20 Days Of Web Testing > Multiple tabs and windows

Why?

Opening the application in more than one tab or window can often lead to interesting security bugs, data refresh issues or multiple cookie confusion.

An often-overlooked test is the multiple tabs/windows in the same session test.

What you are doing here is essentially seeing how the application copes with the same and/or different user operating under the same session token, but on different pages or tabs.

Many sites use cookies (small files stored on your computer) to store session IDs and other supporting data, so it is often possible to find bugs around confused data, sessions or security access.

This can manifest itself as incorrect data display issues, security loopholes and actions not being performed as expected.

 

How?

Here’s a simple example to seek out security flaws.

 

Open Firefox and in one tab log in to your secure application.

Then right click on a page in your site and open that new page in a new tab.

Both tabs are now considered to be in the same session.

 

Now log out of the application in Tab 2 and try to perform some actions in Tab 1.

 

Has it logged you out or let you perform an action?

In most situations it should have logged you out.
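
The same logout check can be scripted: both tabs hold the same session cookie, so replaying Tab 1's request with that cookie after Tab 2 logs out shows whether the server really ended the session. This is an added example, not code from the original post; the toy server, its `/login`, `/logout` and `/basket/add` paths and the `sid` cookie name are assumptions made for illustration.

```python
import http.client, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_app(invalidate_on_logout):
    sessions = {}  # server-side session store: sid -> user
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass  # silence per-request logging
        def do_POST(self):
            sid = (self.headers.get("Cookie") or "").removeprefix("sid=")
            status, headers = 401, []
            if self.path == "/login":
                sid = secrets.token_hex(16)
                sessions[sid] = "alice"
                status, headers = 200, [("Set-Cookie", f"sid={sid}; HttpOnly")]
            elif self.path == "/logout":
                if invalidate_on_logout:
                    sessions.pop(sid, None)  # hardened: session ends on the server
                status, headers = 200, [("Set-Cookie", "sid=; Max-Age=0")]
            elif self.path == "/basket/add" and sid in sessions:
                status = 200
            self.send_response(status)
            for name, value in headers:
                self.send_header(name, value)
            self.send_header("Content-Length", "0")
            self.end_headers()
    return Handler

def post(port, path, cookie=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", path, headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    result = resp.status, resp.getheader("Set-Cookie", "")
    conn.close()
    return result

def stale_tab_status(invalidate_on_logout):
    server = HTTPServer(("127.0.0.1", 0), make_app(invalidate_on_logout))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_port
    _, set_cookie = post(port, "/login")
    cookie = set_cookie.split(";")[0]  # "sid=..." shared by both tabs
    post(port, "/logout", cookie)  # Tab 2 logs out
    status = post(port, "/basket/add", cookie)[0]  # Tab 1 replays its cookie
    server.shutdown()
    server.server_close()
    return status

if __name__ == "__main__":
    print("weak:", stale_tab_status(False), "hardened:", stale_tab_status(True))
```

A 200 from the stale tab means logout only cleared the cookie in the browser; a 401 means the session was destroyed on the server.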

 

In many instances it is possible to log in to two different accounts in the same browser and end up sharing data across both tabs because of cross authentication issues.

 

It’s not just about authentication though.

What about adding things to a shopping basket in multiple tabs – do they persist in the basket?

What about state changes in your application across several tabs?

Can I log in across several browsers in different sessions?

Can I trick browser side validation and restrictions by performing actions across a number of tabs?

 

The best way to test in multiple browser tabs and sessions is to explore the application with multiple tabs open, checking what effect a change in one tab can have on the other.

As you explore around look for data, states and actions that might be confused by bad cookie management, session management and cross tab problems.

Always have some developer tools open so you can see what requests and responses are being communicated and what the content of these is. A tool to show your cookies and their contents will be undoubtedly useful too, something like Firecookie (a Firefox extension).

The Burp Suite security tool is especially useful if you want to start hijacking the session and manipulating stuff.

 

Useful Hint

In several of the modern tabbed browsers it is possible to open up multiple tabs and then drag a tab out of the main browser “window” to create two “windows” operating under one session. This makes it easier to switch between and view the two tabs whilst testing, using CTRL and Tab (or CMD and Tab on Mac).

Not all browsers may treat a new “window” as the same session.

 

Useful Links

Good site about cookies and sessions – http://www.allaboutcookies.org/cookies/session-cookies-used-for.html

Session Hijacking – http://en.wikipedia.org/wiki/Session_hijacking

Security implications of cookies – http://it.toolbox.com/blogs/securitymonkey/successful-hacking-with-xss-cookies-session-ids-11098

Burpsuite – http://portswigger.net/burp/

Firecookie – https://addons.mozilla.org/en-us/firefox/addon/firecookie/
