Sunday, November 22, 2009

Test Ideas for login screen & Login Session

Consider the following image, which shows the login screen of the WordPress product:


I have seen many people struggling to find problems with the "Log in" screen. Maybe the test cases say to them, "You are not allowed to think, just follow the script and you will be fine". But my question to such people is, "Have you really done your job?" What kind of loopholes can a login screen have if you have not even touched that part of the login screen? What kind of potential problems might it have? The most common answers I have seen on some forums for testing a login screen are, "Test for SQL injection, test for boundary value analysis, and a few more obvious tests". But have you thought beyond these obvious tests? You can see an image of the WordPress login screen above. Now I am going to list the test ideas that I came up with for testing the WordPress login screen. Err, it doesn't mean you can't apply these ideas to other login screens. Some ideas might work for any login screen.

So here I go with my test ideas,

1. Check what maximum size is set for each input field.
2. Check what kinds of characters it allows.
3. Check whether the login query is vulnerable to SQL injection.
4. Check whether there is any way to learn the credentials from the page source or client-side code.
5. Check whether the submitted values show up in the URL, encoded or in clear text (credentials in a query string end up in browser history and server logs, so the form should submit them in a POST body).
6. Check what happens when you give different combinations of inputs. Example combinations can be:
   a. Wrong username, wrong password
   b. Wrong username, correct password
   c. Correct username, wrong password
   d. Correct username, correct password
   e. Special characters in both fields
   f. Username with special characters, password with alphanumeric characters
   g. Many more combinations that your mind can think of
   For a to c, also compare the error messages and response times: if they differ, an attacker can tell valid usernames from invalid ones.
7. Check whether you can break the application by entering more characters than the maximum size. The "maxlength" attribute is enforced only by the browser, so submit the oversized input from a browser that ignores it, or through an intercepting proxy, and see whether the server rejects it.
8. Check whether validation is done on the server side as well as on the client side.
9. Check whether any cookie is stored during login, what it contains, and whether it carries the Secure and HttpOnly flags.
10. Check whether the session times out after the user has been idle for a certain period.
11. Check whether HTML or JavaScript code can be inserted through the text fields (and whether it comes back in the error page).
12. Check whether the username can be copy-pasted. Why check copy-paste for the username? (Checking it for the password is fine, but why the username?) Most people use usernames that are hard to remember (a username can be as complex as a password), so many copy it and paste it into the username field to save time.
13. Check that the password field shows asterisks or similar, never the password itself.
14. Check that the "Remember Me" feature works properly; check it in the widely used browsers.
15. Check how and where the password is stored, and whether any other user has access to that place and could steal the password in the real owner's absence.
16. Check whether a minimum number of characters has to be entered to process the login, and if "YES", how many.
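To make ideas 3, 6, 7, 8 and 15 concrete, here is an added example in Python, written for this page and not code from WordPress or from the original post: a deliberately weak login handler beside a hardened one, both over an in-memory SQLite table, driven by the input combinations from idea 6 plus an injection string, an oversized username and an HTML payload. The table layout, the account "alice" / "correct horse", the 60-character limit and the error strings are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumptions for this example (not WordPress's real schema or limits):
MAX_LEN = 60                                   # server-side limit the form's maxlength should mirror
GENERIC_ERROR = "Invalid username or password."

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Dummy credential so an unknown user costs the same work as a known one.
DUMMY_SALT, DUMMY_DIGEST = hash_password("not a real password")

def make_db():
    """Constructed in-memory fixture with one account ('alice' / 'correct horse')."""
    conn = sqlite3.connect(":memory:")
    # 'Before' table: plaintext passwords (test idea 15 should flag this on sight).
    conn.execute("CREATE TABLE legacy_users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES ('alice', 'correct horse')")
    # 'After' table: only a salt and a PBKDF2 digest are stored.
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    salt, digest = hash_password("correct horse")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    return conn

def login_vulnerable(conn, username, password):
    """Deliberately weak handler: SQL built by concatenation, password compared
    inside the query, and error text that says which half was wrong."""
    row = conn.execute(
        "SELECT name FROM legacy_users WHERE name = '" + username + "'").fetchone()
    if row is None:
        return False, "Unknown username."                  # leaks valid usernames (idea 6a vs 6c)
    row = conn.execute(
        "SELECT name FROM legacy_users WHERE name = '" + username
        + "' AND password = '" + password + "'").fetchone()  # idea 3: the input becomes SQL
    if row is None:
        return False, "Wrong password for this user."
    return True, row[0]

def login_hardened(conn, username, password):
    """Same interface, with the checks the list above asks for done on the server."""
    # Ideas 1, 7, 8, 16: the browser's maxlength is advisory; enforce limits here.
    if not (1 <= len(username) <= MAX_LEN and 1 <= len(password) <= MAX_LEN):
        return False, GENERIC_ERROR
    # Idea 3: a parameterised query; the input can never be parsed as SQL.
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE name = ?", (username,)).fetchone()
    # Ideas 6a-c: unknown user and wrong password take the same path and give
    # the same message, so the response does not reveal which usernames exist.
    salt, digest = row if row is not None else (DUMMY_SALT, DUMMY_DIGEST)
    _, candidate = hash_password(password, salt)
    if row is None or not hmac.compare_digest(candidate, digest):
        return False, GENERIC_ERROR
    return True, username

# Constructed inputs covering the combinations in idea 6 plus ideas 3, 7 and 11.
CASES = {
    "wrong user, wrong pass":     ("mallory", "guess"),
    "wrong user, correct pass":   ("mallory", "correct horse"),
    "correct user, wrong pass":   ("alice", "guess"),
    "correct user, correct pass": ("alice", "correct horse"),
    "sql injection in password":  ("alice", "' OR '1'='1"),
    "oversized username":         ("a" * 5000, "guess"),
    "html in username":           ("<script>alert(1)</script>", "guess"),
}

def run_cases(login, conn):
    """Run every case through one handler; returns {case: (logged_in, message)}."""
    return {name: login(conn, u, p) for name, (u, p) in CASES.items()}

if __name__ == "__main__":
    db = make_db()
    for handler in (login_vulnerable, login_hardened):
        print(handler.__name__)
        for case, outcome in run_cases(handler, db).items():
            print(f"  {case:28} -> {outcome}")
```

Run it and compare the two result tables: the weak handler lets the injection string in and answers "wrong username" and "wrong password" differently, which is exactly what combinations 6a to 6c are meant to surface; the hardened one gives one message and one code path for every failure, and rejects the 5000-character username before it ever reaches the database.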

Do some scenario testing,

17. A and B are two users of the same computer at a cyber café. A comes to the café, logs in to his/her account, and suddenly the power goes off; there is no UPS. A has not logged out, waits for some time for the power to come back, and after a long wait leaves the café. When the power comes back, user B logs into the same computer that A used and, in IE or Mozilla Firefox, types the URL of the account that A used.

From the above scenario,
a. Check whether A has been logged out because there was no activity for a certain period of time.
b. Check whether, even after A has gone to another café that has power and logged out there, B is still able to use A's privileges. Note that an ordinary logout normally ends only the session on the machine where it was clicked, so for this check to pass the product needs either a short idle timeout or a way for A to end sessions on other machines.

18. A and B are two users at a cyber café; A is currently logged in. A gets a call on his/her phone and goes out for some time to talk to a friend. Now B has access to A's machine and tries to change A's password.
a. From the above scenario, check whether the product has this protection: it asks for the current password before accepting a new one.
b. If it does not ask for the current password and lets B change the password just by entering a new one, that is a potential problem.
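Scenarios 17 and 18 both turn on what the server, not the browser, remembers about a session. The following added example, my own and not WordPress code or code from the original post, models a server-side session store with an idle timeout, an ordinary logout, a "log out everywhere" action, and a password change that re-asks for the current password, then walks through both scenarios with a fake clock. The 15-minute timeout, the account "alice" / "correct horse" and the store's method names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (assumed value)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """Password store: salted PBKDF2 digests keyed by username."""
    def __init__(self):
        self.creds = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.creds[user] = (salt, _digest(password, salt))

    def verify(self, user, password):
        if user not in self.creds:
            return False
        salt, digest = self.creds[user]
        return hmac.compare_digest(_digest(password, salt), digest)

class SessionStore:
    """Server-side session table. The cookie holds only an opaque random token;
    everything about the session lives here, so the server can end it at will."""
    def __init__(self, clock):
        self.clock = clock        # returns "now" in seconds; injected so the example can jump time
        self.sessions = {}        # token -> {"user": ..., "last_seen": ...}

    def create(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def user_for(self, token):
        """User owning a presented cookie, or None if it is unknown or idle-expired."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]          # scenario 17a: idle sessions end on the server
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        """Ordinary logout: ends only the session whose cookie was presented."""
        self.sessions.pop(token, None)

    def logout_everywhere(self, user, keep=None):
        """End every session of this user, except an optional one to keep."""
        for t in [t for t, s in self.sessions.items() if s["user"] == user and t != keep]:
            del self.sessions[t]

def change_password(accounts, sessions, token, current_password, new_password):
    """Scenario 18: a live session alone must not be enough to set a new password."""
    user = sessions.user_for(token)
    if user is None:
        return "not logged in"
    if not accounts.verify(user, current_password):
        return "current password wrong"      # B, sitting at A's machine, stops here
    accounts.set_password(user, new_password)
    sessions.logout_everywhere(user, keep=token)   # any other open session must log in again
    return "changed"

def run_scenarios():
    """Walk through scenarios 17 and 18 on a constructed fake clock; returns the observations."""
    now = [1000.0]
    sessions = SessionStore(lambda: now[0])
    accounts = Accounts()
    accounts.set_password("alice", "correct horse")
    seen = {}

    # 17a: A logs in at the cafe, the power fails, A leaves; B comes to the same PC much later.
    cafe_cookie = sessions.create("alice")
    now[0] += IDLE_TIMEOUT + 1
    seen["17a_B_after_idle"] = sessions.user_for(cafe_cookie)                     # None

    # 17b: power is back within the limit; A has logged in at a second cafe and logged out there.
    cafe_cookie = sessions.create("alice")
    other_cafe_cookie = sessions.create("alice")
    sessions.logout(other_cafe_cookie)
    seen["17b_B_after_plain_logout_elsewhere"] = sessions.user_for(cafe_cookie)   # "alice"
    sessions.logout_everywhere("alice")      # what A actually needs: end sessions on other machines
    seen["17b_B_after_logout_everywhere"] = sessions.user_for(cafe_cookie)        # None

    # 18: A is logged in and steps out; B tries to set a new password without knowing the old one.
    a_cookie = sessions.create("alice")
    seen["18_B_without_current_pw"] = change_password(accounts, sessions, a_cookie, "guess", "owned")
    seen["18_A_with_current_pw"] = change_password(accounts, sessions, a_cookie, "correct horse", "new pass")
    seen["18_old_pw_rejected"] = accounts.verify("alice", "correct horse")         # False
    seen["18_new_pw_accepted"] = accounts.verify("alice", "new pass")              # True
    return seen

if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:40} -> {value!r}")
```

The 17b step is the one worth dwelling on: A's ordinary logout at the second café ends only the session created there, so B's cookie on the first machine keeps working until the idle timeout hits. Only the "log out everywhere" action (or the timeout) protects A, which is why check 17b should be read as "does the product give A any way to end sessions on other machines, and how long does an abandoned session live otherwise".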


Note that these are not "THE IDEAS" but a few ideas that I came up with. You can try different scenarios and add your own ideas to this list.
