views: 562

answers: 4

Like, testing for:

  • invalid inputs (strings containing "'"s)
  • giving random IDs in URL parameters to access "unauthorized" pages
  • preventing SQL injection
  • ...
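The "random IDs in URL parameters" item above is an authorization test, not an input-validation one, so it needs a different driver. The following is an added example and not code from the original post: a toy invoice lookup with a deliberately unscoped version beside its scoped fix, and a probe that walks a range of ids as one logged-in user. `INVOICES`, `weak_get_invoice`, `fixed_get_invoice`, `probe_ids` and `leaks_existence` are all hypothetical stand-ins; against a real target the handler would be an HTTP request made with one user's session, and "owner" would be whatever in the response body identifies whose data came back.

```python
"""Authorization probe for object ids taken from a URL parameter (added example)."""
from typing import Callable, List, Optional, Tuple

Response = Tuple[int, Optional[str]]        # (HTTP status, owner named in the body)
Handler = Callable[[str, int], Response]     # (session user, invoice id) -> response

# Constructed fixture standing in for the real database: invoice id -> owning user.
INVOICES = {100: "alice", 101: "bob", 102: "bob", 103: "carol"}


def weak_get_invoice(session_user: str, invoice_id: int) -> Response:
    """Looks the record up by id alone; the session is never consulted."""
    if invoice_id not in INVOICES:
        return 404, None
    return 200, INVOICES[invoice_id]


def fixed_get_invoice(session_user: str, invoice_id: int) -> Response:
    """Scopes the lookup to the caller.  "Not yours" and "does not exist" get the
    same answer, so the endpoint cannot be used to enumerate which ids exist."""
    owner = INVOICES.get(invoice_id)
    if owner is None or owner != session_user:
        return 404, None
    return 200, owner


def probe_ids(handler: Handler, as_user: str, ids: range) -> List[int]:
    """Walk a range of ids as one logged-in user and return the ids whose record
    was served although it belongs to somebody else."""
    leaked: List[int] = []
    for invoice_id in ids:
        status, owner = handler(as_user, invoice_id)
        if status == 200 and owner != as_user:
            leaked.append(invoice_id)
    return leaked


def leaks_existence(handler: Handler, as_user: str, missing_id: int, foreign_id: int) -> bool:
    """True if an id that does not exist and an id owned by someone else are answered
    with different status codes: the data is withheld, but valid ids can still be mapped."""
    return handler(as_user, missing_id)[0] != handler(as_user, foreign_id)[0]


if __name__ == "__main__":
    for handler in (weak_get_invoice, fixed_get_invoice):
        print(handler.__name__,
              "leaked:", probe_ids(handler, "alice", range(100, 110)),
              "id oracle:", leaks_existence(handler, "alice", 999, 101))
```

`leaks_existence` is the caveat a practitioner usually adds to this test: an endpoint that returns 403 for another user's record and 404 for a missing one gives nothing away about the data, but it still tells an attacker exactly which ids are worth trying with a stolen session.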
+1  A: 

I would recommend reading this brilliant book to learn more about test plans.

In particular, a test plan is much more than a list of techniques like the ones you mentioned (these should most likely go into the details for the security testing).

It should at least contain:

  • The answers to the main questions:
    • why bother (what is gained by testing)
    • who cares (who are we working for)
    • how much (how much testing will be done)

You would not go wrong providing also:

  • Platforms
  • Methods (positive testing, load testing, etc.)
  • Functionality you're planning to test
  • Acceptance criteria

And there are plenty more things to talk about in the plan.

Ilya Kochetov
A: 

If you want to make a list, you can add "Trying simple JavaScript within a textarea field to see if the site saves and executes it".

Ólafur Waage
A: 

Test responses for:

  • integers: strings, null, values larger than those allowed, negative, zero
  • strings: strings longer than the allowed length

For invalid values, check whether the response being returned is informative enough.

Test to see that your application logs these errors. If it doesn't, you won't be able to identify and debug problems easily when they occur in production.

Also, fuzz testing is a must for web applications.
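The boundary cases in this answer, the quote-bearing inputs and SQL injection items from the question, and the textarea JavaScript check from the earlier answer can all be driven from one small harness. What follows is an added example, not code from any of the answers: a table of per-type boundary values, a checker that records a finding when the application crashes, accepts a value it must reject, returns an error that does not name the parameter, fails to log the rejection, or echoes quotes or tags back unescaped, and two hypothetical handlers for a `/profile?id=&bio=` endpoint, a deliberately weak one beside its hardened form. `PARAM_SPEC`, `BASE_REQUEST`, `ID_MAX`, the handler signature and the `"app"` logger name are all assumptions made for the example; against a real target `handler` would be a function that issues the HTTP request and returns the status and body.

```python
"""Boundary / invalid-input checks for a web handler (added example)."""
import html
import logging
from typing import Any, Callable, Dict, List, Tuple

Response = Tuple[int, str]                     # (HTTP status, response body)
Handler = Callable[[Dict[str, Any]], Response]  # request parameters -> response

# Hypothetical endpoint /profile?id=<int>&bio=<string>; parameter -> (type, max length)
PARAM_SPEC = {"id": ("int", 0), "bio": ("str", 32)}
BASE_REQUEST = {"id": "42", "bio": "hello"}    # a known-good request that gets mutated
ID_MAX = 2**31 - 1                             # assumed application limit for ids


def boundary_cases(ptype: str, max_len: int) -> List[Tuple[Any, bool]]:
    """Values to try for one parameter, paired with whether the app must reject them.

    Integers: strings, null, empty, larger than allowed, negative, zero, and quote /
    SQL fragments.  Strings: over-length and null must be rejected; quotes and a
    script tag may be stored, but must never come back unescaped."""
    if ptype == "int":
        bad = ["abc", None, "", "99999999999999999999", "-1", "0", "1'", "1 OR 1=1"]
        return [(v, True) for v in bad]
    return [("a" * (max_len + 1), True), (None, True),
            ("'", False), ('"', False), ("<script>alert(1)</script>", False)]


class ListLog(logging.Handler):
    """Captures log records so the check can confirm that rejections are logged."""
    def __init__(self) -> None:
        super().__init__()
        self.records: List[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def run_checks(handler: Handler, spec=PARAM_SPEC, base=BASE_REQUEST,
               logger_name: str = "app") -> List[str]:
    """Send every boundary case and return the list of findings (empty means clean)."""
    log = logging.getLogger(logger_name)
    sink = ListLog()
    log.addHandler(sink)
    log.setLevel(logging.DEBUG)
    findings: List[str] = []
    try:
        for name, (ptype, max_len) in spec.items():
            for value, must_reject in boundary_cases(ptype, max_len):
                req = dict(base)
                req[name] = value
                label = f"{name}={repr(value)[:40]}"
                sink.records.clear()
                try:
                    status, body = handler(req)
                except Exception as exc:           # a crash on bad input is a finding
                    findings.append(f"{label}: unhandled {type(exc).__name__}")
                    continue
                if status >= 500:
                    findings.append(f"{label}: server error {status}")
                elif status == 200 and must_reject:
                    findings.append(f"{label}: accepted invalid value")
                elif status != 200:
                    # A rejection should say which parameter failed and be logged.
                    if name not in body:
                        findings.append(f"{label}: error does not name the parameter")
                    if not any(r.levelno >= logging.WARNING for r in sink.records):
                        findings.append(f"{label}: rejection not logged")
                # Quotes or tags echoed back verbatim point at reflected XSS.
                if isinstance(value, str) and any(c in value for c in "<>'\"") and value in body:
                    findings.append(f"{label}: input reflected unescaped")
    finally:
        log.removeHandler(sink)
    return findings


app_log = logging.getLogger("app")


def weak_handler(req: Dict[str, Any]) -> Response:
    """Deliberately weak: crashes on non-numeric ids, takes any bio, echoes it raw, never logs."""
    uid = int(req["id"])
    return 200, f"<p>user {uid}: {req['bio']}</p>"


def hardened_handler(req: Dict[str, Any]) -> Response:
    """Validates both parameters, logs each rejection, and escapes what it echoes."""
    uid = req.get("id")
    if not isinstance(uid, str) or not (uid.isascii() and uid.isdigit()) \
            or not 1 <= int(uid) <= ID_MAX:
        app_log.warning("rejected id=%r", uid)
        return 400, "invalid value for parameter 'id'"
    bio = req.get("bio")
    if not isinstance(bio, str) or len(bio) > PARAM_SPEC["bio"][1]:
        app_log.warning("rejected bio (length %s)", None if bio is None else len(bio))
        return 400, "invalid value for parameter 'bio'"
    return 200, f"<p>user {int(uid)}: {html.escape(bio)}</p>"


if __name__ == "__main__":
    for h in (weak_handler, hardened_handler):
        found = run_checks(h)
        print(f"{h.__name__}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The split between "must reject" and "must not echo raw" matters: a single quote in a free-text field is a legitimate value, so the right outcome is to store it and escape it on output, whereas a quote inside an integer parameter should never get past validation. Treating every odd input as something to reject would mark the hardened handler as failing for doing the right thing.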

A: 

This is what I use:

Quality Test Plan

It's very simple and straightforward. It covers many common web flaws (e.g. broken links, etc.).

You might think it's too basic, but I'm always surprised how many bugs it reveals.

--LM

louism