Sample Security Test Cases For A Shopping Cart Application

Functional Tests
    * Customer Order File
      * Ensure that ‘orders.txt’ file permissions are as restrictive as possible. If these permissions are loosely defined, file this as a severity 1 security issue.
      * Ensure that sensitive data within the ‘orders.txt’ file is encrypted using a known strong algorithm. This is a severity 1 security issue.
    * Customer Data Stored in a SQL Database
      * Ensure that sensitive data within the SQL Database is encrypted using a known strong algorithm. This is a severity 1 security issue.
    * Registration Form
      * For each user input, perform common security-related input validation tests. See The Web Application Security Consortium’s Threat Classification for a list of common input vulnerability types, and test each input for each vulnerability type. The severity level of a vulnerability is determined by the vulnerability type and its probability.
      * (If SQL is used) Perform both standard SQL Injection and Blind SQL Injection tests, as outlined by http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf and http://www.securiteam.com/securityreviews/5DP0N1P76E.html. If SQL Injection is present, file this as a severity 1 issue.
    * Login
      * For each user input, perform common security-related input validation tests. See The Web Application Security Consortium’s Threat Classification for a list of common input vulnerability types, and test each input for each vulnerability type. The severity level of a vulnerability is determined by the vulnerability type and its probability.
      * (If SQL is used) Perform both standard SQL Injection and Blind SQL Injection tests, as outlined by http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf and http://www.securiteam.com/securityreviews/5DP0N1P76E.html. If SQL Injection is present, file this as a severity 1 issue.
    * Buying Items
      * Ensure that the user is unable to modify the price of a given item. Ensure that the price is not exposed in a web form, cookie, query string, or POST data. If the price is exposed through one of these vectors, ensure that, if it is changed, the application detects the modification on the server side and refuses to sell the item for anything other than the stated price.
      * For each user input, perform common security-related input validation tests. See The Web Application Security Consortium’s Threat Classification for a list of common input vulnerability types, and test each input for each vulnerability type.
    * Search Engine
      * For each user input, perform common security-related input validation tests. See The Web Application Security Consortium’s Threat Classification for a list of common input vulnerability types, and test each input for each vulnerability type.
      * (If user text is echoed back) Test for cross-site scripting vulnerabilities. If discovered, file a severity 2 issue.
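The ‘orders.txt’ permission check above can be automated rather than eyeballed. The following is an added example, not part of the original test plan: it flags any group or other permission bit on the file as the severity 1 finding the test case describes, and the sample order file it creates is constructed for the demonstration (the real application's file name and location are whatever the deployment uses).

```python
import os
import stat
import tempfile

# Any group/other bit on the order file counts as "loosely defined".
GROUP_OR_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_mode(mode):
    """Return the offending group/other bits of a permission mode (0 means the file is owner-only)."""
    return stat.S_IMODE(mode) & GROUP_OR_OTHER_BITS


def check_orders_file(path):
    """Return ("PASS", detail) or ("FAIL", detail) for the file at path, per the severity 1 test case."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    bad = audit_mode(mode)
    if bad:
        return ("FAIL", f"{path}: mode {oct(mode)} grants group/other bits {oct(bad)}; severity 1")
    return ("PASS", f"{path}: mode {oct(mode)} is owner-only")


def make_sample_orders_file(mode):
    """Create a constructed sample order file with the given mode and return its path (demo only)."""
    fd, path = tempfile.mkstemp(prefix="orders_", suffix=".txt")
    os.write(fd, b"order_id,customer,card_last4\n1001,alice,4242\n")  # constructed sample rows
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        sample = make_sample_orders_file(mode)
        print(check_orders_file(sample))
        os.unlink(sample)
```

Run it as a script and it reports a FAIL for a 0644 file and a PASS for a 0600 file; in a real audit, point `check_orders_file` at the deployed order file and also confirm the owning account is the application user rather than a shared or root account.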
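The "Buying Items" check above is about trusting the server's price, not the client's. As an added example that is not code from the original page, the handler below is shown first in the form the test case is meant to catch (the submitted price is used as-is) and then hardened so the price always comes from the server-side catalog and any client-supplied price that disagrees is rejected. The catalog, field names and quantity limit are constructed for the demonstration.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only trusted source of prices.
CATALOG = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("5.00"),
}
MAX_QTY = 100  # assumed business limit


class PriceTamperingError(ValueError):
    """Raised when a client-submitted price does not match the server's price."""


def checkout_vulnerable(form):
    """Before: total is computed from whatever price the client posted (the defect being tested for)."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """After: price comes from CATALOG; a submitted price is only used to detect tampering."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise KeyError(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError(f"quantity {qty} out of range")

    server_price = CATALOG[sku]
    if "price" in form:
        # The price should not be in the form at all; if a legacy client still sends it,
        # treat any mismatch as a tampering attempt and refuse the sale.
        try:
            submitted = Decimal(form["price"])
        except InvalidOperation:
            raise PriceTamperingError("non-numeric price submitted")
        if submitted != server_price:
            raise PriceTamperingError(
                f"submitted price {submitted} != catalog price {server_price} for {sku}"
            )
    return server_price * qty


if __name__ == "__main__":
    tampered = {"sku": "sku-100", "qty": "2", "price": "0.01"}  # constructed POST body
    print("vulnerable total:", checkout_vulnerable(tampered))
    try:
        checkout_hardened(tampered)
    except PriceTamperingError as e:
        print("hardened handler refused:", e)
    print("hardened total:", checkout_hardened({"sku": "sku-100", "qty": "2"}))
```

The tester's pass criterion maps directly onto the hardened handler: a modified price must never change the charged total, and the server should log the mismatch so the attempt is visible to operations rather than silently corrected.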
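The SQL Injection items under "Registration Form" and "Login" test whether user input reaches the query as SQL. As an added example, not taken from the original page, the lookup below is shown once with string concatenation (the pattern those tests detect, here demonstrated with the textbook tautology input against an in-memory SQLite table constructed for the demo) and once with a parameterized query, which is the fix a severity 1 finding should lead to.

```python
import sqlite3


def make_sample_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Before: the input is spliced into the SQL text, so quotes in it change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_hardened(conn, username):
    """After: the input is bound as a parameter and can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_sample_db()
    probe = "x' OR '1'='1"  # classic tautology used by the standard SQL Injection test
    print("vulnerable:", find_user_vulnerable(conn, probe))  # returns alice without knowing her name
    print("hardened:  ", find_user_hardened(conn, probe))    # returns nothing
    print("hardened, real user:", find_user_hardened(conn, "alice"))
```

Blind SQL Injection, which the referenced papers cover, differs only in how the result is observed (timing or true/false page differences rather than returned rows); the parameterized query closes both, which is why the test plan treats the finding as severity 1 regardless of which variant surfaced it.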
