Archive for the ‘Scecurity Testing’ Category

Some Important Questions on Scecurity Testing :

Questions-Answer:

1. What is Authorization?

a) Authorization means checking permission

b) Authorization means checking credential.

c) Authorization means checking proper navigation

d) Authorization means checking approval

Ans:  a

2. What is Authentication?

a) Authentication means checking permission

b) Authentication means checking credential.

c) Authentication means checking proper navigation

d) Authentication means checking approval

Ans:  b

3. Why we do security testing?

a) To maintain Quality

b) To check authorized activities

c) To make application secure and maintains functionality as intended

d) To remove vulnerabilities

Ans:  d

4. Which methods/techniques are used for security testing?

a) Functional and Risk based  security testing

b) XSS and SQL injection

c) Password cracking and URL Manipulation

d) Get and Post

Ans:  b

 5. What is “Vulnerability”?

a) Bugs in the application

b) Cause in the web application

c) Weakness in the web application

d) Change in the application

Ans:  c

 6. Security Tests are created on the basis of:

a) More faults

b) Approches

c) Methods

d) Roles

Ans:  d

7. Security Testing is a type of:

a) Review Testing

b) Recovery Testing

c) Performance Testing

d) Functionality Testing

Ans:  a

8. Static analysis is best described as:

a) The analysis of batch programs

b) The reviewing of test plans.

c) The analysis of program code.

d) The use of black box testing.

9. Which symbol is used to test SQL injection?

a) Hash

b) Double Quotes

c) Ampersand

d) Single Quote

10. What is the full form of XSS?

a) Cross-Site Scripting

b) Cross-Side Scripting

c) Xml-Site Scripting

d) Xml-Side Scripting

Ans: a

Advertisements

Test Cases for Security Testing:                                                                                                                                               

1. Try to directly access bookmarked web page without login to the system.

2. Verify that system should restrict you to download the file without sign in on the system.

3. Verify that previous accessed pages should not accessible after log out i.e. Sign out and then press the Back button to access the page accessed before.

4. Check the valid and invalid passwords, password rules say cannot be less than 6 characters, user id and password cannot be the same etc.

5. Verified that important i.e. sensitive information such as passwords, ID numbers, credit card numbers, etc should not get displayed in the input box when typing. They should be encrypted and in asterix format.

6 .Check Is bookmarking disabled on secure pages? Bookmarking Should be disabled on secure pages.

7. Check Is Right Click, View, Source disabled? Source code should not be visible to user.

8. Is there an alternative way to access secure pages for browsers under version 3.0, since SSL is not compatible with those browsers?

9. Check does your server lock out an individual who has tried to access your site multiple times with invalid login/password information?

10. Verify the timeout condition, after timeout user should not able to navigate through the site.

11. Check Are you prevented from doing direct searches by editing content in the URL?

12. Verify that relevant information should be written to the log files and that information should be traceable.

13. In SSL verify that the encryption is done correctly and check the integrity of the information.

14. Verify that restricted page should not be accessible by user after session time out.

15. ID / password authentication, the same account on different machines cannot log on at the same time. So at a time only one user can login to the system with a user id.

16. ID / password authentication methods entered the wrong password several times and check if the account gets locked.

17. Add or modify important information (passwords, ID numbers, credit card number, etc.). Check if it gets reflected immediately or caching the old values.

18. Verify that Error Message does not contain malicious info so that hacker will use this information to hack web site.