Login Security Cases:-
Some Security Test Cases should be executed to test login security:
- No one should be able to log in with an invalid username/password.
- Passwords should always be encrypted.
- A minimum length for the password field should be enforced, and it is even better if that minimum is not shown to the user.
- It should not be possible to copy and paste the password.
- The number of invalid attempts allowed should be specified.
- CAPTCHA code verification is an advantage for the login page.
Automation Process:- The attacker must be stopped from automating the login process.
The form should not be completable entirely by automation; at least one manual entry should be required for human verification, such as a CAPTCHA code or OTP verification.
- Validation messages should be checked: they should not reveal too much information.
- Validation messages should state only what is restricted, not exact details.
SQL Injection:- The goal of this attack can be to bypass the login system, obtain user details, secured service information, etc.
Suppose the attacker supplies the following input to log in:
Enter email@example.com as the email address
Enter xxx') OR 1 = 1 -- ] as the password
Click on the Submit button
Output Result:- If this leads to the dashboard, it means the generated SQL statement looks like:-
SELECT * FROM users WHERE email = 'email@example.com' AND password = md5('xxx') OR 1 = 1 -- ]');
Another condition should also be checked:
Enter a single quote (') in any text box (email, password, etc.); it should be rejected by the application.
Therefore, if we try a code like ' or 1=1;--, I think we should also try the code with double quotes, " or 1=1;--.
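The login check above as a runnable test, added here as an example (it is not code from the original page): a query built by concatenation, like the one shown, beside a parameterized one, both run against an in-memory SQLite table. The table contents, the function names and the stored password are assumptions for illustration; md5() is registered by hand because SQLite has no built-in one.

```python
import hashlib
import sqlite3

def md5_hex(text):
    # md5 mirrors the query on this page; real systems use a password-hashing function.
    return hashlib.md5(text.encode()).hexdigest()

def make_db():
    """Constructed sample data: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, md5_hex)
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("email@example.com", md5_hex("correct-horse")))
    return conn

def login_concatenated(conn, email, password):
    """Vulnerable form: user input becomes part of the SQL text."""
    sql = ("SELECT * FROM users WHERE email = '" + email +
           "' AND password = md5('" + password + "')")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, email, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE email = ? AND password = md5(?)"
    return conn.execute(sql, (email, password)).fetchone() is not None

def attempt(login, conn, email, password):
    """Run one test case; return 'granted', 'denied' or 'sql-error'."""
    try:
        return "granted" if login(conn, email, password) else "denied"
    except sqlite3.Error:
        # A database error caused by a quote means input reached the SQL parser.
        return "sql-error"

if __name__ == "__main__":
    conn = make_db()
    cases = [("email@example.com", "xxx') OR 1 = 1 -- ]"),  # input from this page
             ("'", "x"),                                     # single-quote check
             ("email@example.com", "correct-horse")]         # valid login
    for email, password in cases:
        print(repr(password),
              attempt(login_concatenated, conn, email, password),
              attempt(login_parameterized, conn, email, password))
```

A "granted" or "sql-error" result for the first two cases is a failed security test; the parameterized form should return "denied" for both.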
Brute Force Attack:- This is an attempt to break the login and gain unauthorized access.
- Testing should try credentials that could be related to the name of the site, the services it offers, its products, etc., to break the password.
- The attack spends an unlimited amount of time trying every combination of alphanumeric characters to get into the system.
- A limit on the number of invalid attempts should be enforced to protect against this attack.
Cross Site Scripting (XSS):-
The fields should be tested with HTML tags and scripts such as <HTML> or <SCRIPT>, and the application should not accept them. If they are accepted, the application may be open to Cross Site Scripting.
CSRF (Cross Site Request Forgery):-
The application should generate unique random tokens for every session request. The server should check and verify them. Requests with duplicate tokens or missing values should be blocked.
Note: There may be more challenges, so keep learning about security testing components.