A few testing questions and answers

A notable Indian tester, Santhosh Tuppad, has recently asked 18 testing questions to testers around the world. He also announced prizes (testing books) for the winners (applicable to testers from India). Although the contest is supposed to end by the time this post is published, I don’t see answering a few of them as unworthy.

1. What if you click on something (a hyperlink) and to process or navigate to that webpage you need to be signed in? Currently, you are not signed in. Should you be taken to the Sign up form or the Sign in form? What is the better solution that you can provide?

Sign in page

When I click on a hyperlink (pointing to a web page), either from another web page or from anywhere else, I expect my default browser to open and take me to the page directly (a few automatic redirections are acceptable, but too many are a pain). If authentication is required to view the page, the application can redirect me (as I am not signed in currently) to its login page with a noticeable message. The message should clearly state that I am here because I am not logged in and this page requires me to be logged in. After providing my credentials and clicking the Login button, the application should take me to the target page directly (without any more clicks). Well, I might not have an account to log in to the site. So, I would expect a sign up link on the login page so that I can continue.

What if an application has no separate sign in page and the sign in form is instead embedded in another page, e.g. the home page? The application can redirect me to the home page in that case. But again I would expect a clear message right next to the login block, saying why I am here and what I need to do.

Sign up page

If someone is really new to the site, it might be helpful to take them directly to the sign up page (with a proper message). But how will the application detect whether the person is really a first-time visitor? If it could, that would be awesome.

Neither sign in nor sign up

I know the link I clicked on is a secure (login required) page. I also know I am logged in as a domain user in my office and the site can authenticate me through Active Directory services. In such a situation, I would expect to land on the requested page directly, without login or signup.
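The redirect flow described in this answer (send the unauthenticated user to the login page with a message, then return them to the page they asked for), as an added example that is not part of the original post. It is framework-independent Python; the parameter name `next`, the paths and the message text are assumptions, and the `safe_next` check is the part a practitioner must not skip: the return target arrives in a link anyone can craft, so an unvalidated one turns the login page into an open redirect.

```python
# Added example (not from the original post): login-required redirect with a
# validated return target. Parameter names, paths and messages are assumptions.
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN_PATH = "/login"
HOME_PATH = "/"
LOGIN_REQUIRED_MSG = "You need to be signed in to view that page."


def login_redirect_for(requested_path: str) -> str:
    """Where to send an unauthenticated user who asked for requested_path.

    The target is carried in ?next= so that, after a successful login,
    the user lands on it directly instead of on the home page.
    """
    query = urlencode({"next": requested_path, "msg": "login_required"})
    return f"{LOGIN_PATH}?{query}"


def safe_next(next_value):
    """Accept only a local, relative path as the post-login destination.

    A raw ?next= value is attacker-controlled, so anything that could leave
    the site is rejected: absolute URLs, scheme-relative //host URLs, and
    backslashes (some browsers treat "\\" like "/").
    """
    if not next_value or not next_value.startswith("/"):
        return None
    if next_value.startswith("//") or "\\" in next_value:
        return None
    parts = urlsplit(next_value)
    if parts.scheme or parts.netloc:
        return None
    return next_value


def post_login_destination(login_url: str) -> str:
    """After the credentials are accepted, pick the page to show next."""
    params = parse_qs(urlsplit(login_url).query)
    candidate = params.get("next", [None])[0]
    return safe_next(candidate) or HOME_PATH


def login_page_message(login_url: str):
    """The notice the login page shows when the user was redirected here."""
    params = parse_qs(urlsplit(login_url).query)
    if params.get("msg", [None])[0] == "login_required":
        return LOGIN_REQUIRED_MSG
    return None
```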

 

2. Is using the “Close” naming convention to go back to the homepage good, or should it be named “Cancel”, or is it not really required because there is a “Home” link which is accessible? What are your thoughts?

A Close button/link is generally used to close a window/tab. A Cancel button/link is generally used to cancel an in-progress operation or to close a modal window. If you think your user might need to go back to the home page at any time, why would you confuse your user with a ‘Close’ or ‘Cancel’ button/link? Why not simply ‘Home’ or ‘Back to Home’?

 

3. Should Logout be placed on the top right hand side? What if it is on the top left hand side or in the left hand sidebar, which is a menu widget like “My Profile”, “Change Password” etc. — Is it a problem, or what is your thought process?

It is okay to place it at the top-right or top-left or in any other commonly used place (e.g. at the bottom of the left menu). It doesn’t cause much of a problem once the user knows where it is. But if you hide it inside something else (e.g. under an irrelevant menu, under a collapsible panel, only on a specific page) or move it around, that might cause problems for some users.

 

4. The current design of forgot password asks for a username and security answer and then sends a link to the e-mail inbox to set a new password. How does the “security answer” increase the cost of operations? Also, what questions do you frame for security questions?

What if I forgot my username too?

Really, I do forget my username sometimes. I think many others like me forget their usernames too. Probably I would never forget it if I could use my first name everywhere. Some applications consider my email address as the username while others give me the option to set my own username. Those that allow choosing a username don’t allow duplicates. Hence, I can’t stick to a single username.

What if I can’t remember my security answer?

Those who choose different sets of questions and answers across various applications might forget the answer. Typically, if someone forgets the security answer, she has to contact customer care, and thus it increases the cost of operations.

What questions do you frame for security questions?

I don’t care what questions they provide; I just choose one randomly. Whatever question I choose, the answer remains the same. I consider it another password. This way, I try to protect myself from social engineering attacks. But I see two problems:

  1. The security answer box is often unmasked. Anyone behind me can see my answer.
  2. The browser remembers what I typed in the answer box.

 

5. If you had to design the “Forgot Password” workflow, how would you do it and why? You are free to give many different functional designs.

https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Another sad story with Banglalion WiMAX

Recently, I changed my internet provider from Citycell Zoom to Banglalion. A few days ago a girl from Citycell asked me “Why are you not using Zoom internet anymore?” I answered “Why should I?” While I was using Zoom internet, I suddenly noticed that I could see the user profile and usage history of other users from their Online Self Care site in a tricky way, which means other users could see my history if they knew the trick. It was nothing harmful for users, but obviously they are not taking care of my personal information.

I then left Zoom and planned to buy a Banglalion WiMAX connection. It took more than 24 hours to activate my account, though usually they take 3-4 hours, as I heard. I had to spend at least 4-5 hours in the sales centre. They were giving me a wrong password again and again. I had to contact their customer care to get the correct password, but unfortunately the representative was also giving me the same wrong password. After calling their customer care several times and talking with a senior person several times, I was finally able to activate my connection after spending more than a day on it.

Even after all this harassment I was happy enough to use this new connection because it was fast but cheap. One day, while I was refilling my account online, I noticed that I could pay my bill without buying any prepaid card or entering a serial number and PIN. I was shocked again. There were some hidden menus which were still functional. Developers often think their users won’t see what they don’t see. So, when the manager asks to get rid of a feature, they simply hide it. Hiding is not the same as removing. If you really need to hide something, better to remove it entirely.

Before playing with the self care site, I tried some basic SQL injection on their admin site. The question is, how did I get the admin site URL? It’s not public and there is no link to it on their public site. I got it from the sales centre. As I said, I had to spend long hours in one of their authorised dealers’ shops. I remembered the URL while they were struggling to activate my account. Still there are some developers who consider their users dumb. They think their admin site is protected, as no one will find it to attack. I have seen some site owners as well who want their admin URL to be hard to remember for the same reason. They think it increases security. Does it really? Where do we keep our money, in a locker or in a cave? However, here is how the admin site was vulnerable to a simple SQL injection attack:

Readers, don’t try the above tricks at home. I reported these issues to Banglalion before disclosing them publicly. They have confirmed to me that the problems have been fixed.

Smartphones are increasing security risk

Do you think?

  • Your cell phone calls are very secure and private.
  • Messaging is more private than voice calls.
  • No one knows where you are.
  • No one around you is seeing your private photos and videos.

If you are using a smartphone with internet access, you are probably wrong. A spy application can do all of the above unwanted things silently. Such an app does not necessarily need to be installed deliberately on your phone. It can get into your phone in various ways, just like spyware gets into your computer.

Smartphones reasonably increase the risk of being hacked. They have opened another door for hackers to steal our data, in addition to the computer. Today our personal data is not only computer-centric; we carry our data on our phones wherever we go. We access our mail accounts, bank accounts, official sites, business apps, messengers, Facebook, Twitter, and other apps directly from our phones. While accessing those apps, many of us deliberately allow mobile devices to remember our credentials to avoid re-entering username and password every time we log in. “Remember me” on a mobile phone is as risky as on a computer. If someone gets your phone for a few moments she can check your personal mails secretly, even while standing in front of you.

For many years, physical access was the only way to steal data from simple phones, as they were not connected to the internet. When vendors started making internet-enabled phones, they made us more likely victims of internet-based attacks. Now we live in the world of the smartphone, and the internet is the heart of it. It’s unthinkable to have a smartphone but not use the internet. Along with internet access, today’s smartphones have a platform to host third-party applications, just like a computer. Those apps can access private data stored on your phone and communicate with a server to store it. Now anyone can access your data through an app, even if she lives in another country.

Hackers are thinking about our phones. They are researching mobile attacks. Mobile could be the primary focus for attacking us someday. For instance, nowadays many applications give the option to reset a password via a mobile phone. Here is how the password recovery/reset process works:

  • The user enters a phone number on the password recovery page.
  • The system finds the associated user account and sends a code through SMS to the corresponding phone.
  • Either that code is the new password or it is used to reset the password.

The process is similar to resetting a password via email. Instead of sending an email, an SMS is sent. Although the process is very similar, I think a mobile phone is less secure for this purpose. Anyone around you who has access to your personal phone can compromise your account within a minute, silently. You might think that if someone has access to my email account he can do the same. Yes, that’s true, but there is another thing that makes the mobile phone less secure.

The entire attack can be simplified by an app that has access to your SMS. The app can silently put your phone number into the password recovery page, read the code from your inbox and reset your account. It’s just one way your phone can be used as a weapon against you.
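As an added example (not from the original post, nor any provider's code), the code-issuing and code-checking part of a reset flow that serves both question 5 above and the SMS process just described: the code is stored only as a hash, expires, is single-use and tolerates only a few wrong guesses, which limits what a glimpsed or intercepted code is worth once it has been used or has aged out. Delivery (e-mail link or SMS) and per-account rate limiting are left out; the class name, lengths and limits are assumptions.

```python
# Added example (not from the original post): a reset-code store for the
# e-mail-link and SMS variants of "forgot password". Limits are assumptions.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a code stops working after ten minutes
MAX_ATTEMPTS = 5             # five wrong guesses burn the code


def _digest(code: str) -> str:
    # Store only a hash: a database read alone must not reveal live codes.
    return hashlib.sha256(code.encode()).hexdigest()


class ResetCodeStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # account_id -> {"hash", "expires", "attempts"}

    def issue(self, account_id: str, digits_only: bool = False) -> str:
        """Create a single-use code for account_id and return it for delivery.

        digits_only=True gives a short numeric SMS code; the default is a
        long URL-safe token for an e-mail link. Issuing a new code replaces
        any older one, so only the most recently delivered code is valid.
        """
        if digits_only:
            code = "".join(secrets.choice("0123456789") for _ in range(8))
        else:
            code = secrets.token_urlsafe(32)
        self._pending[account_id] = {
            "hash": _digest(code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def redeem(self, account_id: str, presented: str) -> bool:
        """True exactly once, for the right code, before it expires."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]   # expired or brute-forced: discard
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["hash"], _digest(presented)):
            return False
        del self._pending[account_id]       # single use: consumed on success
        return True
```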