PRINCIPLES IN SOFTWARE TESTING AND SOME BUGS THAT OTHERS DID NOT NOTICE
Valeriy “krevetk0” Shevchenko
WHOAMI?
• QA Engineer at Delivery Hero
• Blogging at Medium/Habr
• Pwning web with ' since 2016
• "Stole" a BelkaCar carsharing car once
• Acknowledged by companies such as: Amazon, Paypal, Salesforce, Redbull, SoundGizmo …
What does a QA engineer do?
QA is the most loved person from Bug Hunters and Pentesters
What should we know before starting testing?
• Scope
• Technology stack
• Business flow
• Testing limitations
What is the main requirement in testing?
Testing Methodology “How to shot web” @jhaddix
https://youtu.be/Qw1nNPiH_Go
Another testing Methodology OWASP Testing Guide
https://www.owasp.org/images/1/19/OTGv4.pdf
How about certifications for testers?
• OSCP, GWAPT, GPEN, GSEC, GCIH, GCIA, CCSP, CISSP, GIAC, CRTOP …
How about ISTQB ?
How does it help?
It can give you a deep understanding of:
• Fundamentals of testing
• Testing throughout the software life cycle
• Test design techniques
• Test management
When do bugs arise?
Testing Principles
• Testing shows the presence of defects
• Exhaustive testing is impossible
• Early testing
• Defect clustering
• Pesticide paradox
• Testing is context dependent
• Absence-of-errors fallacy
Kinds of testing
• Usability testing
• Documentation testing
• Smoke testing
• Functional testing
• Stress testing
• Configuration testing
• Regression testing
• Installation testing
• …
Defect clustering example
Information leak through a push notification message
+ Improper access control to server data through a GET parameter
+ Information leak of users' sensitive data
Regression testing example
Received an email from the original report
Reproduced the issue 6 months after it was fixed
And in the end they terminated the contract with the agency (which developed that app).
Documentation testing example
Mobile stress testing example
• Just did a stress test and found out that the application's behaviour was going to be strange
• Combined the stress test with user search and boom…
Defect clustering example
• Just found a way to delete objects from the application server.
• And Stored XSS
• And Reflected XSS
• And again Stored XSS
• And path traversal
• And …
Server connection was terminated.
Mistake from design and defect clustering
Just found a place where the privacy policy doesn't work.
Understanding that something was wrong with the privacy functionality, I did some more checks and …
Mistake from design and defect clustering
Just found a place where I could submit the OTP after the expiration time limit
• Found that I could reuse the OTP more than once
• Found that I could bruteforce the OTP
• Found that I could bypass the validation by spacing out the bruteforce attempts
• Found another endpoint with the same OTP-checking gateway, also open to bruteforce
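A verifier that closes all four OTP weaknesses listed above (acceptance after expiry, reuse, unlimited guessing, and a second endpoint with its own check), as an added defensive example that is not from the talk; `OtpGateway`, `FakeClock` and the limits are assumptions:

```python
import hmac
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # a code is valid for five minutes after issue (assumed limit)
MAX_ATTEMPTS = 5        # failed guesses before the code is thrown away (assumed limit)


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


class OtpGateway:
    """The one verification path every endpoint that checks an OTP must call."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for tests
        self._records: dict[str, OtpRecord] = {}

    def issue(self, account: str, code: str) -> None:
        # A new code replaces the previous one, so an old code can never be replayed.
        self._records[account] = OtpRecord(code=code, issued_at=self._now())

    def verify(self, account: str, submitted: str) -> bool:
        rec = self._records.get(account)
        if rec is None or rec.consumed:
            return False                # no live code, or it was already used once
        if self._now() - rec.issued_at > OTP_TTL_SECONDS:
            del self._records[account]  # expired: rejected even if the digits match
            return False
        if not hmac.compare_digest(rec.code, submitted):
            rec.failed_attempts += 1    # counter is per code and never decays with time,
            if rec.failed_attempts >= MAX_ATTEMPTS:
                del self._records[account]  # so pacing the guesses does not help
            return False
        rec.consumed = True             # single use
        return True


class FakeClock:
    """Constructed clock so the expiry and lockout paths can be exercised offline."""

    def __init__(self, start: float = 1_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t
```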
THANKS FOR ATTENTION
t.me/valyaroller