Krishna Kishore K
1) Validate that leading spaces entered in an alphanumeric field are trimmed before the record is saved.
2) Validate that trailing spaces entered in an alphanumeric field are trimmed before the record is saved.
3) Validate that a value consisting only of spaces is not allowed to be saved.
4) Validate that any primary key field that is going to be displayed is not case sensitive.
5) Validate that if the field length is 20 and the data entered is 12 spaces + 12 characters, the record is not saved.
6) Enter valid data within the specified range.
7) Enter the least number of characters as defined by the width.
8) Enter the maximum number of characters as defined by the width.
9) Enter a number of characters which exceeds the width.
10) Enter data surrounded by single quotes.
11) Enter data surrounded by double quotes.
12) Validate that if more than one space is entered between two strings in an alphanumeric field, the extra spaces are trimmed before the record is saved.
13) Enter a value with a single quote and '&', and values like ~!@#$%^&*()_.
14) Verify that cut/copy/paste is supported in the text field.
1) Validate boundary conditions in numeric fields.
2) Validate that negative numbers are not accepted in numeric fields that should expect positive numbers.
3) Validate that any numeric value displayed is shown with two decimal places unless it is system specific. E.g. Rs. 147 should be displayed as Rs. 147.00.
4) Enter a valid number within the specified range.
5) Enter the lowest number.
6) Enter the highest number.
7) Enter a rational number (fraction), e.g. 2/5.
8) Enter a negative rational number (fraction), e.g. -2/5.
9) Enter a space in the first position and then the number.
10) Enter the number and then a space in the last position.
11) Enter non-numeric values like !@#$%^&*()_.
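As an added example (not the checklist author's code), the following Python validators implement the alphanumeric-field rules above and the numeric-field rules in this section; the field widths, ranges and currency label are assumptions.

```python
import re
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
from typing import Optional

# Added example: field validators for the alphanumeric and numeric checks in the
# checklist. Widths and ranges are assumed values, not from the original document.


def clean_text(raw: str, width: int) -> Optional[str]:
    """Return the value to store, or None when the record must not be saved."""
    if len(raw) > width:
        # Input longer than the field width is rejected as entered, so 12 spaces +
        # 12 characters in a width-20 field is not saved.
        return None
    value = re.sub(r"\s+", " ", raw.strip())  # trim ends, collapse internal runs of spaces
    if not value:
        return None                            # only spaces entered: never saved
    return value                               # quotes and symbols are kept literally


def parse_number(raw: str, low: str, high: str,
                 positive_only: bool = False) -> Optional[Decimal]:
    """Parse a numeric field; None means the input is rejected.

    Bounds are given as strings so they are exact decimals, not binary floats.
    Decimal() tolerates leading/trailing spaces, so " 147 " is accepted as 147.
    """
    try:
        value = Decimal(raw)   # "2/5", "abc" and "!@#$" all fail here; never eval() input
    except InvalidOperation:
        return None
    if not value.is_finite():  # "NaN" and "Infinity" parse but are not usable numbers
        return None
    if positive_only and value < 0:
        return None
    if not Decimal(low) <= value <= Decimal(high):   # inclusive boundary check
        return None
    return value


def display_amount(value: Decimal, currency: str = "Rs.") -> str:
    """Display a numeric value with two decimal places, e.g. Rs. 147 -> Rs. 147.00."""
    return f"{currency} {value.quantize(Decimal('0.01'), rounding=ROUND_HALF_UP)}"
```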
1) Validate that the date displayed is in the standard format of the system, e.g. DD/MM/YYYY.
2) Date fields should contain a calendar popup.
3) Date fields should take their format from the localization settings.
4) Date fields will contain an icon that is uniquely identified throughout the date fields.
5) Assure that leap years are validated.
6) Assure that the old value is retained when the month value is 0 or above 12.
7) Assure that day values of 0 or above the last day of the month are updated to the last day of the month.
8) If there are other dates on the same record, check that they accept values which do not break the functionality, e.g. the end date should be >= the start date.
9) Assure that out-of-cycle dates are validated correctly and do not cause errors or miscalculations.
10) Verify that the old value is retained when the user action/input is invalid.
11) Validate with all possible date formats.
12) Validate with all possible time formats.
1) Verify different regional settings.
2) Enter localized data into text fields.
3) Verify different date formats.
4) Verify different currency formats.
5) Verify that field lengths are not truncating values.
6) Verify that localized field labels are not being truncated.
7) Enter double-byte (UTF-16) character data when the database column holds data in Unicode format, and also when the requirement is UTF-8 only.
8) Verify the content being displayed for mixed languages if the application is independent of browser settings.
1) Validate that blank input in the From range field is acceptable.
2) Validate that blank input in both the From and To range fields is acceptable.
3) Validate that blank input in the To range field is acceptable.
4) Validate that a value in the To range field smaller than the From field is not acceptable.
5) Validate that the date range field displays the maximum value provided in the selection box in the 'To' date field and the minimum value in the From date field, as per the requirement of the query.
6) Validate that if a blank screen is submitted, all the records are displayed.
7) Validate that the result page displays the number of records found for the query.
8) Validate that the result page displays a New Query link to go back to the query page.
9) Validate that the standard number of records is displayed on a single result page of the report.
10) Validate that the button on the parameter screen is labeled 'Search'.
11) Validate that if Next and Previous buttons are present on a page, they are labeled 'Next' and 'Prev' and positioned on the right-hand and left-hand side of the screen respectively.
12) Validate that alphanumeric data and labels displayed in the report are left aligned.
13) Validate that numeric data and labels displayed in the report are right aligned.
14) Validate that numeric data and labels representing ID fields or links are displayed left aligned.
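As an added example (not from the original checklist), this Python code applies the date-field rules above (leap years, an out-of-range month keeps the old value, an out-of-range day clamps to the month end, several accepted input formats) together with the From/To range rule from this section; the list of accepted formats is an assumption.

```python
import calendar
from datetime import date, datetime
from typing import List, Optional

# Added example: date-field normalization and From/To range checking as described in
# the checklist. FORMATS is an assumption; the locale's own format should come first
# because an ambiguous string such as 01/02/2024 is taken by the first matching format.
FORMATS = ["%d/%m/%Y", "%m/%d/%Y", "%Y-%m-%d"]


def parse_date(text: str, formats: List[str] = FORMATS) -> Optional[date]:
    """Try each accepted format in turn; None means no format matched, so the caller
    keeps the field's old value (invalid input must not overwrite it)."""
    for fmt in formats:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


def normalize_date(old: Optional[date], year: int, month: int, day: int) -> Optional[date]:
    """Apply the checklist's component rules to a year/month/day entered by the user."""
    if not 1 <= year <= 9999 or not 1 <= month <= 12:
        return old                                   # invalid year/month: old value retained
    last_day = calendar.monthrange(year, month)[1]   # 29 for February in a leap year
    if day < 1 or day > last_day:
        day = last_day                               # 0 or past month end -> last day of month
    return date(year, month, day)


def validate_range(start: Optional[date], end: Optional[date]) -> bool:
    """Blank From/To are acceptable (open-ended query); To earlier than From is not."""
    if start is None or end is None:
        return True
    return end >= start
```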
Submission of a form from two different machines
1) Validate two different users accessing the same record from different machines.
2) Validate whether the same user is allowed to access the same record from different machines.
3) Validate that in multi-user operations, if any unique key or primary key is violated, an appropriate error message is shown to one of the users.
4) Validate changes to master data when the same data is being used in a transaction from another terminal.
5) Validate two different users trying to delete the same record from different machines.
6) Validate a user trying to delete the same record from different browsers.
1) Validate submission of a blank login screen.
2) Validate cancellation on a blank login screen.
3) Validate that the focus is on the first text field of the login screen after invoking the screen.
4) Validate that the focus is on the Login button of the login screen after invoking the screen.
5) Validate simultaneous logins by different types of users with the same user name and password.
6) Validate leaving the user name field blank and clicking Login.
7) Validate leaving the password field blank and clicking Login.
8) Validate that after changing the password and saving the record, the user is allowed to log in.
9) Validate that if the user does not log off normally, the user is allowed to log in again.
10) Validate entering the user name correctly and the password wrongly.
11) Validate entering the password correctly and the user name wrongly.
12) Validate whether the password is case sensitive.
13) Validate whether the username is case sensitive.
FUNCTIONALITY
1) Validate that the business requirements are being met.
2) Validate the accuracy of calculated fields. While validating page totals, also validate across pages.
3) Validate the usage of data across modules, e.g. address book entries can be used in the email and appointments modules.
4) Validate the appropriateness of field sizes for storing the data, i.e. a field size of 12 is not appropriate for storing a name like 'Balasubramaniam'.
5) Validate compliance with the design documents and specific project-related legal issues and standards.
6) Validate for unauthorized access to the system, both with password security and access-level security.
7) If any field has multiple validation rules, validate the validity of each of them.
8) Validate the inclusion of zeros in complex calculations.
9) Validate the handling of special characters like single quotes in search operations.
10) Validate application access when the database server is down.
11) Validate division by zero; the test can force this condition.
12) Validate that passwords are stored in encrypted format.
13) Validate the validity of the password expiry rule.
1) Is the spelling and grammar correct?
2) Do the non-updateable fields have a gray background?
3) Is the general screen background the correct color?
4) Are the field prompts the correct color?
5) Are the field backgrounds the correct color?
6) Are all the field prompts spelt correctly?
7) In read-only mode, are the field prompts the correct color?
8) In read-only mode, are the field backgrounds the correct color?
9) Are all the screen prompts specified in the correct screen font?
10) Is the text in all fields specified in the correct screen font?
11) Are all the field prompts aligned perfectly on the screen?
12) Are all the field edit boxes aligned perfectly on the screen?
13) Are all group boxes aligned correctly on the screen?
14) Is the screen resizable?
15) Is the screen minimizable?
16) Are all the error messages spelt correctly on the screen?
17) Do the dialog boxes have a consistent look and feel?
18) Validate submission of a blank form.
19) Validate cancellation of a blank form.
20) Validate user form compatibility on different screen resolutions.
21) Validate for data loss when the screen is minimized before saving the record.
1) Validate for data loss when the user switches focus between applications before saving the record.
2) Validate whether all mandatory fields are highlighted.
3) Validate whether the record is allowed to be saved if data is entered only in the optional fields.
4) Validate each mandatory field by leaving it blank and saving the record.
5) Validate uniqueness in unique fields during add.
6) Validate uniqueness in unique fields during update.
7) Validate whether the record is allowed to be saved with maximum data in all fields.
8) Validate data retention when the browser Back and Forward keys are pressed.
9) Re-submit the user form after deleting data from all the mandatory fields in update mode.
10) Re-submit the user form after deleting data from all the optional fields in update mode.
11) Validate saving of data in update mode.
12) Validate that the number of records displayed on a single page across the system is based on the requirements.
13) Validate that error messages displayed to the user use the same font that is used across the system.
14) Validate that abbreviations used for internal codification are not displayed to the user as a code but as the full description of the code (e.g. description 'Credit Card', internal code 'C').
15) Validate that when the status of an entity in the system is displayed, it is shown as Disabled/Enabled, True/False or any other relevant status as per the standard of the system.
USABILITY
1) Vertical scroll does not go beyond two pages. Preferably there should be no horizontal scrolling.
2) Page size should not exceed 65 KB; in exceptional cases it can get to 100 KB. Reducing page size gives better performance on the web.
3) Transactional buttons should be placed at the bottom of the screen, also if the screen has a vertical scroll bar (depends on the business requirement though).
4) There should be a gap between the label and controls (single).
5) There should be a gap between control and calendar (single).
6) The calendar image should be middle aligned to the control.
7) The max. length of the controls should match the database field length.
8) Validate the display of system status: if busy, the hourglass should be displayed.
9) Validate consistency across the module.
10) Validate that character fields are displayed left aligned and numeric fields right aligned.
11) Validate accessibility of the screen from all the options provided, i.e. menus and toolbar.
12) Validate that control goes back to the field in error after the error message is displayed.
13) Validate tool tips on command buttons.
14) Validate that the user is in control of the operations being performed.
15) Does the tab order specified on the screen go in sequence from top left to bottom right? This is the default unless otherwise specified.
16) Are all read-only fields avoided in the tab sequence?
17) Are all disabled fields avoided in the tab sequence?
18) Is the cursor positioned in the first input field or control when the screen is opened?
19) When an error message occurs, does the focus return to the field in error when the user cancels it?
20) Does the screen have a cancel operation for the user to cancel the transaction?
21) Is the screen modal, i.e. is the user prevented from accessing other functions when this screen is active, and is this correct?
22) Can a number of instances of this screen be opened at the same time, and is this correct?
23) Click a link before a page is downloaded completely.
24) Verify whether a page is displayed properly upon clicking a link a certain number of times continuously.
25) Verify whether logging and version checking happen for non-web-based UIs.
26) Verify whether all UIs adhere to the corporate security site guidelines. The guidelines can be found at http://itweb/polices/app_dev_host.htm.
27) Verify whether a user-friendly error message is displayed.
DATABASE-IMPORTING DATA
IMPORTING DATA FROM A FILE
1) Verify by passing more columns than specified.
2) Verify by not passing the mandatory fields.
3) Verify by passing more characters than specified in the destination database for a particular column.
4) Validate data for leading and trailing spaces in the alphanumeric columns.
5) Verify by passing characters for a column of datatype integer. Also verify by passing values greater than 2,147,483,647.
6) Validate different date formats along with time.
7) Validate the file formats.
8) Validate different delimiters.
9) Verify whether source and destination columns have the same column size and datatype.
10) Verify whether the destination table exists with the specified columns.
11) Verify, when a job is stopped while it is executing, whether it is rolled back or restarts from that point.
12) Validate data against the rules specified for each column/table.
13) Verify whether a proper error message is displayed when the destination database server goes down while the source database server has an active connection.
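As an added example (not from the original checklist), this Python import validator applies the row-level checks listed above to a delimited file: column count, mandatory columns, alphanumeric width, trimming of leading/trailing spaces, non-numeric data in an integer column, values beyond 2,147,483,647, and a configurable delimiter. The destination schema and the sample file are constructed for the example.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Added example: checks for rows imported from a delimited file against the destination
# table's columns. The schema and the sample file below are constructed, not from the text.
INT32_MAX = 2_147_483_647        # largest value an INT column holds

# (column name, datatype, width for alphanumeric columns, mandatory?)
SCHEMA = [
    ("cust_id", "int", None, True),
    ("name", "varchar", 30, True),
    ("city", "varchar", 20, False),
    ("credit", "int", None, False),
]


def validate_row(row: List[str], line_no: int) -> Tuple[Dict[str, object], List[str]]:
    """Return (record, errors); a row with any error is not loaded."""
    if len(row) != len(SCHEMA):   # more or fewer columns than specified
        return {}, [f"line {line_no}: expected {len(SCHEMA)} columns, got {len(row)}"]
    record: Dict[str, object] = {}
    errors: List[str] = []
    for raw, (name, kind, width, mandatory) in zip(row, SCHEMA):
        value = raw.strip()       # leading/trailing spaces are trimmed before loading
        if not value:
            if mandatory:
                errors.append(f"line {line_no}: {name} is mandatory")
            record[name] = None
        elif kind == "int":
            if not re.fullmatch(r"-?\d+", value):   # letters or "12.5" in an INT column
                errors.append(f"line {line_no}: {name} must be an integer, got {value!r}")
            elif not -INT32_MAX - 1 <= int(value) <= INT32_MAX:
                errors.append(f"line {line_no}: {name} overflows INT ({value})")
            else:
                record[name] = int(value)
        elif len(value) > width:  # longer than the destination column allows
            errors.append(f"line {line_no}: {name} exceeds {width} characters")
        else:
            record[name] = value
    return record, errors


def import_file(text: str, delimiter: str = ",") -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse with the given delimiter; keep only rows that pass every rule."""
    good, errors = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), start=1):
        record, errs = validate_row(row, line_no)
        if errs:
            errors.extend(errs)
        else:
            good.append(record)
    return good, errors


# Constructed sample file: one clean row, then one violation per rule above.
SAMPLE_FILE = "\n".join([
    "1, Alice ,Chennai,500",
    "2,Bob,Mumbai,2147483648",      # exceeds 2,147,483,647
    "x,Carol,Pune,10",              # characters in an INT column
    "4,,Delhi,10",                  # mandatory name missing
    "5,Dave,Kolkata",               # fewer columns than specified
    "6,Eve,Hyderabad,10,extra",     # more columns than specified
    "7,Frank,A city name far longer than twenty chars,1",  # exceeds width 20
])
```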
Security Testing
1) Buffer overflow
2) Extraneous access to users
3) Extraneous ports/services
4) Error Message Risk
5) SQL Injection
6) Authentication/Authorization
7) Path Traversal Techniques
8) Renaming File Extensions
9) General SQL
10) Cross Site Scripting
11) Mail Relay risk
12) Hidden Fields
13) Sequential Numbering
14) Cookie Manipulation/Encryption
Buffer overflow
A buffer overflow happens when something far larger than an input box was designed to hold is placed in it. Buffer overflows are used to crash the system, or to gain complete control over it by having it execute an attacker's malicious code.
Test cases:
1) Verify the application doesn't crash/break when you cut and paste huge documents into every input field of the application.
2) Verify all input fields have boundary checking.
Extraneous ports/services
Hackers use the easiest and most convenient way to exploit well-known computer and Internet flaws. In most cases the fewer ports/services you have open/enabled, the fewer avenues an attacker can use to compromise your network.
Test cases:
1) Verify that all unused ports at the firewall or external packet-filtering device are blocked, disabled or closed, and that unnecessary ports on Internet-facing NICs are unbound.
2) Verify that unnecessary protocols remain disabled.
3) Verify that services that are not required are not running, and that services which must run are accessible only to those who absolutely require them.
SQL Injection
SQL Injection is simply a term describing the act of passing SQL code into an application in a way the developer did not intend. SQL injection is usually caused by developers who use "string-building" techniques in order to execute SQL code.
Test cases:
1) Verify that there is no obvious SQL Injection vulnerability by passing a single quote ('), --, OR and AND in an input field, e.g. enter a single quote in the UserName field of your application. The application should not throw an error, or if an error is thrown, it should be generic and not provide any information to the user/hacker. An example of a bad error is:
   [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' AND UPPER(LTRIM(RTRIM(customer.password))) =''.
   /sqltraining/ExampleCheck.asp, line 34
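As an added example (not from the original checklist), the Python code below puts the "string-building" login query the text warns about beside its parameterized replacement, and adds the probe a tester would run for test case 1: a quote in the username must not surface as a database error, and any failure shown to the user must be generic. The customer table, its single row and the function names are constructed for this example; sqlite3 stands in for SQL Server.

```python
import logging
import sqlite3
from typing import Callable

# Added example: string-built vs parameterized login query and the tester's probe.
# The table and row are constructed here. Passwords are kept in plain text only to
# mirror the query shape in the text's error message; a real system stores a hash.
log = logging.getLogger("login")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, password TEXT)")
    conn.execute("INSERT INTO customer VALUES ('alice', 'secret')")
    return conn


def login_string_built(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable form: user input is spliced into the SQL text itself.
    sql = ("SELECT COUNT(*) FROM customer WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] == 1


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: placeholders; the driver passes the values separately from the
    # SQL text, so a quote in the input is data, never syntax.
    sql = "SELECT COUNT(*) FROM customer WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


Login = Callable[[sqlite3.Connection, str, str], bool]


def probe(login: Login, conn: sqlite3.Connection, username: str, password: str) -> str:
    """What a tester observes: 'ok', 'denied', or 'db-error' when a quote in the input
    reached the database as syntax (the leaky ODBC message quoted in the text)."""
    try:
        return "ok" if login(conn, username, password) else "denied"
    except sqlite3.Error:
        return "db-error"


def login_page(conn: sqlite3.Connection, username: str, password: str) -> str:
    """User-facing wrapper: one generic message for every failure; details go to the
    server log, never to the browser."""
    try:
        ok = login_parameterized(conn, username, password)
    except sqlite3.Error:
        log.exception("login query failed")     # detail stays server-side
        ok = False
    return "Welcome" if ok else "Invalid username or password"
```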
Authentication/Authorization
Improper validation of the user's authentication results in the application being vulnerable to unauthorized access and login bypass.
Test cases:
1) Verify bypassing of the login procedure by using a bookmark, history entry, or a captured URL.
2) Verify that unauthorized users are blocked from the system.
3) Verify that expiring user accounts expire as expected.
4) Verify that the user is not able to view/update unauthorized information.
5) Verify that the application implements and enforces frequent password changing. Ensure the new password works and the old password is deactivated.
6) Ensure only a limited number of consecutive failed logins is allowed in the application. Verify whether this feature is configurable by a user in a configuration file or a registry key; if yes, ensure only Admin has privileges to make the change.
7) Verify the application allows only strong passwords.
8) Verify that user names and passwords are stored in encrypted format, whether in the database or in configuration files such as .INI files.
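As an added example (not from the original checklist), the Python account store below implements the controls that test cases 5 to 8 check: a lockout after a fixed number of consecutive failed logins, a strong-password rule, salted one-way hashing (the usual way to meet "stored in encrypted format" without keeping a reversible secret), and a password change that deactivates the old password. The threshold, policy values and class name are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict

# Added example: lockout, strength policy, salted hashing and password change.
# MAX_FAILED_LOGINS is a stand-in for the admin-configurable setting the text asks for.
MAX_FAILED_LOGINS = 5
ITERATIONS = 100_000     # PBKDF2 work factor, kept modest here; raise it in production
SALT_BYTES = 16


def is_strong(password: str) -> bool:
    """At least 12 characters with lower, upper, digit and symbol (assumed policy)."""
    checks = [r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"]
    return len(password) >= 12 and all(re.search(p, password) for p in checks)


def hash_password(password: str) -> bytes:
    salt = os.urandom(SALT_BYTES)          # fresh salt per password
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class Accounts:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}   # username -> {"hash", "failed", "locked"}

    def create(self, username: str, password: str) -> None:
        if not is_strong(password):
            raise ValueError("password does not meet the strength policy")
        self.users[username] = {"hash": hash_password(password), "failed": 0, "locked": False}

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. An unknown user gets the same 'denied' as
        a wrong password, so the response does not reveal which usernames exist."""
        acct = self.users.get(username)
        if acct is None:
            return "denied"
        if acct["locked"]:
            return "locked"
        if check_password(password, acct["hash"]):
            acct["failed"] = 0                 # a success resets the consecutive count
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_LOGINS:
            acct["locked"] = True              # only an administrator should clear this
            return "locked"
        return "denied"

    def change_password(self, username: str, old: str, new: str) -> bool:
        acct = self.users[username]
        if not check_password(old, acct["hash"]) or not is_strong(new):
            return False
        acct["hash"] = hash_password(new)      # the old password no longer verifies
        acct["failed"] = 0
        return True
```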
Path Traversal Techniques
1a) For example, if the URL is http://www.unknownserver.com/pictures/august/index.htm, try to access different URLs by changing the name of the month from January through December.
1b) Given the URL http://www.unknownserver.com/users/4858567, it is quite possible that there are millions of other users on this system. A user could write a program that checks each of these URLs, starting from http://www.unknownserver.com/users/1, and possibly find a directory that did not give an access-denied message.
b) Reverse Directory Traversal: reverse directory traversal is the process of editing the URL in your web browser to attempt to access areas of the web server that were not secured. By adding ../ sequences to existing URLs, and adjusting the number of directories to traverse, an attacker might gain access to system files.
General SQL
Here are some general SQL-related security test cases that testers should keep in mind.
Test cases:
1) Try the following user IDs and passwords to log in to SQL Server:
   Userid: sa, Password: blank
   Userid: sa, Password: sa
   Userid: sa, Password: Password
2) Verify that the sa passwords in the database are not easily guessable.
3) Verify that no login IDs have passwords that are the same as the login.
4) Drop master..xp_cmdshell if you can do without it. If it has to be used, permission should be granted only to people who absolutely need it.
5) Take the time to audit for logins with null passwords. Use the following code to check for null passwords:
   Use master
   Select name, Password from syslogins where password is null order by name
Mail Relay risk
1) Verify that mail relay is disabled if not required.
2) Disable the SQL Mail capability unless absolutely necessary.
3) If mail relay is required by the application, verify that the service is configured so that the "MAIL FROM" cannot be different from the domain in which the server resides.
Hidden Fields
Hidden fields are fields used to store state information as data is passed back and forth between the client and server.
Test cases:
1) Ensure that secure information like user IDs, passwords and any other sensitive information is not stored in hidden fields, by looking at View Source on the web application.
Sequential Numbering
Sequential numbering is when an application increments numbers for any of its key fields, which can be easily discovered and exploited by hackers.
Test cases:
1) Make sure that authentication/authorization is not based on an unmasked sequential number only (example: UserID = 1, 2, 3). Not only hackers but also users with access to the site may guess and enter the numbers to retrieve information they are not supposed to see. For example, given the URL http://www.unknownserver.com/users/userInfo.aspx?userID=5, it is quite possible that there are millions of other users on this system. Try changing the URL by incrementing the UserID value and see if it can be accessed.
INSTALLATION TESTING
1) Validate the functioning of the system with the different operating systems stated in the requirement document.
2) Validate installation on a clean machine.
3) Validate that the user is prompted in case of insufficient space for installation.
4) Validate that the uninstall operation removes all traces of the program.
5) Validate cancellation of the installation operation midway; a re-install should then complete smoothly.
6) Validate installation in the default directory.
7) Validate installation in a user-defined directory and the working of all main operations.
8) Validate installation with long file paths and paths with spaces.
9) Validate migration of data from the old system.
10) Validate installation of the application on one machine and the database on another machine.
11) Validate printing on different types of printers.
12) Verify whether all the tables/views have been created as specified in the functional specs.
13) Verify whether all the constraints and indexes have been created as specified in the functional specs.
14) Verify whether all the command-line processes are included as a server check. The server check should be customizable.
15) Verify whether the build process is able to restart from the failure point.
16) Verify whether long build processes are monitored and logged exactly.