Test ideas:
Do a simple security test for the web, primarily for URL testing.
In retrospect, the test nature could be classified as a "privilege" test, as follows:
Case 1:
1. Open two browsers and log in to the Web background with two different accounts
2, the first browser, the identity of one account, to view the account itself related pages of sensitive information, data, etc.
3, copy another user's access link to another browser, open as another account, view, if the page has related actions, then try to further related operations
Case 2:
1. Open two browsers and log in to the Web background with two different accounts
2, the first browser, the identity of one account, to view the account's own relevant pages of sensitive information, data, or to perform sensitive operations, such as the change of commodity prices, upper and lower shelves, etc., at the same time, through the capture tool captures access requests
3, to another account, the relevant related pages of the operation, the purpose is to obtain the request header, and then get the login token and other information.
4, through the tool, the request for the first class information in step 2 is replaced with the request header information in step 3, and then send the request captured in step 2, try to modify the account related information in step 2, or the demo account 2 to perform related actions, try to take the logged in step 3 as the "springboard" to perform the operation without permission.
URL security test on the Web