Why do I need security testing? (Test Career Development)
Source: Internet
Author: User
What goes into a security test? Simple cases include bypassing permission checks and tampering with submitted data; more complex ones include blind SQL injection, cross-site scripting, and more. We won't enumerate them here; this article is only about why we do security testing at all.
In fact, there is not much material online about security testing, and what little there is only touches on security in passing. Of course, I understand that some big companies have their own security testing teams, and in those companies this work is not done by the testers.
Now let's talk about why we do security testing, or rather what problems and consequences a lack of security brings.
First, the database. For a product such as a website, the component most in need of security precautions is the database. Without security testing, an expert's blind SQL injection will gradually lay your database bare in front of an attacker: the database type, the table structure, the field names, even detailed user records. There are countless ways to make all of it visible "at a glance".
Second, privileges. Websites generally prescribe what each kind of user may do. For example, a moderator can modify every post, an ordinary user can edit only their own posts, and a visitor can only read them. That is a simple privilege model. Without security assurance it is easy for someone to step outside those bounds and do things they shouldn't.
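The privilege model just described (moderator edits everything, users edit only their own posts, visitors read only), as an added example that is not code from the original article. The roles, the two sample posts and the "edit post" handlers are constructed for illustration; the point is that the vulnerable handler only asks "is someone logged in?", never "may this person touch this post?", which is exactly the gap the paragraph warns about.

```python
import copy

# Constructed sample data: who has which role, and who wrote which post.
ROLES = {"alice": "user", "bob": "user", "carol": "moderator"}
POSTS = {
    1: {"author": "alice", "title": "Hello"},
    2: {"author": "bob", "title": "World"},
}


def role_of(user):
    """None means 'not logged in', i.e. a visitor."""
    return ROLES.get(user, "visitor") if user else "visitor"


def can_edit(user, post):
    """The article's rule: moderators edit all, users edit their own, visitors nothing."""
    role = role_of(user)
    if role == "moderator":
        return True
    if role == "user":
        return post["author"] == user
    return False


def edit_post_vulnerable(posts, user, post_id, new_title):
    # Only checks that *somebody* is logged in; alice can rewrite bob's post.
    if user is None or post_id not in posts:
        return "denied"
    posts[post_id]["title"] = new_title
    return "ok"


def edit_post_safe(posts, user, post_id, new_title):
    # Authorisation is checked against the specific object being changed.
    post = posts.get(post_id)
    if post is None or not can_edit(user, post):
        return "denied"
    post["title"] = new_title
    return "ok"


def run_matrix(handler):
    """Try every (user, post) pair against a handler on a fresh copy of the posts."""
    posts = copy.deepcopy(POSTS)
    return {
        (u, p): handler(posts, u, p, "edited")
        for u in (None, "alice", "bob", "carol")
        for p in (1, 2)
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", edit_post_vulnerable), ("safe", edit_post_safe)):
        print(name, run_matrix(handler))
```

A tester can drive the same matrix against a real site: log in as each role, replay the edit request against a post you do not own, and compare the outcome with the access rule the product claims to enforce.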
To cite a small example, take a login module that asks for a username and password. An honest user enters their own username and password. But what if we deliberately try to get around the login check?
Guess at the SQL: to check the username, the developer very likely compares against the database like this:
Select count(id) from Sys_user where username='XXX'
Of course it could be more complicated, but let's use this one. What happens if we enter a specially crafted string in the input box?
' or '1'='1
This is a magic string, because the SQL becomes:
Select count(id) from Sys_user where username='' or '1'='1'
The WHERE clause is now true for every row, the count is greater than zero, and we have skipped the username check...
This may sound basic and boring, but it is part of security.
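The login bypass above, as an added example that is not code from the original article: the vulnerable function builds the query by string concatenation exactly as the article guesses the developer did, and the safe function passes the username as a bound parameter so the quote in the payload stays a quote. An in-memory SQLite table stands in for Sys_user (the real column layout is not shown on the page, so only id and username are assumed).

```python
import sqlite3

INJECTION = "' or '1'='1"   # the payload discussed in the article


def build_query_vulnerable(username):
    """String-concatenated query, the pattern the article guesses the developer used."""
    return "SELECT count(id) FROM Sys_user WHERE username='" + username + "'"


def make_db():
    """Constructed in-memory stand-in for the article's Sys_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sys_user (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO Sys_user (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def user_exists_vulnerable(conn, username):
    # The payload rewrites the WHERE clause to `username='' or '1'='1'`,
    # which matches every row, so the count is never zero.
    row = conn.execute(build_query_vulnerable(username)).fetchone()
    return row[0] > 0


def user_exists_safe(conn, username):
    # Parameterised query: the value is sent separately from the SQL text and
    # compared literally, so "' or '1'='1" is just a username nobody has.
    row = conn.execute(
        "SELECT count(id) FROM Sys_user WHERE username=?", (username,)
    ).fetchone()
    return row[0] > 0


def demo():
    """Run a real user, an unknown user and the payload through both versions."""
    conn = make_db()
    return {
        name: (user_exists_vulnerable(conn, name), user_exists_safe(conn, name))
        for name in ("alice", "mallory", INJECTION)
    }


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name!r:16} concatenated={vuln!s:5} parameterised={safe}")
```

The same input that returns a nonzero count from the concatenated query returns zero from the parameterised one, which is the check a tester wants to see: the fix is not filtering quotes, it is never letting user input become part of the SQL text.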
Third, modifying submitted data. Our company once built a shopping site with online payment. During its security testing I found that by capturing the request in a proxy I could alter the submitted price, and the modified order still went through. Put simply, an item that originally cost 100 yuan could be bought for 1 yuan. That is a huge hidden danger.
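The price-tampering case, as an added example that is not code from the original article. The request shape (a JSON body with sku, qty and price), the catalogue and the two sample requests are constructed; the point is that the vulnerable checkout trusts the price the browser sends, while the safe one ignores any client-supplied price, looks it up by SKU on the server and validates the quantity (negative or zero quantities are another way to drive the total down).

```python
import json

# Server-side price list (constructed). This, not the request, is the source of truth.
CATALOG = {"sku-100": 100.00}

# Constructed requests: what the browser sends, and the same request after the
# tester edits the price in an intercepting proxy.
ORIGINAL = '{"sku": "sku-100", "qty": 1, "price": 100.0}'
TAMPERED = '{"sku": "sku-100", "qty": 1, "price": 1.0}'


def parse_order(raw):
    """Decode the JSON body POSTed to the checkout endpoint (shape is an assumption)."""
    return json.loads(raw)


def checkout_vulnerable(raw):
    # Multiplies whatever price the client sent: the article's 100 -> 1 bug.
    order = parse_order(raw)
    return round(order["price"] * order["qty"], 2)


def validate_order(order):
    """Return an error string, or None if the order is acceptable."""
    sku = order.get("sku")
    qty = order.get("qty")
    if sku not in CATALOG:
        return "unknown sku"
    if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1 or qty > 99:
        return "bad quantity"
    return None


def checkout_safe(raw):
    # Never reads order["price"]; the total comes from the catalogue.
    order = parse_order(raw)
    if validate_order(order) is not None:
        return None   # reject; a real handler would answer HTTP 400
    return round(CATALOG[order["sku"]] * order["qty"], 2)


def tampering_suspected(raw):
    """Detection hook: the client sent a price that disagrees with the catalogue."""
    order = parse_order(raw)
    sku = order.get("sku")
    return "price" in order and sku in CATALOG and order["price"] != CATALOG[sku]


if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, checkout_vulnerable(raw), checkout_safe(raw), tampering_suspected(raw))
```

If the client still sends a price (for display, say), keeping tampering_suspected as a logged check is cheap and turns a silent loss into an alert; the total itself must never depend on it.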
Fourth, the security implications of cross-site scripting (XSS). There is plenty of material online; the general process goes like this:
1. HTML injection. Every HTML injection proof of concept starts by injecting a JavaScript pop-up box: alert(1).
2. Doing bad things. If the pop-up box is not exciting enough: once the victim opens a page link that carries the injected HTML, the attacker can do all kinds of malicious things.
3. Trapping the victim. For example, the victim can be redirected to a phishing website, and so on, and suffer losses.
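The three steps above in code, as an added example that is not from the original article. A comment is rendered into a page three ways: verbatim (the HTML injection), with a naive "strip &lt;script&gt;" blocklist, and with proper output encoding via html.escape. The alert(1) proof of concept and the redirect-to-phishing payload are the ones the text describes; the phishing URL is constructed. The img/onerror payload goes beyond the page's alert(1) to show why the blocklist is not a fix.

```python
import html

# Payloads: the article's proof of concept, the article's "redirect to phishing"
# step (URL constructed), and one that needs no <script> tag at all.
POC = "<script>alert(1)</script>"
REDIRECT = "<script>location='https://phishing.example/'</script>"
IMG_PAYLOAD = '<img src=x onerror=alert(1)>'


def render_comment_vulnerable(comment):
    # Inserts user input into the page verbatim: this is HTML injection.
    return f'<div class="comment">{comment}</div>'


def render_comment_blocklist(comment):
    # A common wrong fix: delete the one tag the tester's proof of concept used.
    cleaned = comment.replace("<script>", "").replace("</script>", "")
    return f'<div class="comment">{cleaned}</div>'


def render_comment_safe(comment):
    # Output encoding for an element body: < > & " ' become entities, so the
    # browser shows the payload as text instead of executing it.
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def has_live_markup(markup):
    """Crude check used here: does any tag from the payloads survive as a tag?"""
    lowered = markup.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    for payload in (POC, REDIRECT, IMG_PAYLOAD):
        for name, render in (("verbatim", render_comment_vulnerable),
                             ("blocklist", render_comment_blocklist),
                             ("escaped", render_comment_safe)):
            print(f"{name:9} live={has_live_markup(render(payload))!s:5} {render(payload)}")
```

html.escape is the right tool only for text inside an element body; input placed into an attribute, a URL or a script block needs the encoding for that context, which is why testers try payloads in every place their input is reflected rather than stopping at the first alert(1).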