We've got a web application which is 99% complete prior to public beta. We're currently securing the site from a security perspective, locking down the server, db etc. One thing I'm concerned about, but not really sure of the best way to test, is authentication loopholes.

For instance, there are 3 user types - System admin, Staff, Client.

There are urls on the site that I would only want the System admin to be able to access, and there are other pages, that I would want everyone to access, but not view all of the data. System admin would be able to see everything, but Staff and Client would be able to see some content, similarly some pages would be read only for some users.

Is there a workflow for testing this? At the moment I've come up with a script that has the credentials of each user type and goes to every url on the site trying to access pages, and reports if it's able to see a page it's not meant to; similarly it checks for read / write data on the page.

  • Is there anything else I should be checking for to make my authentication tests more robust?
Tulains Córdova
asked Aug 8, 2014 at 14:06
  • Remember that "I" in English is always capitalized. Commented Aug 8, 2014 at 14:17
  • You could test the edge case of logging in as admin, logging out and logging in as client to make sure the permissions of admin don't carry forward. You might also want to check if a not logged in user is re-directed back to the login page if they visit a page that is not available to a guest. Commented Aug 8, 2014 at 15:36
  • If securing your web application is 1%, I'd hate to see the other 99%. Commented Sep 4, 2014 at 17:39

1 Answer

Sounds like you have the ordinary stuff covered. If you know all the root entry points to the site, a simple spider can easily retrieve the set of pages reached by each of the 4 kinds of users (don't forget anonymous), and determine whether the page retrieved has the extra sensitive content.

You don't have to worry too much about mistakes that wrongly block access. Your users will find those for you, and no harm is done. You need something extra for the admin pages and sensitive content that might be accessible when they shouldn't.

At some point you have to switch hats and try to break into your own site. The rules are: you get full access to the source code and a set of user names, but not the passwords. Can you retrieve any sensitive data or do any damage? If there are such vulnerabilities, you won't find them by dumb pounding on the keyboard. You have to think like a hacker.

answered Aug 9, 2014 at 4:04
  • Better yet, hire one. It's often harder to break your own code. Commented Aug 9, 2014 at 6:43