Functional testing, security testing, usability testing and other kinds of checks differ between web, mobile and desktop software products because the underlying technologies differ.
When carrying out security testing of a web application, one should verify whether sensitive data can be extracted by manipulating URLs.
Web applications mostly use the GET and POST methods of HTTP requests to exchange data between the user's machine and the server.
Specialists in manual and automated web security testing advise against using GET requests to transmit sensitive data.
Security drawbacks of the GET request method:
- a GET request, including the parameters in its URL, can be captured;
- GET requests are saved in the web browser history;
- a GET request can be bookmarked.
Attackers can take advantage of these properties of GET requests to steal or damage users' financial or personal data, or other sensitive business or private data.
When verifying the safety of data transfer, test engineers should think like attackers. During penetration testing one can try to capture and alter the data sent to the server and received from it. If the application's behavior under such manipulation is unpredictable, the security defect must be reported and fixed.
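The following is an added example, not code from the original article. It makes the GET drawbacks listed above concrete and gives a test engineer a check to run during the review described in the last paragraph: `build_request` shows where the same form fields end up for GET (in the request line, which browsers keep in history and bookmarks and servers write to access logs) versus POST (in the body), and `scan_access_log` flags GET request lines whose query string carries sensitive parameter names. The function names, the `SENSITIVE_PARAMS` list and the sample log lines are constructed for illustration.

```python
"""Added example (not from the original article): why sensitive fields sent
with GET end up in history, bookmarks and logs, plus a checker a test engineer
can run over access-log lines during a security review. All names and sample
data below are constructed for illustration."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameter names treated as sensitive in this example (assumption; extend per application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "ssn", "card", "cvv"}


def build_request(method: str, path: str, params: dict) -> tuple:
    """Return (request_line, headers, body) as a browser would send them.

    With GET the parameters are appended to the URL, so they appear in the
    request line that gets logged, bookmarked and saved in history. With POST
    they travel in the body instead."""
    encoded = urlencode(params)
    if method.upper() == "GET":
        return f"GET {path}?{encoded} HTTP/1.1", {"Host": "app.example"}, ""
    headers = {
        "Host": "app.example",
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(encoded)),
    }
    return f"POST {path} HTTP/1.1", headers, encoded


def sensitive_query_params(url: str, sensitive=SENSITIVE_PARAMS) -> list:
    """Return the sorted names of sensitive parameters in the query string of `url`."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in sensitive)


def scan_access_log(lines) -> list:
    """Scan common-log-format lines (... "METHOD target HTTP/x" ...) and return
    (line number, leaked parameter names) for every GET request line whose
    query string carries sensitive parameters."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        try:
            request = line.split('"')[1]          # the quoted request line
            method, target, _ = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                              # not a well-formed request line; skip it
        if method != "GET":
            continue                              # POST bodies are not in the request line
        leaked = sensitive_query_params(target)
        if leaked:
            findings.append((lineno, leaked))
    return findings


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=alice&password=S3cret HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /account?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /pay?card=4111111111111111&cvv=123 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    fields = {"user": "alice", "password": "S3cret"}
    get_line, _, _ = build_request("GET", "/login", fields)
    post_line, _, post_body = build_request("POST", "/login", fields)
    print(get_line)                      # the secret is part of the URL
    print(post_line, "| body:", post_body)  # the secret is in the body only
    for lineno, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: sensitive parameters in GET query string: {names}")
```

Running the script prints the two request lines side by side and reports lines 1 and 4 of the sample log. In a real review the same scan is run over the application's actual access logs, proxy captures or the URLs collected while exercising the application; any hit is the kind of defect the article says must be reported and corrected (moving the field to a POST body, or to a header, removes it from the logged and bookmarkable URL).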