PRINCIPLES IN SOFTWARE TESTING AND SOME BUGS THAT OTHERS DID NOT NOTICE Valeriy “krevetk0” Shevchenko
Post on 03-Jul-2020

Page 1: PRINCIPLES IN SOFTWARE TESTING AND SOME BUGS THAT … · Salesforce, Redbull, SoundGizmo ... Information leak through push notification message + Improper access control to the server

PRINCIPLES IN SOFTWARE TESTING AND SOME BUGS THAT OTHERS DID NOT NOTICE

Valeriy “krevetk0” Shevchenko

Page 2:

WHOAMI?

• QA Engineer at Delivery Hero
• Blogging at Medium/Habr
• Pwning web with ‘ since 2016
• “Stole” a BelkaCar carsharing car once
• Acknowledged by such companies as Amazon, Paypal, Salesforce, Redbull, SoundGizmo …

Page 3:

What does a QA engineer do?

QA is the most loved person among Bug Hunters and Pentesters

Page 4:

What should we know before starting testing?

• Scope
• Technology stack
• Business Flow
• Testing limitation

Page 5:

What is the main requirement in testing?

Page 6:

Testing Methodology: “How to shot web” by @jhaddix

https://youtu.be/Qw1nNPiH_Go

Page 7:

Another testing methodology: the OWASP Testing Guide

https://www.owasp.org/images/1/19/OTGv4.pdf

Page 8:

How about certifications for testers?

• OSCP, GWAPT, GPEN, GSEC, GCIH, GCIA, CCSP, CISSP, GIAC, CRTOP …

Page 9:

How about ISTQB?

Page 10:

How does it help?

It can give you a deep understanding of:

• Fundamentals of testing
• Testing throughout the software life cycle
• Test design techniques
• Test management

Page 11:

When do bugs arise?

Page 12:

Testing Principles

• Testing shows presence of defects
• Exhaustive testing is impossible
• Early testing
• Defect clustering
• Pesticide paradox
• Testing is context dependent
• Absence of errors fallacy

Page 13:

Kinds of testing

• Usability testing
• Documentation testing
• Smoke testing
• Functional testing
• Stress testing
• Configuration testing
• Regression testing
• Installation testing
• …

Page 14:

Defect clustering example

• Information leak through push notification message
• + Improper access control to the server data through a GET parameter
• + Information leak of users’ sensitive data

Page 15:

Regression testing example

Received an email from the original report

Reproduced the issue 6 months after it was fixed

And in the end they terminated the contract with the agency (which developed that app).

Page 16:

Documentation testing example

Page 17:

Mobile stress testing example

• Just did a stress test and found out that the application behaviour was going to be strange

• Combined the stress test with user search and boom…

Page 18:

Defect clustering example

• Just found a way to delete objects from the application server.

• And Stored XSS
• And Reflected XSS
• And again Stored XSS
• And path traversal
• And …

Server connection was terminated 🙅‍♂️

Page 19:

Mistake from design and defect clustering

Just found a place where the privacy policy doesn’t work.

With the understanding that something was wrong with the privacy functionality, I did some more checks and …

Page 20:

Mistake from design and defect clustering

Just found a place where I can set an OTP password after the expiration time limit

• Found that I can reuse the OTP more than once
• Found that I can bruteforce the OTP
• Found that I can bypass validation by adding an interval between bruteforce attempts
• Found another endpoint with the same OTP-checking gateway, also with the ability to bruteforce
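An added example (my own code, not from the talk) of a single OTP-checking gateway that closes each gap in the list above: expiry is checked server-side, a code is single-use, the per-OTP attempt limit is not reset by waiting between guesses, and both endpoints route through the same counter. OtpGateway, FakeClock, login_endpoint and reset_endpoint are assumed names; the clock is a constructed stand-in for time.time.

```python
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # expiry enforced on the server, not only in the UI
MAX_ATTEMPTS = 5        # per issued OTP; pausing between guesses does not reset it

@dataclass
class FakeClock:        # constructed test clock so the example runs offline
    t: float
    def __call__(self) -> float:
        return self.t

@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False

class OtpGateway:       # the one OTP-checking path; every endpoint must go through it
    def __init__(self, now) -> None:
        self.now = now
        self.records: dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # a fresh code replaces any old one
        self.records[user_id] = OtpRecord(code=code, issued_at=self.now())
        return code

    def verify(self, user_id: str, candidate: str) -> tuple[bool, str]:
        rec = self.records.get(user_id)
        if rec is None:
            return False, "no_otp"
        if rec.used:
            return False, "already_used"        # single use: no replay
        if self.now() > rec.issued_at + OTP_TTL_SECONDS:
            return False, "expired"             # late submissions are rejected
        if rec.attempts >= MAX_ATTEMPTS:
            return False, "too_many_attempts"   # OTP is burned; user must request a new one
        rec.attempts += 1                       # counted before the comparison
        if not hmac.compare_digest(rec.code.encode(), candidate.encode()):
            return False, "wrong_code"
        rec.used = True
        return True, "ok"

# Both hypothetical endpoints share one gateway, so guesses on either count toward the limit.
def login_endpoint(gw: OtpGateway, user_id: str, code: str) -> tuple[bool, str]:
    return gw.verify(user_id, code)
def reset_endpoint(gw: OtpGateway, user_id: str, code: str) -> tuple[bool, str]:
    return gw.verify(user_id, code)
```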

Page 21:

@author

THANKS FOR ATTENTION

t.me/valyaroller