Performing security testing is very important in the world of software development and it is often left to be done by security professionals. But, even if you do not consider yourself a security professional, you can still do some things that will contribute to checking and improving the overall security of the product.
By understanding some key principles about security testing and checking certain things in your product, you can discover security issues and protect the app from potential vulnerabilities. You can verify that the app you are testing is resistant to vulnerabilities that could lead to unauthorized access, data breaches, or system failures.
Make Simple Authentication Tests
One of the first things you can do is test the authentication process.
During this testing, you can check how the system reacts if you try to set a very simple password for the user, like “123”. The app needs to have some rules for setting the password, like a minimum of 8 letters, at least one number, at least one special character, the new password should not be the same as the previous passwords, etc.
The second thing that you can check when making this tests is “account locking”. Try to log in with an invalid password multiple times and see how the app will react. The system should lock the account in some way. There are different ways to do this, for example, the app can prevent the user from trying to log in for a certain amount of time, it may lock your account and you will need to contact the administrator to unlock it, etc. There are different approaches to this, but the main goal is to prevent brute-force attacks.
The third thing that you can test is the session expiration. Log in with one user and stay inactive for a certain amount of time. The app should automatically log the user out of the app after a certain time. The goal of this is to prevent hijacking. If you see that the user is logged out, log in with the same user, but you can also log in with another user, to see if the app behaves correctly.
Testing for SQL Injection
SQL injection works in a way that when you enter something in the application input fields, an application accepts that and directly includes it in a SQL query without making any validation or sanitization. The attackers can exploit the data by injecting SQL code in the fields.
Let’s say we have the following query:
SELECT * FROM users WHERE username = 'user' AND password = 'password';The attacker can enter ‘ OR ‘1’=’1 in the username login field. That will change the query from the above into a query like this:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'password';This will always be true because 1 = 1 is always true. The attacker might gain unauthorized access to the system without knowing the correct username and password to access the system.
What you can do as a QA is to insert special characters or SQL keywords into input fields like login forms, search boxes, or URL parameters, and see how the application reacts.
Some things that you can enter are:
' OR '1'='1
'; DROP TABLE users --
' OR 'x'='x
' AND 1=2 UNION SELECT NULL --If you get a SQL error or the application behaves unexpectedly (e.g., logging in without valid credentials), it’s a sign of vulnerability.
Check for Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages. These scripts can manipulate the page, steal sensitive data, or perform actions on behalf of the user without their consent.
We can test if our app is vulnerable to XSS by injecting simple scripts into input fields such as login forms, comment sections, search boxes, or any place that takes user input and displays it back on the page.
Some scripts that you can enter are:
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<iframe src=javascript:alert('XSS')>You can also modify the URL and insert the script there:
http://example.com/search?query=<script>alert('XSS')</script>If you see that these scripts are executed within the page, it indicates that is app is vulnerable to XSS.
Check for Unsecure HTTP Traffic
HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are protocols used for transmitting data over the Internet, but they are different in terms of security and encryption.
Differences Between HTTP and HTTPS
| Feature | HTTP | HTTPS |
|---|---|---|
| Security | No encryption; data is sent in plain text. | Encrypted using SSL/TLS for secure communication. |
| SSL/TLS | Not used | Uses SSL/TLS for encryption and server authentication. |
| URL Prefix | http:// | https:// |
| Speed | Faster, as there’s no encryption overhead. | Slightly slower due to encryption overhead. |
Make sure that your app is using HTTPS. The data that is sent by HTTP is unencrypted and can be intercepted by attackers.
Open the browser’s developer tools and check that every request is sent over HTTPS.
Test The File Uploads
A lot of apps allow users to upload files, but if this is not handled correctly, the uploaded apps can harm the system.
The first thing that you can check is that there is a limitation for what kind of file type and file size you can upload. If you can upload any kind of file with any size, that could be a potential problem for the security of the app.
Look for Sensitive Information Exposure
As QAs, we can check error logs, console, URL parameters, error messages, and API calls for potential exposure of sensitive information.
If sensitive data such as API keys, passwords, or credit card information is exposed, that is a very serious security issue.
Check Permissions and Role-Based Access
Login with different user roles and make sure that every user is seeing the features that are allowed. For example, login with the admin user role and verify that every admin feature is accessible. After that log in with a regular user and verify that the user is not able to access some features that should be only accessible to the admin user.
Use the authentication token of a regular user and try to access admin functionalities by trying to access certain URLs or API endpoints directly.
Modify the URL and try to access some admin-specific endpoints while logged in as a regular user.
Use User-Friendly Automated Tools
Even though you are not a security professional, there are still some user-friendly automated tools that can help you discover app vulnerabilities. These tools can scan your web application and give you a detailed report on security issues that you have on the app.
Some tools that you can try are:
OWASP ZAP (Zed Attack Proxy): Open-source tool that is great for scanning for various security vulnerabilities like XSS, SQL Injection, and more.
Burp Suite (Community Edition): A powerful tool for scanning and testing web security vulnerabilities.
As you can see, even though you are not a security expert, by doing the test cases that we mentioned, you can contribute to improving the app security, and find some security vulnerabilities.
