A few testing questions and answers

A notable Indian tester, Santhosh Tuppad, has recently asked 18 testing questions to testers around the world. He has also announced prizes (testing books) for the winners (applicable to testers from India). Although the contest is supposed to end by the time this post is published, I don’t see answering a few of them as unworthy.

1. What if you click on something (a hyperlink) and, to process or navigate to that web page, you need to be signed in? Currently you are not signed in. Should you be taken to the Sign up form or the Sign in form? What is the better solution that you can provide?

Sign in page

When I click on a hyperlink (pointing to a web page), either from another web page or from anywhere else, I expect my default browser to open and take me to the page directly (a few automatic redirections are acceptable, but too many are a pain). If authentication is required to view the page, the application can redirect me (as I am not signed in currently) to its login page with a noticeable message. The message should clearly state that I am here because the page requires login and I am not logged in. After providing my credentials and clicking the Login button, the application should take me to the target page directly (without any more clicks). I might not have an account to log in to the site, so I would expect a sign up link on the login page so that I can continue.

What if an application has no dedicated sign in page, but the sign in form is embedded in another page, e.g. the home page? The application can redirect me to the home page in that case. But again, I would expect a clear message right beside the login block, saying why I am here and what I need to do.

Sign up page

If someone is really new to the site, it might be helpful to take him to the sign up page directly (with a proper message). But how will the application detect whether the person is really a first-time visitor? If it could, that would be awesome.

Neither sign in nor sign up

I know the link I clicked points to a secure (login required) page. I also know I am logged in as a domain user in my office and the site can authenticate me through Active Directory services. In such a situation, I would expect to land on the requested page directly, without login or signup.
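The redirect-to-login-and-back flow described above, as an added example that is not code from the post: the visitor is sent to the login page with a reason message and a `next` parameter, and after login is returned to the page they asked for. The paths and parameter names are assumptions; the return target is validated so the login page cannot be turned into an open redirect.

```python
"""Login redirect flow for question 1 (added example, not from the post).
An unauthenticated visitor goes to the login page with a reason message
and a 'next' parameter, then comes back to the page they wanted.
The paths and parameter names below are assumptions."""
from urllib.parse import urlencode, urlsplit

LOGIN_PATH = "/login"           # assumed location of the sign-in form
DEFAULT_AFTER_LOGIN = "/"       # fallback landing page
LOGIN_REASON = "Sign in is required to view the page you requested."


def safe_return_path(candidate: str) -> str:
    """Accept only a same-site relative path as the post-login target.

    A 'next' value with a scheme or host (https://evil.example) or a
    protocol-relative prefix (//evil.example) would turn the login page
    into an open redirect, so such values fall back to the default.
    """
    if not candidate or not candidate.startswith("/"):
        return DEFAULT_AFTER_LOGIN
    if candidate.startswith("//") or "\\" in candidate:
        # '//host' is protocol-relative; some browsers treat '\' as '/'.
        return DEFAULT_AFTER_LOGIN
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_AFTER_LOGIN
    return candidate


def login_url_for(requested_path: str) -> str:
    """URL to send an unauthenticated visitor to: the login page, carrying
    the message that explains why they are there and where to go after."""
    query = urlencode({"next": safe_return_path(requested_path),
                       "msg": LOGIN_REASON})
    return f"{LOGIN_PATH}?{query}"


def after_login_redirect(login_query: dict) -> str:
    """Destination once credentials are accepted: the validated target
    page itself, so no further clicks are needed."""
    return safe_return_path(login_query.get("next", ""))
```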

2. Is using the “Close” naming convention to go back to the homepage good, or should it be named “Cancel”, or is it not really required because there is a “Home” link which is accessible? What are your thoughts?

A Close button/link is generally used to close a window/tab. A Cancel button/link is generally used to cancel an in-progress operation or close a modal window. If you think your user might need to go back to the home page at any time, why would you confuse the user with a ‘Close’ or ‘Cancel’ button/link? Why not simply ‘Home’ or ‘Back to Home’?

3. Should Logout be placed on the top right-hand side? What if it is on the top left-hand side, or in the left-hand sidebar in a menu widget alongside “My Profile”, “Change Password”, etc.? Is it a problem, or what is your thought process?

It is okay to place it at the top right, top left, or any other commonly used place (e.g. at the bottom of the left menu). It doesn’t cause much of a problem once the user knows where it is. But if you hide it inside something else (e.g. under an irrelevant menu, under a collapsible panel, or only on a specific page) or move it around, that may cause problems for some users.

4. The current design of forgot password asks for a username and security answer and then sends a link to the e-mail inbox to set a new password. How does the “security answer” increase the cost of operations? Also, what questions would you frame as security questions?

What if I forgot my username too?

Really, I do forget my username sometimes. I think many others forget their usernames too. I would probably never forget it if I could use my first name everywhere. Some applications use my email address as the username, while others give me the option to set my own. Those that allow choosing a username don’t allow duplicates, so I can’t stick to a single username.

What if I can’t remember my security answer?

Those who choose different sets of questions and answers across applications might forget the answer. Typically, if someone forgets her security answer, she has to contact customer care, and that increases the cost of operations.

What questions do you frame for security questions?

I don’t care what questions they provide; I just choose one randomly. Whatever question I choose, the answer remains the same. I treat it as another password. This way, I try to protect myself from social engineering attacks. But I see two problems:

  1. The security answer box is often unmasked, so anyone behind me can see my answer.
  2. The browser remembers what I typed in the answer box.
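If the answer is to be treated as another password, the server side should treat it that way too. The following is an added example, not code from the post: the answer is normalized, hashed with a per-user salt, and verified in constant time. The PBKDF2 round count is a placeholder to tune, and the sample answers are constructed.

```python
"""Storing a security answer as a second password (added example, not
from the post): salted hash of a normalized answer, constant-time check.
PBKDF2_ROUNDS is a placeholder to tune; sample answers are constructed."""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumption: raise to your server's budget


def normalize_answer(answer: str) -> str:
    """Make 'Dhaka ' and 'dhaka' match: Unicode-normalize, trim, casefold
    and collapse internal whitespace. A free-text answer is remembered
    less exactly than a password, so a little tolerance avoids locking
    out the legitimate user without weakening the hash itself."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage. A fresh random salt per user
    means two people with the same answer store different values, and a
    leaked table cannot be cracked with one precomputed dictionary."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256",
                                 normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(stored_salt: bytes, stored_digest: bytes, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so
    response timing does not reveal how many bytes matched."""
    _, digest = hash_answer(attempt, stored_salt)
    return hmac.compare_digest(stored_digest, digest)
```

On the form side the same treatment applies to the two problems listed above: render the answer field as a password input with autocomplete disabled.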

5. If you had to design the “Forgot Password” workflow, how would you do it and why? You are free to give many different functional designs.

See the OWASP Forgot Password Cheat Sheet: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Twitter – Sorry! You’ve hit your hourly usage limit. Try again soon

While playing with Twitter search for a few minutes, suddenly a message popped up saying “Sorry! You’ve hit your hourly usage limit. Try again soon”. I was sure it was because of my excessive search requests over the last few minutes. I also noticed that my searches were failing at that moment. So I waited just a couple of minutes and tried again. Mysteriously, the search was working fine after only a 2-minute wait. So my belief was that Twitter doesn’t block for an hour; it may be less than that. I was curious to see what the maximum number of search requests is before reaching the limit. So I started to search again. This time I was searching with all good words, and I noticed that even after 50+ requests it wasn’t blocking me. Then I started to use bad words like in my first attempt (mixing in special characters, XSS attack strings, missing words, etc.), and interestingly, just after a few tries, the message came up again. But this time the search was not blocked. The search results were coming nicely, but the message was appearing with every request. I tried changing browser, re-logging in, changing IP, etc. But the result was the same. Funny bug from Twitter!

Video: Sorry! You’ve hit your hourly usage limit. Try again soon. – A fake message from Twitter.

Basic Security Testing – Many sites including bracbank.com, softexpo.com, abcreal.com.bd are in danger.

When a hacker is determined to break into a website, the first thing he does is gather as much information about the target site as possible. Usually the information gathering phase is done in three steps.

Step 1:
Navigate through the whole site to understand the file and folder structure, to know the programming language used to build the site, to know the type of web server running the site, to get an idea about the volume of the site, to find the publicly accessible pages, to guess which areas are protected, to see whether any framework/CMS is used to build the site, to find the name of the software company that built the site, and many more.

During navigation, viewing the HTML source code to look for comments, sensitive information, hidden variables, form tags, JavaScript, image sources, etc. is an effective approach to understanding the target application. Developers often comment out their code instead of deleting it, as they think they may need it in the future or elsewhere. Sometimes they write file names, DB names, DB credentials, login credentials, etc. in the code and forget to remove them before release.

While browsing the site, if any forms are found, hit the submit button with valid/invalid data to see the error message returned by the application. Sometimes developers provide very helpful information to users, like “The password is incorrect”. That helpful information becomes dangerous when the user is a bad guy, because it tells him that his username is correct but the password is not. Now he can try a dictionary attack on the password field only. Submitting invalid/malicious input may result in server errors; hackers read them very attentively, because they give an idea about the internal architecture of the application, database-related information, etc. Monitoring what requests are made and what responses come from the server is also a good way to get a detailed idea of the target. When monitoring requests and responses, hackers also try to learn about and experiment with GET and POST variables, which helps them identify weaknesses of the target.

Step 2:
When the file and folder structure is revealed, it’s time to guess the names and structure of other files and folders that are not publicly accessible. In this step, hackers try to find the pattern of file and folder names. Usually every software development company follows a strict naming convention, which varies from company to company or application to application, but maintaining the same naming convention throughout an individual application is very common practice. Hackers take that chance: they look for files like adduser.php, edituser.php and deleteuser.php when they see viewuser.php is used. If they find view_user.php, they try add_user.php, edit_user.php, etc. It works whether the product is developed by an individual or by a standard software development company. Attackers not only try file names; they also try some basic folder names like www.example.com/admin, /administrator, /adminpanel, /workarea, /cp, /cpanel, /controlpanel, /secure, /securesite, /scripts, /css, /images, /classes, /private, /db, /content, /pages and many more. They also try subdomains in a similar fashion.

Step 3:
Software companies quite often reuse their own components across sites where applicable. To reduce development hours/cost, they sometimes use free/open source solutions. Sometimes they buy components from other companies and use them regularly in their applications. When such third-party tools/partial code/snippets/components/controls are used, the developers rely on them and trust them. They think they are tested, functional and secure. This helps hackers find a common hole once they learn that a particular vulnerable component is used in their target site. So they try to find out what third-party things are used during the information gathering phase.
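The two login responses discussed under step 1, side by side, as an added example that is not code from the post or from any site it names: the “helpful” version confirms which half of the credential was right, while the hardened version answers the same way, and does the same amount of work, whether or not the username exists. The user table, password and round count are constructed assumptions.

```python
"""Verbose vs. hardened login failure messages (added example, not from
the post or from any site it names). USERS, the password and ROUNDS are
constructed placeholders."""
import hashlib
import hmac
import os

ROUNDS = 50_000  # assumption: raise for production use


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


# Constructed sample user table: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Used when the username is unknown, so the request still costs one hash
# computation and response time does not reveal which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_verbose(username: str, password: str) -> str:
    """The leaky version: distinct messages confirm a valid username, so a
    dictionary attack can then be aimed at the password alone."""
    if username not in USERS:
        return "No account with that username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return "The password is incorrect."
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Same message, same amount of work, whether or not the username
    exists; the specific reason belongs in the server log, not the reply."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(stored, _hash(password, salt))
    # The dummy hash must never authenticate, even if its input is guessed.
    return "OK" if ok and username in USERS else GENERIC_FAILURE
```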

Today I will show how the above things helped me find a basic security hole in a few sites built by eVista Technologies. Basically, many sites built by eVista Technologies, including the Brac Bank, Soft Expo and ABC Real Estate sites, are in danger. I communicated with them about the vulnerabilities; they thanked me and promised to fix them as soon as possible. A month after reporting the issues, when I asked to be told the status of the fix, they did not reply, and I waited another fifteen days. In all of my communications I mentioned that I was going to do a blog post on this matter. But they did not listen. I also informed the corresponding companies but did not hear back.

Note: eVista has informed me that the security leak is fixed.