Script Injection

Hi All,

Bit of an odd one: I have noted within the web application created by my employer that I can do script injections. Now, I am a regular tester, but I decided to have a play with this awesome list of strings that can help to uncover security vulnerabilities in a system: GitHub - minimaxir/big-list-of-naughty-strings (The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data).

Unfortunately, one actually worked, so I immediately raised this to my boss, but it has been swept under the rug as a “Well, it hasn’t been a problem for the last ten years, so we will fix it eventually”… That worries me, and I feel they don’t understand the full gravity of the situation.

Now, I’m not one to let this drop just yet, so is there a string I could input that will highlight the vulnerability of the site in a way they may understand? I have shown them <plaintext> (remove the *'s of course). Is there a way of capturing the data on the page and downloading it into a text file or something similar, to show this is serious?

Apologies, I only know Python surrounding Selenium, so I have no idea where to start with JavaScript in order to do this…

Just to clarify, I’m not looking to break the site. I am the sole tester on the site, and this is an isolated test site contained on my local machine, so it will not impact live or other users. I am just wanting to highlight this as a more serious issue.

If you have gotten this far through my essay, thank you.

Hello @danbaldwin!

One approach might be to phrase the issue (and it is a serious issue) in business terms.

Your description above tells me that a vulnerability exists when a certain string is submitted to a page. What might happen if you phrased the same issue as (I’m making this up!):

“When a user submits this string to the site, they have direct access to the database where they can read data from other users. This compromises our agreement with our users to maintain their privacy, and the information could be used to steal identities. Lastly, news of this could damage our reputation.”

That, in my opinion, would be a business issue.

Joe

Hey @devtotest,

Believe me, I have tried… The initial response was that you have to physically log in to the site to be able to do it… True, yes, but what if the end user was deliberately trying to be malicious? And then the following was the one I put above.

I think they need to see physical evidence of it dumping information out of the platform. I have attempted a simple SQL dump of the tables, but fortunately for them it does stop this, because that could have been a “biggie”.

Thanks for the advice!

Hello @danbaldwin!

I thought you might have pursued the suggestion already - good job!

As you know, we (the Testers we) find many defects in products that we dutifully log. In that log, we present the information as objectively as possible and record possible business impact. We have no influence past the record of the defect which, in this case, is frustrating (possibly profoundly frustrating). We can raise awareness to project managers and product owners as respectfully as we can. For all that, someone else decides what is a priority.

It seems like you might eventually succeed in finding damaging evidence which becomes part of the defect and could raise its priority. I encourage you to do so! I’ve found Pen testing to be complex and I have appreciated working with people skilled in that area. Perhaps consulting with someone in Pen testing could speed your quest?

Joe

Fingers crossed I do find something that makes the priority go up. Unfortunately we don’t have any in-house pen testers here (only a small company), so I can’t consult anyone internally on this. Fingers crossed someone with experience sees this post and may be able to shed some light on how I can proceed with this 🙂

Thanks Joe!

Hi danbaldwin,

I totally understand your frustration.
I am not a security tester, but a test manager and a person who wants to help get dangerous/expensive bugs fixed.

As far as I understood:
You detected an issue which can occur only if the user is logged in (enter the string and edit/steal data).

A few questions for your further research (no need to answer them here):

How easy is it to hack yourself into this application? Is there a standard password for the admin? Does the customer’s customer service/IT department know this? Is it written in manuals/instructions? Are there credentials in log files? And so on.

Does your company sell the software to customers? Or does the company operate it?

Does the software store PII data?
If yes: PII issues might get expensive (penalties and loss of reputation).

What would be the worst-case scenario if the application were hacked? How could the stolen data be misused? Or is the damage bigger if data were edited?

You can search the internet for articles about hackers being very successful and about IT admins who “hack” the systems of their former companies. Try to convince them that the last ten years are over…

If they decide not to fix it, then at least it is a decision.

Good luck!

PS: Have a look at the club, maybe there is a security tester? club.ministryoftesting.com/c/30-days-of-testing/30-days-of-security-testing

https://sudo.pagerduty.com/for_everyone/ - found this under “free security training resources”.

In today’s era, the security of an application is a big concern for every client. If we talk about security attacks on web applications, script injection attacks are a major concern for any leading software testing company. These types of attacks are termed Cross-Site Scripting attacks (XSS).

Cross-Site Scripting (XSS) is basically a client-side code injection attack. In this attack, attackers aim to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS.

However, most such attacks are in JavaScript, primarily because it is fundamental to most browsing experiences. If we talk about JavaScript errors, most web browsers like Chrome and Firefox run JavaScript in a very limited environment. Also, JavaScript has very specific rights to access the user’s operating system and the user’s files. However, JavaScript can still be dangerous if misused as part of malicious content on any web application.

Many software testing companies are concerned about threats to the security of web applications, because if an application is hit by an XSS attack, the attacker can use injected scripts to change the content of the website or even redirect the browser to another web page, which poses a huge loss to any client or company. For example, a script that contains malicious code can change the content of the site/application and redirect the user to another website which may not be safe. The special characters most commonly used to identify XSS content are: “<”, “&”, “>”.

An application’s security against XSS attacks can be tested using available security testing tools like the ones below:

  1. Zed Attack Proxy (ZAP)
  2. Burp Suite
  3. SonarQube

Hope this information is helpful for you.
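The reply above names the characters that make user input dangerous in an HTML context (“<”, “&”, “>”), and the first post shows the defect class with a bare `<plaintext>` tag. The following is an added example, not code from the thread or from any of the tools listed: in Python (the original poster’s language) it reproduces the defect as raw string interpolation into HTML, fixes it with output encoding, and adds a small check that a Selenium or unit test could run over rendered output to catch unescaped user input. The template, the function names, and the sample inputs are all constructed for this illustration.

```python
"""Added example (not from the thread): the script-injection defect class
beside its fix, plus a test-suite check for unescaped user input.

render_unsafe  - the defect: user input concatenated straight into HTML, which
                 is what lets a string such as <plaintext> alter the page.
render_safe    - the fix: HTML-encode the input for a text context first, so
                 '<', '>', '&' and quotes reach the browser as inert text.
has_raw_markup - hypothetical helper a test could run on rendered output.
"""
import html
import re

# Constructed sample inputs in the spirit of the "naughty strings" list cited
# in the first post (not copied from it).  The first is harmless; the rest
# each carry one of the characters the reply above calls out.
SAMPLE_INPUTS = [
    "Alice",
    "Tom & Jerry",
    "<plaintext>",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]

# Hypothetical page fragment that displays a user-supplied comment.
TEMPLATE_PREFIX = '<p class="comment">'
TEMPLATE_SUFFIX = "</p>"


def render_unsafe(user_input: str) -> str:
    """The defect: raw interpolation, so markup in the input becomes markup."""
    return TEMPLATE_PREFIX + user_input + TEMPLATE_SUFFIX


def render_safe(user_input: str) -> str:
    """The fix: encode for an HTML text context before interpolating.
    quote=True also encodes both quote characters, which matters if the
    same value is ever placed inside an attribute."""
    return TEMPLATE_PREFIX + html.escape(user_input, quote=True) + TEMPLATE_SUFFIX


# An HTML tag (opening or closing) anywhere in the user-controlled region.
_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# A bare ampersand that does not begin a well-formed entity such as &amp;
_BARE_AMP = re.compile(r"&(?![a-zA-Z#][a-zA-Z0-9]*;)")


def has_raw_markup(rendered: str) -> bool:
    """Heuristic check for a test suite: does the user-controlled part of the
    rendered output still contain a tag, a bare '&', or a raw quote?
    The known template wrapper is stripped first so the template's own
    <p> tag is not counted as a finding."""
    inner = rendered[len(TEMPLATE_PREFIX):len(rendered) - len(TEMPLATE_SUFFIX)]
    if _TAG.search(inner) or _BARE_AMP.search(inner):
        return True
    return '"' in inner or "'" in inner


def audit(inputs=SAMPLE_INPUTS):
    """Run every sample through both renderers.
    Returns {sample: (unsafe_flagged, safe_flagged)}; a correct fix means the
    second element is False for every sample."""
    return {
        s: (has_raw_markup(render_unsafe(s)), has_raw_markup(render_safe(s)))
        for s in inputs
    }


if __name__ == "__main__":
    for sample, (unsafe_hit, safe_hit) in audit().items():
        print(f"{sample!r:32} unsafe={unsafe_hit!s:5} safe={safe_hit}")
```

Running the block prints one line per sample: every sample but `Alice` is flagged in the unsafe rendering, and none is flagged once the value is encoded. The same `has_raw_markup` check can be pointed at page source captured through Selenium, which turns the demonstration in the first post into a repeatable, failing test that a bug report can cite.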