When providing security training, we have often been asked for a cheat sheet for the security test cases that should be performed. The main problem with such a list is that testers then generally tend to use only the security test cases on the list to determine whether a feature is secure. This is a huge mistake because no list can include all the test cases needed to guarantee your application is secure. On the other hand, having a cheat sheet is a great starting point to help you generate ideas when security testing. At a minimum, use the following test cases for the different security vulnerabilities that are covered throughout this book. You can then refer back to the chapter in which the test cases are discussed for more in-depth information.
Network requests and responses are an entry point into the application. Bugs in other categories should be tested in the request and response. In addition, the following test cases attempt to send data the client or server might not expect. Refer to Chapters 4 and 5.
Sample Test Cases

Test Case | Description
---|---
Send requests/responses out of order | The client/server might not maintain proper state, might allow certain validation to be bypassed, or might crash the client/server.
Modify a packet's contents to slightly different values. Example: Change the price value from 100 to 1 | Abuse the logic of the client/server with valid datatypes.
Remove fields from the network request/response | Crash the parser or bypass any checks performed on the field.
Modify the query string values, POST data, and cookie values | Obtain or modify data not normally accessible.
Send invalid, illegal, or malformed data for the values of the fields in the request/response | Crash the parser.
Save HTML forms to another site and submit the form as a different user from the one who requested it | Cross-site request forgery (CSRF) attack.
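The table above, as an added example (not from the book): a small Python harness that mutates a baseline order request the way the cheat-sheet cases describe and checks that a server-side handler rejects each mutation. The handler, catalog, session store, and request fields are constructed stand-ins, not a real application.

```python
# Added example (not from the book): apply the cheat-sheet mutations to a
# baseline order request and check how a constructed server-side handler
# responds. Catalog, sessions and field names are all assumptions.
from __future__ import annotations
import hmac
import json

CATALOG = {"sku-42": 100}  # constructed: server-side price list
SESSIONS = {"sess-abc": {"user": "alice", "csrf": "tok-123"}}  # constructed

def handle_order(raw_body: bytes, cookies: dict) -> tuple[int, str]:
    """Server side: price comes from the catalog, CSRF token from the session."""
    try:
        req = json.loads(raw_body)
    except ValueError:                      # malformed body must not crash us
        return 400, "malformed body"
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:                        # tampered or missing cookie
        return 401, "no session"
    token = req.get("csrf")
    if not isinstance(token, str) or not hmac.compare_digest(token, sess["csrf"]):
        return 403, "bad csrf token"        # form replayed from another site
    sku, qty = req.get("sku"), req.get("qty")
    if sku not in CATALOG or not isinstance(qty, int) or not 1 <= qty <= 99:
        return 400, "bad fields"            # removed field or wrong datatype
    # Any client-supplied "price" is ignored; the total is computed server-side.
    return 200, f"{sess['user']} pays {CATALOG[sku] * qty}"

BASELINE = {"sku": "sku-42", "qty": 2, "price": 100, "csrf": "tok-123"}
COOKIES = {"session": "sess-abc"}

def mutations() -> dict[str, tuple[bytes, dict]]:
    """Cheat-sheet cases applied to the baseline request."""
    def body(changes: dict, drop: tuple = ()) -> bytes:
        r = {k: v for k, v in BASELINE.items() if k not in drop}
        r.update(changes)
        return json.dumps(r).encode()
    return {
        "price changed 100->1": (body({"price": 1}), COOKIES),
        "sku field removed":    (body({}, drop=("sku",)), COOKIES),
        "qty wrong type":       (body({"qty": "2; DROP TABLE"}), COOKIES),
        "cookie tampered":      (body({}), {"session": "sess-xyz"}),
        "malformed json":       (b'{"sku": "sku-42", "qty": ', COOKIES),
        "csrf token missing":   (body({}, drop=("csrf",)), COOKIES),
    }

def run_cases() -> dict[str, tuple[int, str]]:
    """Status and message per case; only the price case should still succeed."""
    return {name: handle_order(b, c) for name, (b, c) in mutations().items()}
```

The price case is the instructive one: the request is accepted, but the total must still be computed from the server's catalog, which is what a tester checks after changing 100 to 1.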