Quality Testing

Quality is delighting customers

What things should be tested when testing a password field? If anybody has any ideas, please share...

Replies to This Discussion

1. While typing, the password should be displayed as stars (****); no characters should be displayed
2. Copy paste of typed password in the text field should not be allowed
3. Need to verify boundary conditions
4. Log in successfully and log out. Click the back button in the browser; the page should not be displayed

Many more cases are there…
You have to tell us a lot more:

1) Nowadays we have virtual keyboards. Does your password field use one?
2) Is it case sensitive?
3) Boundary value conditions?
4) Can it be empty?
5) Can copy-paste work?
6) What do the requirements say: special character inclusion, etc.?
... So, unless you have a specific requirement, it is very tough to answer this question. Please be more specific if you want the real answer....
- make sure the letters added should be in *
- when you paste the password, it should not allow it (it depends on the requirement specification)
- Should be case sensitive
- should allow all special characters and numbers in the password
- successful login to the application
- after login browser back should not keep the password details
- should allow spaces?
- better to have confirm password field also (depends on RS -Requirement specification)
- do not enter password and try login - (expect to see error message)
- do not enter login name just enter password - (expect to see error message)
- After valid login details, close the browser and open it. Try this time with wrong password (expect to see error message)
Rest of the testing depends on requirements.
If we need to test the password field from a security point of view, how many types of SQL injection attacks can we check in the password field? Does anybody have new attacks to test that? And in how many ways can a hacker break our website without a password? How do we stop them?
Instead of example tests let me share some tricks for executing the tests.

Forms with User and Password fields need to restrict what can be entered into those fields and validate what is entered. As a hacker I need to get around the controls for what I can enter and then subvert the validation.
Validation may happen within the page itself or server side. Restricting what data I can enter and the validation that occurs in the page is obviously the easiest to get around so let’s look at that.

Once the page has loaded save the HTML page locally (right click > save page as) this should save the HTML page and images that are needed. Now open it for editing.

In the page source, search for the password field. It should look something like this: <input type="password" size="20"> with a few other attributes such as name or ID. This means we’ll see *** when we enter characters and we can only enter a maximum of 20. Let’s change this: change its type from 'password' to 'text' so that when you type passwords you can see the characters, and then change the size to 200. Our password field now looks like this: <input type="text" size="200">

Out of interest this is the way to break other form elements such as checkboxes or drop-down menu options. Just change them in the local copy of the HTML page you have and see what you can break by doing so. The thing to watch is the names or IDs of the fields as these are most important when you submit the form. Another thing here is form element names and IDs are often exactly the same as the name of columns the data will go into in a database. This alone is a security risk and a route for your more elaborate hacking attempts, now you just need to guess the table name, which might be the name of the form (see that before) and you're away with SQL fun.

Meanwhile...save the HTML page locally that you just edited and try running your tests.

The next issue you may encounter is that the validation is being handled by a JavaScript that gets loaded with the page. Look at the top of the HTML source for a line similar to this:
<script type="text/javascript" src="login_validation.js"> which tells you there’s a file being loaded to validate the login details. If this script is there then you’ll most likely see a function from it being called when you click submit.

Look back at the source for the HTML page and find the submit button. If it’s written something like onSubmit="login_validation();" then we know that script is being called. The simplest way to get around this is to delete the reference to the script and see if you can still submit the form, but this time knowing there’s no validation running.

An alternative is to save the JavaScript locally and change it. To do this enter the base URL plus the location of the JavaScript into a web browser. For example on my website of www.cyreath.co.uk I have a JavaScript loaded into the HTML home page called mydayfunction.js so if you go to www.cyreath.co.uk/mydayfunction.js you can download it, save it locally and edit it. Do this for whatever script is managing form validation on your passwords and user names. You need to place the locally saved JavaScript file into the same location as your HTML file. If in the script you see a function such as form_validation you could delete everything except the function declaration and close and just add a comment or change the script to allow you to do what you want.

That’s the easy stuff. With these two approaches you get around HTML and JavaScript validation and limitations. There may be server-side validation going on that’s trickier to work around and gets more into the realms of ‘proper’ hacking.

Have fun.

Mark.
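
The server-side counterpart to the checks described above, as an added example that is not part of the original post: a Python login check written on the assumption that every browser-side limit and validation script has been removed. The field names, the 128-character limit, the table layout and the test account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_LEN = 128                               # assumed server-side limit; the HTML limit is advisory only
ALLOWED_FIELDS = {"username", "password"}   # assumed form field names


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory store holding one constructed test account."""
    db = sqlite3.connect(":memory:")
    # Column names deliberately differ from the form field names.
    db.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               ("alice", salt, hash_password("Corr3ct Horse!", salt)))
    return db


def login(db: sqlite3.Connection, form: dict) -> tuple[bool, str]:
    """Validate a submitted form as if the browser applied no checks at all."""
    # Only the expected fields are accepted; extra or renamed fields are rejected.
    if set(form) != ALLOWED_FIELDS:
        return False, "unexpected or missing field"
    user, password = form["username"], form["password"]
    if not isinstance(user, str) or not isinstance(password, str):
        return False, "bad type"
    if not user or not password:
        return False, "empty field"
    if len(user) > MAX_LEN or len(password) > MAX_LEN:
        return False, "too long"
    # Parameterized query: submitted values are bound as data, never spliced into the SQL text.
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE login = ?", (user,)).fetchone()
    if row is None:
        return False, "invalid credentials"
    salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "ok"
    return False, "invalid credentials"
```

A tester can replay the edited-page cases from this thread (oversized input, empty fields, quote characters, extra fields) directly against `login()` and confirm each one is refused without relying on the page's own script.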
Hi Mark,

Totally I agree with your answer. Thanks for your good explanation.

Regards,
Anil
Thank you so much, Mr. Mark, for sharing knowledge. :)
Thanks Mark. It's too good. Can I apply this to every website? And does it require any tools, or can we do it manually?
Thanks - glad it's of help.

You can do all of this manually. If you don't have them, consider getting one of the following free tools for editing the HTML page and JavaScript:

* SciTE - http://www.scintilla.org/SciTE.html
* Eclipse - http://www.eclipse.org/
* Visual Web Developer Express - http://www.microsoft.com/express/vwd/

Mark.

© 2020   Created by Quality Testing.   Powered by