Data Tampering is good for Testers
This is a guest post by Huma *.
Secure web applications are critical in today’s world, where almost everyone has an extensive online presence; it is therefore vital to protect these applications from external threats and malicious attacks. A large number of web applications offer a wide range of services, including personal banking, retail and shopping, social media, access to medical services and patient records, social security services and document repositories. The majority of web applications require some form of data security, so that unauthorized access to the application and unintended use of its data can be restricted. In such a scenario, security testing of a web application becomes vital, as it not only helps validate an application’s security services but also identifies potential security flaws. Programmers do their job by writing secure applications; however, software testers also need to be aware of, and equipped with, the tools that can help them expose the security vulnerabilities of these applications.
The security of a web application can be tested in a number of ways, including tampering with data. Data tampering is mostly viewed as a hacking technique; however, it can be equally useful for security testing of a web application. I have found this to be a very useful and interesting technique, so I thought that I should share it with my fellow software test engineers who are not yet aware of the usefulness of this powerful but simple technique.
A large number of online applications use the HTTP protocol to communicate on the web, and parameters are conveyed in requests (using the GET and POST methods) from a client application to a remote server. Data tampering can reveal the data being sent from a client to a server and from a server to a client, making it possible to manipulate and alter the values entered into a web form while completely ignoring the restrictions and constraints imposed by the web interface.
In order to manipulate these GET and POST requests, a data-tampering tool is required which serves as a proxy placed between the client and the server. This tool allows a tester to completely bypass the web interface and send altered values directly to the server-side application. These altered values can disturb the backend application in a number of ways (violating boundary values and character ranges) and can be very helpful in revealing security loopholes in an application’s design.
Data Tampering Examples
As mentioned earlier, a good example of using the data tampering technique is testing the boundary values and character ranges for a field on the web interface. Let’s say that an input field on the web form allows only 1-20 characters. For an invalid-partition test, sending 0 and 21 characters through the web interface would be a good test. But to make sure that it is not just the web interface that enforces the validation rule, try sending the tampered data directly through the POST parameter. If the database or the backend application doesn’t enforce a similar validation rule, you might end up crashing the application.
One of my favorite examples is of an online bookselling application where a hacker made money by ordering a negative number of books. The web interface for the bookstore asked its users to select the purchase quantity for the books from a drop-down list. A hacker altered the submitted value using a data-tampering tool and entered a quantity of “-1”. The developer had enforced the range validation only at the web interface level and not at the backend application level. The price for the order was calculated to be –x USD, and the hacker actually ended up receiving a refund on his credit card. Imagine the damage that could have been caused if a value other than -1 had been entered.
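As an added illustration (not code from the original post), here is how the backend in the two examples above should re-check what the web form promised: a small Python model of an order handler that decodes a raw POST body, exactly the text a tampering proxy sees and edits, and compares the unchecked pricing with a version that re-validates field length and quantity on the server. The field names, price and quantity cap are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed assumptions for this example (not from the post): field names, the
# 1-20 character rule quoted in the post, a drop-down capped at 99 and a fixed price.
MAX_TITLE_LEN = 20
MAX_QUANTITY = 99
BOOK_PRICE_USD = 25


def parse_form_body(body: str) -> dict:
    """Decode a raw application/x-www-form-urlencoded POST body (what a tampering
    proxy edits in transit) into one string value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_order(form: dict) -> list:
    """Re-apply the web form's rules on the server; returns a list of errors (empty = ok)."""
    errors = []
    title = form.get("title", "")
    if not 1 <= len(title) <= MAX_TITLE_LEN:
        errors.append(f"title length {len(title)} outside 1..{MAX_TITLE_LEN}")
    qty = form.get("quantity", "")
    # Only ASCII digits pass, so '-1', '', '1.5' and ' 2' are all rejected before int().
    if not re.fullmatch(r"[0-9]+", qty) or not 1 <= int(qty) <= MAX_QUANTITY:
        errors.append(f"quantity {qty!r} outside 1..{MAX_QUANTITY}")
    return errors


def price_order_unchecked(form: dict) -> int:
    """The flaw described in the post: trusts the quantity the drop-down 'guarantees'."""
    return int(form["quantity"]) * BOOK_PRICE_USD


def price_order_checked(form: dict) -> int:
    """Hardened version: the same arithmetic, but only after server-side validation."""
    errors = validate_order(form)
    if errors:
        raise ValueError("; ".join(errors))
    return int(form["quantity"]) * BOOK_PRICE_USD


# Constructed request bodies: what the browser sends, and the same request after a
# proxy changed the title to 21 characters and the quantity to -1.
NORMAL_BODY = "title=Secure+Testing&quantity=2"
TAMPERED_BODY = "title=" + "A" * 21 + "&quantity=-1"

if __name__ == "__main__":
    for body in (NORMAL_BODY, TAMPERED_BODY):
        form = parse_form_body(body)
        print(body, "-> unchecked total:", price_order_unchecked(form),
              "| server-side errors:", validate_order(form) or "none")
```

Running it shows the unchecked handler happily pricing the tampered order at a negative total, while the validating handler rejects both the over-long title and the quantity.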
This technique can also be used to insert SQL, XML, or command-line injections to test an application’s defense mechanisms against data disclosure and corruption attacks.
Data Tampering Tools
So far, I know of the following tools that can be helpful in exposing an application’s robustness against data tampering attacks. They are free and easy to use.
The first is a Firefox add-on, which can be used to view and modify HTTP/HTTPS headers and POST parameters.
The second is a utility that enables tampering with HTTP requests from Internet Explorer.
The third is a web debugging proxy that enables manipulation and editing of web sessions. It not only permits viewing and alteration of requests but also of their responses. It also supports multiple browsers, including Internet Explorer, Chrome, Safari and Firefox. It is much more flexible and powerful than the first two, and is also my personal favorite.
Since the possibilities for damaging a web application through data tampering are endless, it is my recommendation that software testers use data tampering techniques to ensure that their applications are resilient to such attacks.
* Huma Hamid is one of the driving forces behind this blog, and this is her second guest post. Whereas the first one was related to a discussion on wasting time in testing, this one details a web testing technique. She has an excellent view of the general systems in action and then relates how software testing fits into it. Thanks for your thoughts, Huma, and I hope that Knowledge Testers would like this post.