Cross Site Scripting - XSS

Test Scenario Steps to Execute

1. Verify the user (Hacker) is able to get the alert 1. Access the URL.
message, when he enter the script in the address (http://www.flipkart.com/home.aspx)
bar and process the same. 2. Enter the script in the URL and try to access

2. Verify the user (Hacker) is able to get the alert 1. Access the URL, and login to the site.
message, when he/she enter the script in a Text Box (http://www.testsite.com/home.aspx)
and access the URL. 2. Enter the script in any of the Text Box
available and click on Save button.
3. Access the URL.

SQL Injection
Test Scenario Steps to Execute
1. Verify the user (Hacker) is able to retreive the 1. Access the Login Page.
result set from DB, when we inject the SQL query in 2. Inject the SQL query in Username or
Username or Password text box Password Text Box and clcik on Save button.

2. Verify the user (Hacker) is able to delete the table 1. Access the URL, and login to the site with
from DB valid credentials.
Ex: Uname/Pswd - david/test123$
(http://www.sample.com/home.aspx)
2. Inject the SQL query in any of the text box
and click on Save button.

Access the Application pages with Unaut

Test Scenario Steps to Execute
1. Verify the Super User features are accessible by
Account User when the corresponding URLs are
directly accessed by Account User.
Super User Features
1. Able to access Registration, Account, Orders
Pages.
Account Admin Features
1. Able to access Account, Orders pages.
1. Login to website with Super User
credentials.
Ex: http://www.examplesite.com/home.aspx
2. Click on Registration Tab.
3. Registration Page should be displayed with
all fields.
Ex:
https://www.examplesite.com/registration.asp
x
4. Click on Logout button and Super User
should be successfully logged out.
5. Login to site with Account User credentials
and successfully logged in.
6. Try to access the Registration page URL.
Ex:
https://www.examplesite.com/registration.asp
x.

URL manipulation
Test Scenario Steps to Execute
1. Verify the user (Hacker) is able to access the 1. Login into website.
webpage of application, after manipulating the URL (www.flipkart.com/home.aspx).
(URL Rewriting) 2. Place an order and URL should be displayed
as follows:
https://www.flipkart.com/order_details?
order_id=OD205725355365775000&token=3a
7a3fd164085a0cd6c5f7e63a3b2b91&utm_ca
mpaign=order_notification&utm_medium=em
ail&utm_source=order&utm_content=click&c
mpid=email_order_order_notification
3. Manipulate the above URL (URL Rewriting)
as follows and try to access
https://www.flipkart.com/order_details?
order_id=OD3168546978254&token=3a7a3fd1
64085a0cd6c5f7e63a3b2b91&utm_campaign=
order_notification&utm_medium=email&utm_
source=order&utm_content=click&cmpid=ema
il_order_order_notification
 Cross Site Scripting - XSS
Test Data Expected Result
1.http://www.flipkart.com/home.aspx/ User should not get an alert message
?keyword=%22-alert as 2812305977 with Ok button in a pop
%2812305977%29-%22 up and error Page (404) should be
2.http://www.flipkart.com/home.aspx/ displayed.
*123456789*/
Below portion of the code, where the
injection occurred, after URL was
submitted.
<script>
var paramKeyword = ""-
alert(12305977)-"";
if($("#txtKeyword")!=null)
{
$("#txtKeyword").val(paramKeyword);
}
</script>

<Script>alert (Uname) </Script> User should not get alert messages

<Script>alert (Pswd) </Script> with Ok button in pop up's error Page
<Script>alert (dbcon) </Script> (404) should be displayed.

SQL Injection
Test Data Expected Result
SELECT * FROM Users WHERE Name User should not able to retreive the
='" + uName + "' AND Pass ='" + uPass + result set from DB and get an error
"' message.
SELECT * FROM Users WHERE Name
='" + uName + "' OR Pass ='" + uPass +
"'

SELECT * FROM Users WHERE Table should not be deleted from DB

User_Name = ‘david’; DROP table and get an error message.
users_details;’ –‘ AND Password =
‘test123$’;

he Application pages with Unauthorized Users

Test Data Expected Result
 Error page should be displayed or Page
not found message should be displayed
or you don't have the privilage to
access the page

URL manipulation
Test Data Expected Result
User should redirect the error page
Comments

Comments

Comments
Comments
 Cross Site Scripting - XSS
Test Scenario Status
1. Verify the user (Hacker) is able to get the 1. Pass
alert message, when he enter the script in the 2. Pass
address bar and process the same.

2. Verify the user (Hacker) is able to get the 1. Pass

alert message, when he/she enter the script in
a Text Box and access the URL.

SQL Injection
Test Scenario Status
1. Verify the user (Hacker) is able to retreive 1. Pass
the result set from DB, when we inject the SQL
query in Username or Password text box

2. Verify the user (Hacker) is able to delete the 1. Pass

table from DB

Access the Application pages with Unauthorized Users

Test Scenario Status
1. Verify the Super User features are accessible Pass
by Account User, when the corresponding URLs
are directly accessed by Account User.

URL Manipulation
Test Scenario Status
1. Verify the user (Hacker) is able to access the Pass
webpage of application, after manipulating the
URL (URL Rewriting)
ng - XSS
Comments

n
Comments

th Unauthorized Users
Comments

tion
Comments