Beware of the man who won’t be bothered with details.
At the most basic level, a test case is just a series of inputs and expected outputs. Security testing requires tweaking input in ways normally prohibited by well-behaved, normal web browsers. This chapter lays the foundation for security tests. Together with the ability to observe output (discussed in Chapter 3), these make up the fundamentals for designing security test cases for any web application.
Security vulnerabilities can be exploited from any type of input. We intend to take you beyond functional testing, and help you tamper with forms, files, GET, POST, AJAX, cookies, headers, and more.
This chapter suggests many ways of tampering with input and may even include common attack patterns, but does not go into detail on the most famous of web security flaws such as XSS, CSRF, and SQL Injection. These will be covered in Chapter 12.
Depending on the environment you are given, you might be executing your tests against development servers, staging (i.e., pre-production ), or separate QA/testing servers. We would discourage testing against production web applications, unless you really have no alternative. Depending on which environment you’re using, you have a few pitfalls to be aware of and avoid.
If you test against development, be aware that your test environment probably does not map well to your production environment. Web servers, application servers, and the application itself ...