cases that shouldn't be allowed, input things that no one would ever really put in, and try to twist and break the application in any way you possibly can.
Take for example a web-based form that has a textbox asking the user to enter a number, say their age.
Even though the textbox is telling the user to enter an age, think: how could I break this? As the QA tester you are attempting to validate that the textbox actually works. As the security tester you are verifying that the developer has validated the input as it is being received. You are not verifying that the feature works; you are verifying that nothing bad can occur if invalid data is entered. Think of ways to break it, the way a malicious user would. Being good at this takes time and experience, but anyone can learn and become more proficient at security testing. Try entering some of the following combinations.
  • Try letters instead of numbers
  • Try special characters
  • Try double byte chars
  • Try encoded characters
  • Try to determine the boundaries: can you enter an age of 0? Can you enter an age of 1024?
  • Try entering nothing, or a null character
  • Try entering an enormous entry
  • Try entering a SQL single quote character (') if the application is fronted by a database
  • Try entering an LDAP search filter if the application is fronted by an LDAP server
As you can see, verifying the functionality of the textbox is only the start. The input must be verified and validated before the developer should even begin to use it. Just because the textbox gives the user hints about what should be entered does not mean a malicious user will obey those suggestions.
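The following is an added example, not code from the original post. It puts the probe list above into a runnable table and checks each probe against two validators for an age field: a naive check that trusts Python's int() to do the work, and a strict allowlist check. The bounds 0 to 130, the 8-character length cap, and every probe string are constructed assumptions for the demonstration; the point is how many of the listed inputs the naive check lets through.

```python
import re

# Policy for the field. These numbers are assumptions for the example;
# the real bounds are a product decision, and the test table pins them down.
AGE_MIN, AGE_MAX = 0, 130
MAX_RAW_LEN = 8          # reject oversized submissions before doing anything else


def naive_age(raw):
    """The kind of check the post warns about: 'it parsed as an int, so it must be fine'."""
    try:
        return True, int(raw)
    except (TypeError, ValueError):
        return False, "not a number"


def validate_age(raw):
    """Strict allowlist: 1-3 ASCII digits, then a range check. Returns (ok, value_or_reason)."""
    if raw is None:
        return False, "missing"
    if not isinstance(raw, str):
        return False, "wrong type"
    if len(raw) > MAX_RAW_LEN:
        return False, "too long"
    # [0-9] on purpose: with str patterns, \d also matches Unicode digits such as
    # full-width '２', which int() happily converts as well.
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        return False, "not a plain decimal integer"
    value = int(raw)
    if not AGE_MIN <= value <= AGE_MAX:
        return False, "out of range"
    return True, value


# Constructed probes, one per bullet in the post plus a few int() quirks.
PROBES = [
    ("letters", "abc"),
    ("special characters", "25!@#"),
    ("double-byte / full-width digits", "\uff12\uff15"),   # int("２５") == 25
    ("url-encoded", "%32%35"),                             # decodes to "25"
    ("boundary low", "0"),
    ("boundary high", "1024"),
    ("empty", ""),
    ("null byte", "25\x00"),
    ("enormous", "9" * 4000),                              # below CPython's 4300-digit int() limit
    ("sql quote", "25' OR '1'='1"),
    ("ldap filter", "*)(uid=*))(|(uid=*"),
    ("whitespace padded", " 25 "),                         # int() strips whitespace
    ("underscore", "2_5"),                                 # int() accepts PEP 515 separators
    ("signed", "+25"),                                     # int() accepts a sign
]


def run_probes():
    """Map probe name -> (naive accepted?, strict accepted?)."""
    return {name: (naive_age(raw)[0], validate_age(raw)[0]) for name, raw in PROBES}


def naive_accepts():
    """Names of probes that the naive check lets through."""
    return {name for name, (naive_ok, _) in run_probes().items() if naive_ok}


def strict_accepts():
    """Names of probes that the strict check lets through (only the in-range boundary)."""
    return {name for name, (_, strict_ok) in run_probes().items() if strict_ok}


if __name__ == "__main__":
    print(f"{'probe':34} naive  strict")
    for name, (naive_ok, strict_ok) in run_probes().items():
        print(f"{name:34} {str(naive_ok):6} {strict_ok}")
```

Run it and the table shows the naive validator accepting full-width digits, the out-of-range 1024, a 4000-digit number, padded whitespace, underscores and a leading sign; the strict validator accepts only "0". Whether 0 should be a valid age is exactly the kind of boundary question the post tells you to ask; whichever answer the product gives, write it into AGE_MIN and keep the probe in the table.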
Security testing takes a different mindset than QA testing. As a security tester you must think how to break and abuse this application as a black hat hacker or malicious user would. Be mean to the application, try to do something that will cause problems to the underlying code. Just thinking out of the box will considerably help you on your way to become more security oriented.
To really understand how a black hat hacker or malicious user could break and abuse your software, you need to understand some of the techniques that he/she would use. The next few sections examine some of the attack techniques that are being used to break into software. Each section will describe how the attack is performed, how you can test for it, and how to block, protect, and code against it.
Reading all of this can be a daunting task and requires a large amount of learning. To start the process, create testcases for limit and boundary conditions, test negative input, try special characters. This alone is much more than the typical feature testing that occurs within the normal software development lifecycle.
If a lot of this is over your head, don't worry; everyone started out as a beginner. Being here at this site means you are striving to learn. Read, learn, and digest as much information from this site and others as you can to become more proficient at security testing.
