Test Scenario 2: Verify the user (Hacker) is able to get the alert message when he/she enters the script in a Text Box and accesses the URL.
Steps to Execute:
1. Access the URL and log in to the site (http://www.testsite.com/home.aspx).
2. Enter the script in any of the Text Boxes available and click on the Save button.
3. Access the URL.

SQL Injection
Test Scenario 1: Verify the user (Hacker) is able to retrieve the result set from the DB when the SQL query is injected in the Username or Password text box.
Steps to Execute:
1. Access the Login Page.
2. Inject the SQL query in the Username or Password Text Box and click on the Save button.

Test Scenario 2: Verify the user (Hacker) is able to delete the table from the DB.
Steps to Execute:
1. Access the URL and log in to the site with valid credentials.
   Ex: Uname/Pswd - david/test123$
   (http://www.sample.com/home.aspx)
2. Inject the SQL query in any of the text boxes and click on the Save button.

URL manipulation
Test Scenario 1: Verify the user (Hacker) is able to access the webpage of the application after manipulating the URL (URL Rewriting).
Steps to Execute:
1. Log in to the website (www.flipkart.com/home.aspx).
2. Place an order. The URL should be displayed as follows:
   https://www.flipkart.com/order_details?order_id=OD205725355365775000&token=3a7a3fd164085a0cd6c5f7e63a3b2b91&utm_campaign=order_notification&utm_medium=email&utm_source=order&utm_content=click&cmpid=email_order_order_notification
3. Manipulate the above URL (URL Rewriting) as follows and try to access it:
   https://www.flipkart.com/order_details?order_id=OD3168546978254&token=3a7a3fd164085a0cd6c5f7e63a3b2b91&utm_campaign=order_notification&utm_medium=email&utm_source=order&utm_content=click&cmpid=email_order_order_notification

Cross Site Scripting - XSS
Test Data:
1. http://www.flipkart.com/home.aspx/?keyword=%22-alert%2812305977%29-%22
2. http://www.flipkart.com/home.aspx/*123456789*/

Expected Result: User should not get an alert message as 2812305977 with an Ok button in a pop-up, and the error page (404) should be displayed.

Below is the portion of the code where the injection occurred after the URL was submitted:

<script>
var paramKeyword = ""-alert(12305977)-"";
if($("#txtKeyword")!=null)
{
    $("#txtKeyword").val(paramKeyword);
}
</script>

SQL Injection
Test Data:
1. SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'
2. SELECT * FROM Users WHERE Name ='" + uName + "' OR Pass ='" + uPass + "'

Expected Result: User should not be able to retrieve the result set from the DB and should get an error message.

URL manipulation
Expected Result: User should be redirected to the error page.

Cross Site Scripting - XSS
Test Scenario 1: Verify the user (Hacker) is able to get the alert message when he enters the script in the address bar and processes the same.
Status:
1. Pass
2. Pass

SQL Injection
Test Scenario 1: Verify the user (Hacker) is able to retrieve the result set from the DB when the SQL query is injected in the Username or Password text box.
Status:
1. Pass

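The concatenated login query from the SQL Injection test data earlier in this document, next to a parameterized form, as an added example that is not part of the original test document. The function names, the Users rows other than david/test123$, and the test inputs are constructed, and Python with sqlite3 stands in for the application's real stack.

```python
import sqlite3

def make_db():
    """In-memory Users table with constructed accounts (plaintext Pass
    only because the query in the test data compares it directly)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("david", "test123$"), ("maria", "s3cret!")])
    return db

def login_concat(db, u_name, u_pass):
    """Vulnerable: same string concatenation as the document's test data."""
    sql = ("SELECT * FROM Users WHERE Name ='" + u_name +
           "' AND Pass ='" + u_pass + "'")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # input broke the statement and caused a database error

def login_param(db, u_name, u_pass):
    """Hardened: values are bound as parameters, never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return db.execute(sql, (u_name, u_pass)).fetchall()

# Constructed inputs for the Username / Password text boxes.
CASES = [
    ("david", "test123$"),      # valid credentials
    ("david", "wrong"),         # wrong password
    ("david", "x' OR '1'='1"),  # quote-breaking input
    ("o'brien", "pw"),          # legitimate name that contains a quote
]

def run_cases(login):
    """Run every case against a fresh database with the given login function."""
    db = make_db()
    return [login(db, u, p) for u, p in CASES]

if __name__ == "__main__":
    rows = zip(CASES, run_cases(login_concat), run_cases(login_param))
    for (u, p), bad, good in rows:
        print(f"{u!r} / {p!r}: concat={bad} param={good}")
```

With the parameterized query every invalid input yields an empty result set, which the application can turn into the error message the expected result calls for. The concatenated query returns every row for the third input and fails with a database error for the fourth.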
URL Manipulation
Test Scenario 1: Verify the user (Hacker) is able to access the webpage of the application after manipulating the URL (URL Rewriting).
Status: Pass