Testing new session ID on privilege elevation
When a user's privileges in a system are elevated, it is important that a new session ID is issued. Otherwise a session ID that was obtained (or planted by an attacker) before login stays valid for the privileged session, which is the basis of session fixation. In short, a system should issue a new session ID whenever the user gains higher privileges than before. Here is an example that tests whether a user logging in to the Tomcat administration interface gets a new session ID. As it turns out, the test fails against Tomcat 4.1.31, which keeps the same JSESSIONID across the login:
Example:
| openWindow | foobar | /index.jsp |
| selectWindow | foobar | |
| removeCookie | JSESSIONID | /admin |
| removeCookie | JSESSIONID | / |
| assertTitle | Apache Tomcat/4.1.31 | |
| clickAndWait | link=Tomcat Administration | |
| assertTitle | Tomcat Server Administration | |
| storeValue | cookie=JSESSIONID | oldCookie |
| type | username | tomcat |
| type | password | tomcat |
| clickAndWait | //input[@value='Login'] | |
| assertNotValue | cookie=JSESSIONID | ${oldCookie} |
| assertTitle | Tomcat Server Administration | |
| closeWindow | foobar | |
Here's a short explanation of what is happening:
- The Tomcat root page is opened in a new window.
- The new window is selected as the current window.
- Any session cookies left over from earlier tests are removed, for both the / and /admin cookie paths. (removeCookie is a custom Selenium command; its code was linked from the original article.)
- The test navigates to the Tomcat admin login page.
- The current session cookie is stored in the variable oldCookie. (The cookie= locator is likewise custom; its code was linked from the original article.)
- Username and password are entered and the login form is submitted.
- The current session ID cookie is compared with the one stored before login. They must differ; against Tomcat 4.1.31 they are identical, so this is the assertion that fails. Note that a changed cookie in the browser is only half the check: the server must also invalidate the old ID, and this test does not verify that.
- The test checks that we are logged in by asserting the page title.
- The window is closed.
Testing form validation
Testing input validation is important for security, and how a system copes with unexpected input is part of such testing. A dropdown box only constrains what the browser's UI will send; anyone can submit any value for that field. Here is an example of how to test whether an application handles being passed a value that is not one of a dropdown's options. For this scenario, I created a Selenium function, selectNew, that adds a new option to a dropdown box and selects it. After submitting the form, we can test that the system handles the unexpected value properly.
Example:
| open | / | |
| selectNew | EU Country | Isengard |
| clickAndWait | ButtonCountrySelect | |
| verifyTextNotPresent | exception | |
In this case we add an option 'Isengard' to the countries dropdown box and select it. The form is submitted, and we check that the system did not expose an exception to the user. An exception message or stack trace in the response is both a validation failure and an information leak about the application's internals.
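The two tests above only check the browser's view of the application, and both rely on custom Selenium commands whose code is not shown. The following is an added example, not code from the original article, that performs the same two checks over plain HTTP in Python against a small in-process demo application. The application, its paths (/, /login, /admin, /country), the country list and the weak/hardened switch are all constructed for the example; the cookie name JSESSIONID is taken from the Tomcat test above. In weak mode it reproduces both findings: the session ID survives login, and a value that is not a dropdown option produces an exception message. In hardened mode it rotates the session ID and invalidates the old one, and it rejects the bogus value with a controlled error. The session check also goes one step beyond the Selenium version: it replays the pre-login ID against the admin page, since a new cookie in the browser proves nothing if the old ID still works server-side.

```python
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse, request as urlrequest
from urllib.error import HTTPError

SESSION_COOKIE = "JSESSIONID"  # same cookie name as the Tomcat test above
COUNTRIES = {"Norway", "Sweden", "Denmark"}  # constructed dropdown contents


def make_handler(hardened):
    """Demo app (constructed for this example). hardened=False reproduces both
    weaknesses: session ID survives login, bogus option leaks an exception."""
    sessions = {}  # session id -> logged-in user name, or None

    class Handler(BaseHTTPRequestHandler):
        def _sid(self):
            jar = SimpleCookie(self.headers.get("Cookie", ""))
            sid = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
            if sid not in sessions:  # unknown or invalidated id: start a fresh one
                sid = secrets.token_hex(16)
                sessions[sid] = None
            return sid

        def _reply(self, code, body, sid):
            self.send_response(code)
            self.send_header("Set-Cookie", f"{SESSION_COOKIE}={sid}; Path=/")
            self.end_headers()
            self.wfile.write(body.encode())

        def do_GET(self):
            sid = self._sid()
            if self.path == "/admin" and sessions[sid] is None:
                return self._reply(401, "login required", sid)
            self._reply(200, f"hello {sessions[sid] or 'anonymous'}", sid)

        def do_POST(self):
            sid = self._sid()
            length = int(self.headers.get("Content-Length", 0))
            form = parse.parse_qs(self.rfile.read(length).decode())
            if self.path == "/login":
                if form.get("username") != ["tomcat"] or form.get("password") != ["tomcat"]:
                    return self._reply(403, "bad credentials", sid)
                if hardened:  # privileges change: issue a new id and kill the old one
                    del sessions[sid]
                    sid = secrets.token_hex(16)
                sessions[sid] = "tomcat"
                return self._reply(200, "Tomcat Server Administration", sid)
            if self.path == "/country":
                country = form.get("country", [""])[0]
                if country in COUNTRIES:
                    return self._reply(200, f"selected {country}", sid)
                if hardened:  # controlled error, nothing about internals leaked
                    return self._reply(400, "unknown country", sid)
                return self._reply(500, f"java.lang.IllegalArgumentException: {country}", sid)
            self._reply(404, "not found", sid)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def _http(url, sid=None, form=None):
    """One request; returns (status, body text, session id set by the server)."""
    data = parse.urlencode(form).encode() if form else None
    req = urlrequest.Request(url, data=data)
    if sid:
        req.add_header("Cookie", f"{SESSION_COOKIE}={sid}")
    try:
        with urlrequest.urlopen(req) as resp:
            code, headers, body = resp.status, resp.headers, resp.read()
    except HTTPError as err:  # 4xx/5xx replies still carry the headers and body
        code, headers, body = err.code, err.headers, err.read()
    jar = SimpleCookie(headers.get("Set-Cookie", ""))
    return code, body.decode(), jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None


def check_session_rotation(base):
    """storeValue/assertNotValue from the page, plus the check it omits: the
    pre-login id must stop working, not merely be replaced in the browser."""
    _, _, old = _http(base + "/")
    _, _, new = _http(base + "/login", old, {"username": "tomcat", "password": "tomcat"})
    code, _, _ = _http(base + "/admin", old)
    return {"new_id_issued": new != old, "old_id_rejected": code == 401}


def check_dropdown_tampering(base, bogus="Isengard"):
    """selectNew + verifyTextNotPresent without a browser: the dropdown only
    constrains the UI, so the bogus value goes straight into the POST body."""
    code, body, _ = _http(base + "/country", form={"country": bogus})
    return {"exception_exposed": "exception" in body.lower(), "status": code}


def run_against(hardened):
    """Start the demo app on an ephemeral port and run both checks against it."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(hardened))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {**check_session_rotation(base), **check_dropdown_tampering(base)}
    finally:
        srv.shutdown()
        srv.server_close()
```

Calling run_against(False) reports new_id_issued False, old_id_rejected False and exception_exposed True with status 500; run_against(True) reports the opposite with status 400. Against a real application you would drop the demo server and point _http at the application's own URLs, adjusting the login form field names and the admin path.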
Testing that debug messages are switched off
A common debugging practice for web applications is a debug parameter in the query string that tells the application to show debug information. Far too often this functionality is not removed before going into production. One way to test whether it is switched off is to request a page with and without the debug parameter and check that the content did not change. Two caveats: the parameter name is a guess (debug is only the most common one), and a page whose body changes between requests anyway, because of timestamps or tokens, will make the comparison fail for the wrong reason, so pick a page that is otherwise stable.
Example:
| open | / | |
| storeBodyText | nodebugbody | |
| open | /?debug=true | |
| verifyBodyText | ${nodebugbody} | |
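The verifyBodyText comparison above breaks on any page whose body differs between two requests, and it tries only one parameter name. The following added example, in Python and not from the original article, does the same comparison but masks volatile tokens (timestamps, hex tokens, render times) before diffing and probes several parameter names. The DEBUG_PARAMS list is an assumption about common names, and fake_fetch with its responses is a constructed stand-in for a real server; in real use fetch would wrap urllib or requests.

```python
import difflib
import itertools
import re

# Content that legitimately differs between two requests and would make a
# whole-body comparison (the page's verifyBodyText) fail for the wrong reason.
VOLATILE = [
    re.compile(r"\b\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(?::\d{2})?\b"),  # timestamps
    re.compile(r"\b[0-9a-f]{32,}\b", re.I),                          # session/CSRF tokens
    re.compile(r"\b\d+\.\d+ ?ms\b"),                                  # render times
]

# Assumed parameter names; "debug" is only the most common one.
DEBUG_PARAMS = ("debug=true", "debug=1", "trace=1", "verbose=1", "showsql=1")


def normalize(body):
    """Mask volatile tokens and drop blank lines so only real content remains."""
    out = []
    for line in body.splitlines():
        for pat in VOLATILE:
            line = pat.sub("<volatile>", line)
        if line.strip():
            out.append(line.strip())
    return out


def debug_leak_lines(baseline, candidate):
    """Lines that appear only in candidate, after both bodies are normalized."""
    diff = difflib.unified_diff(normalize(baseline), normalize(candidate), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def probe_debug_params(fetch, path="/", params=DEBUG_PARAMS):
    """Fetch path once plain and once per candidate parameter. fetch(url) must
    return the body text (wrap urllib or requests in real use). Returns the
    parameters that changed the normalized body, mapped to the lines they added."""
    baseline = fetch(path)
    sep = "&" if "?" in path else "?"
    findings = {}
    for param in params:
        leaked = debug_leak_lines(baseline, fetch(path + sep + param))
        if leaked:
            findings[param] = leaked
    return findings


# Constructed stand-in for a real server: every response carries a fresh
# timestamp and token, and only ?debug=true adds a debug dump.
_tick = itertools.count(1)


def fake_fetch(url):
    n = next(_tick)
    body = (f"<h1>Welcome</h1>\nGenerated 2024-05-01 12:0{n % 10}:00 "
            f"token={'ab' * 16}{n:02x}\n")
    if "debug=true" in url:
        body += "DEBUG: SELECT * FROM users WHERE id=1\nDEBUG: DataSource=jdbc:mysql://db/prod\n"
    return body
```

probe_debug_params(fake_fetch) reports only debug=true, with the two DEBUG lines, even though two plain fetches of "/" never return byte-identical bodies. Treat a non-empty result as a finding to inspect by hand: a parameter may change the page for benign reasons, but anything resembling queries, connection strings or stack traces is a leak.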