
FFAX VS MERRI – testing oracle mnemonic (zagorski software tester)

On September 12, 2014, in Syndicated, by Association for Software Testing
Credit to www.owasp.org

Inspired by the FEW HICCUPPS oracle testing mnemonic, created by James Bach and extended by Michael Bolton, I decided to contribute my own to the set of oracle testing mnemonics.

Oracles are fallible heuristics that help us identify problems in a product. A mnemonic helps us remember. This is a very helpful aid for testers: by memorizing a set of testing mnemonics, a tester has a powerful set of testing ideas ready to hand (more important than, or at least equal to, programming skill).

I have always been interested in security testing. The starting point for learning about it is the Open Web Application Security Project (OWASP) home page. The OWASP Top 10 summarizes the ten most critical web application security risks (the 2013 edition, at the time of writing), and each one is a starting point for security testing ideas. To remember them easily, I created the following mnemonic:

FFAX VS MERRI 

Forward. Unvalidated forwards. The application forwards the user to a different context (another page or function inside the application) based on an untrusted parameter. Have you checked that this is a safe operation for the user?
Forgery. Cross-Site Request Forgery (CSRF). The application believes the request comes from a valid user, and the browser has indeed attached that user's session cookie, but the user never intended to send it: an attacker's page triggered it.
Access. Missing function level access control. A junior tester has the same application access rights as the CEO, because the server only checks that the caller is logged in, not that they are allowed to call this particular function.
XCross (this one is special: X is used as a sign, not a letter, and stands for "cross"). Cross-Site Scripting (XSS). It is possible to execute JavaScript code in the context of the application, in another user's browser.

Vulnerabilities. Using components with known vulnerabilities. Does the product use libraries, frameworks or other components with publicly known vulnerabilities?
Session. Broken authentication and session management. The session token is the proof that the user entered their application username and password; if it is predictable, exposed in a URL, or not invalidated on logout, whoever holds it is that user.

Misconfiguration. Security misconfiguration. The product is misconfigured (default accounts, verbose error pages, unnecessary features left enabled) and does what we do not want it to do.
Exposure. Sensitive data exposure. Data is available to people who should not see it, for example because it is stored or transmitted without encryption.
Redirect. Unvalidated redirects. The application redirects the user to a URL taken from a request parameter without checking it, so an attacker can send the user to a site of their choosing.
Reference. Insecure direct object reference. The application exposes a reference to an internal object (a file, a database key or a directory) and does not verify that the user is allowed to access it.
Injection. Application data is interpreted as a command (SQL, OS, LDAP, ...) and executed by the interpreter the application hands it to.

And you thought that you would never use fax ever again!
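The Forward and Redirect entries of the mnemonic both come down to one check: does the application validate the destination it sends the user to? The following is an added example in Python, not code from the original post or from OWASP, showing a redirect that trusts its parameter beside a hardened version, and the inputs a tester would try against both. The `next` parameter, the host `app.example.com`, `BASE_URL`, `ALLOWED_HOSTS` and the function names are assumptions made for the example.

```python
"""Added example (not from the original post): validating a redirect target.

The 'next' parameter, the host app.example.com, BASE_URL and ALLOWED_HOSTS
are assumptions made for this example.
"""
from urllib.parse import urljoin, urlparse

BASE_URL = "https://app.example.com/"   # assumed application origin
ALLOWED_HOSTS = {"app.example.com"}     # hosts a redirect may land on


def redirect_unvalidated(next_param: str) -> str:
    """Vulnerable version: the Location header is whatever the request said."""
    return next_param


def redirect_validated(next_param: str) -> str:
    """Hardened version: only follow http(s) targets on an allowed host.

    Anything else falls back to BASE_URL rather than raising an error, so a
    tampered link still lands the user somewhere safe.
    """
    # Browsers strip tabs and newlines anywhere in a URL; do the same before
    # checking so "\t//evil" is not mistaken for a harmless relative path.
    candidate = "".join(c for c in next_param if c not in "\t\r\n").strip()

    # Browsers turn '\' into '/' and collapse '///host' to '//host';
    # urlparse does neither, so reject those forms instead of parsing them.
    if "\\" in candidate or candidate.startswith("//"):
        return BASE_URL

    # Resolve relative paths against our own origin, then inspect the result.
    target = urljoin(BASE_URL, candidate)
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):   # javascript:, data:, ...
        return BASE_URL
    # .hostname drops userinfo, so "app.example.com@evil.example" yields
    # "evil.example" and is rejected here.
    if parsed.hostname not in ALLOWED_HOSTS:
        return BASE_URL
    return target


# Constructed inputs a tester would send in the 'next' parameter.
TEST_INPUTS = [
    "/account",                                 # legitimate relative path
    "https://app.example.com/login",            # legitimate absolute URL
    "https://evil.example/phish",               # plain open redirect
    "//evil.example/phish",                     # protocol-relative
    "///evil.example/phish",                    # extra slashes
    "/\\evil.example",                          # backslash trick
    "javascript:alert(1)",                      # scheme abuse
    "https://app.example.com@evil.example/",    # userinfo trick
    "https://app.example.com.evil.example/",    # look-alike subdomain
    "\t//evil.example/",                        # leading tab
]


def compare(inputs=TEST_INPUTS) -> dict:
    """Return {input: (unvalidated result, validated result)} for each input."""
    return {i: (redirect_unvalidated(i), redirect_validated(i)) for i in inputs}


if __name__ == "__main__":
    for inp, (bad, good) in compare().items():
        print(f"{inp!r:45} unvalidated -> {bad}")
        print(f"{'':45} validated   -> {good}")
```

Running the script prints both outcomes side by side: the unvalidated function echoes every attacker-supplied target, while the validated one only lets the two legitimate inputs through. Note that the hardened version works on the parsed result of `urljoin`, not on the raw string, which is why a plain "does it start with /" check is not enough.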
