Security Vulnerabilities Usability Testing
A web application may contain many security vulnerabilities that can be exploited. If they are not addressed, information can be read and databases corrupted. The following are examples of the tests EPRI SET will perform.
- Examples of SQL Injection testing:
  - In the querystring, enter a SQL statement such as `'; Delete from users --` into a querystring variable
  - Enter `' OR 1=1` into a form field or querystring variable
  - See the following for more information and testing examples: http://www.owasp.org/index.php/SQL_Injection
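The following is an added example (not part of the EPRI SET page or OWASP material) showing why the `' OR 1=1` style input above matters. It builds an in-memory SQLite table with constructed sample users, runs the same lookup once with string concatenation and once with a parameterized query, and shows that the concatenated form returns every row while the parameterized form treats the input as a literal username. The payload uses a trailing `--` so that the quote the application appends is commented out, which is the same trick as the page's first payload.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the two accounts are not real users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver binds the input as data, so the same
    payload is looked up literally and matches no row."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed test input modelled on the page's "' OR 1=1" example; the
# trailing "--" comments out the closing quote the application appends.
PAYLOAD = "' OR 1=1 --"


def compare(conn: sqlite3.Connection, username: str) -> dict:
    """Return the row counts from both implementations for one input; the
    difference is the signal a tester looks for."""
    return {
        "vulnerable": len(find_user_vulnerable(conn, username)),
        "safe": len(find_user_safe(conn, username)),
    }


if __name__ == "__main__":
    db = make_db()
    print("normal input :", compare(db, "alice"))
    print("payload input:", compare(db, PAYLOAD))
```

With the legitimate name `alice` both functions return one row; with the payload the concatenated version returns all rows and the parameterized version returns none, which is exactly the behaviour difference a tester records and a developer fixes by moving to bound parameters.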
- An example of Cross-Site Scripting:
- Examples of Username Enumeration:
  - Using default or general usernames and passwords such as admin/admin and test/test
  - Supplying specific error messages at the login screen, for example stating "Username is not valid" when a user enters a wrong username. The message should instead state "Login information is incorrect".
  - See the following for more information: http://www.owasp.org/index.php/Testing_for_Default_or_Guessable_User_Account
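An added example, not from the EPRI SET page, covering both bullets above: a login routine that leaks whether a username exists beside one that returns the page's recommended generic message, plus an audit helper that checks a user table for the default credential pairs the page names. The user accounts, the `ITERATIONS` value and the dummy-credential trick are assumptions of this example; the dummy hash keeps the unknown-user path doing the same work as the known-user path so the two failures also look alike in timing.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_table(creds) -> dict:
    """Build {username: (salt, hash)} from constructed (username, password) pairs."""
    table = {}
    for username, password in creds:
        salt = secrets.token_bytes(16)
        table[username] = (salt, hash_password(password, salt))
    return table


# Constructed sample accounts; "admin"/"admin" is deliberately weak.
USERS = make_user_table([
    ("alice", "correct horse battery staple"),
    ("admin", "admin"),
])

# Dummy credential hashed when the username does not exist, so the
# unknown-user branch costs the same as the known-user branch.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password("placeholder-not-a-real-password", _DUMMY_SALT)

GENERIC_MESSAGE = "Login information is incorrect"


def login_leaky(username: str, password: str):
    """Enumerable: the message reveals whether the username exists."""
    if username not in USERS:
        return False, "Username is not valid"
    salt, stored = USERS[username]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "OK"
    return False, "Password is incorrect"


def login_uniform(username: str, password: str):
    """Both failure modes return the same message and do the same hashing work."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if match and username in USERS:
        return True, "OK"
    return False, GENERIC_MESSAGE


# Default pairs named on the page; a deployment checklist would extend this.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("test", "test")]


def find_default_accounts(table: dict, defaults=DEFAULT_CREDENTIALS) -> list:
    """Audit helper: return usernames whose stored hash matches a default password."""
    found = []
    for username, password in defaults:
        if username in table:
            salt, stored = table[username]
            if hmac.compare_digest(hash_password(password, salt), stored):
                found.append(username)
    return found


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), login_leaky("alice", "x"))
    print(login_uniform("nobody", "x"), login_uniform("alice", "x"))
    print("accounts still on default credentials:", find_default_accounts(USERS))
```

The leaky version answers differently for an unknown user and a wrong password, which is what a tester probes for; the uniform version gives `Login information is incorrect` in both cases, and `find_default_accounts` is the kind of check to run before release so that admin/admin never reaches production.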
These are just three of many vulnerabilities, and examples of how an attacker can exploit a site to retrieve information or corrupt a database. The developer is expected to address security vulnerabilities when developing an application. For more information, please visit the following website: http://www.owasp.org/index.php/Main_Page.