20 Days Of Web Testing > Back to the beginning again

Why?

The security of an application/site doesn’t just concern the usual suspects of cross-site scripting, SQL injections and man in the middle attacks.

Something as simple as hitting the back arrow on a browser and seeing the previous persons information is a low key but effective security breach.

Say for example that you are in an Internet Cafe and you log in to your banking application. You log out, but leave the browser window open on the home page and you leave the cafe. It *could* be entirely possible that the next person to use the computer can see your details by simply clicking “back” on the browser.

Believe me this does happen.

 

How?

A very simple test would be to authenticate and enter your application. Then log out and hit the back button on the browser to see what happens.

Browsers often offer the ability to skip back a number of pages in one go. Try this and see what pages you can open.

 

Here are some examples of how this bug could cause problems:

  • You might be able to vote online for a candidate or topic. Then hit back and vote again. And again. And again. And again. And again.
  • You might be able to use a “one time only” coupon to discount a price over and over again by using the back button.
  • You might be able to see someone else’s personal data by going back through their browsing session.
  • You might be using a site where some client side JavaScript fires on page load even if the authentication fails. So although you have logged out, when the page reloads (and doesn’t let you back in) it might still fire some logic to perform an action.

 

Useful Hint

Holding down the back button often gives you a list of several previous pages to visit.

 

Useful Links

Stack Overflow question on disabling back capability (which you cannot by the way) – http://stackoverflow.com/questions/7816195/how-to-disable-back-button-in-browser-when-user-logout-in-classic-asp

IE security problem with the Back Button – http://www.wired.com/science/discoveries/news/2002/04/51899?currentPage=all

—-

If you want to talk Testing – catch me later this year at EuroSTAR conference.