(I am a software tester, not a software developer. I am testing a software developer's webportal (Tomcat) / database (MySQL) software.)

In the client web browser, I have to have cookies enabled (default) and JavaScript enabled (default) in order to log in. I am using FF3.5.5.

Once successfully logged in, I then disable the javascript setting on the webbrowser.

I am logged into the webportal in order to tail the log -- in order to monitor for exceptions. I am also logged into the database (mysql) -- in order to see any changes in the database.

pwd
/usr/local/tomcat/logs


The webportal provides to the user four "add/edit form pages" that the user can navigate into, enter data into, and then click on the submit button (to write to the database)... AND each of these four "add/edit form pages" is designed with "client side JavaScript field checking" -- to make sure that the user fills out the 'required' fields (Note: In this case, I am only interested in the case where there is error checking upon clicking on the submit button).


Two of the four "add/edit form pages" do not display when navigated to. I would say that this is a pass -- SINCE javascript is disabled on the client.

  • Though, there is no message "bubbled up to the user" explaining why the webportal has chosen not to display the "add/edit form" to the user (fail).

The other two allow me to navigate into them. I would say that this is a fail.

  • One of these "add form pages" -- that I am able to navigate to, allows me to then "submit" the form (with all of the required fields intentionally left in the null state -- upon submit) (fail). This then causes the webportal to throw an exception (fail). The database table is not changed (pass).

  • One of these "add form pages" -- that I am able to navigate to, allows me to then "submit" the form (with all of the required fields intentionally left in the null state -- upon submit) (fail). This then does NOT cause the webportal to throw an exception (pass). The user is able to write the info to the database table (if it was the first submission using this form for the account) (fail).


I believe that my assessments of the passes and fails above are correct.

I am curious to know what the proposed fix would be in actual code.

A: 

It looks to me like the portal is lacking server-side validation and relies on JavaScript for validating. This is a major security flaw and should be fixed. So I guess the following should pass with JavaScript turned off

  • user is able to view the form
  • user is able to submit the form with valid data
  • user is able to submit invalid data and gets an exception (or better, a friendly message) from the server
stereofrog
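The server-side check the answer calls for, as an added example that is neither the portal's code nor the answerer's: a Tomcat servlet that verifies required fields on the server before any database write. The field names, the `records` table and the `jdbc/portal` JNDI resource are assumed.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Hypothetical servlet behind one "add form page"; field and table names are assumed.
public class AddRecordServlet extends HttpServlet {
    private static final String[] REQUIRED = {"name", "email"};
    @Resource(name = "jdbc/portal") // assumed JNDI name of Tomcat's MySQL connection pool
    private DataSource dataSource;

    // Required fields that are absent or blank. This runs on the server, so it holds
    // whether or not the browser executed the client-side JavaScript checks.
    static List<String> missingRequired(HttpServletRequest req) {
        List<String> missing = new ArrayList<>();
        for (String field : REQUIRED) {
            String value = req.getParameter(field);
            if (value == null || value.trim().isEmpty()) missing.add(field);
        }
        return missing;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        List<String> missing = missingRequired(req);
        if (!missing.isEmpty()) {
            // Reject before touching the database: a friendly message, not a stack trace.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Please fill in: " + String.join(", ", missing));
            return;
        }
        // Only validated input reaches the insert; bind parameters keep it free of SQL injection.
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement("INSERT INTO records (name, email) VALUES (?, ?)")) {
            ps.setString(1, req.getParameter("name").trim());
            ps.setString(2, req.getParameter("email").trim());
            ps.executeUpdate();
        } catch (SQLException e) {
            log("insert failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Could not save the record.");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/added.jsp");
    }
}
```

With this in place, a submit with empty required fields gets a 400 response and no row is written, regardless of the browser's JavaScript setting. On Tomcat 10 and later the `javax.servlet` packages are named `jakarta.servlet`.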