Cecilia986

Security Testing: User Login Scenarios

*Security Testing Overview*

Security testing covers many areas and relies on a variety of tools. **AppScan** is the most comprehensive, covering nearly all security vulnerabilities and producing detailed security audit reports.

User Login Security:
A. Password Issues

  • Verify that passwords stored in the backend are never kept in plaintext. In practice this means a salted, slow password hash (bcrypt, scrypt or Argon2) rather than reversible encryption: two accounts with the same password should end up with different stored values, and nobody with database access should be able to recover the original password.
  • Verify that passwords are protected during network transmission (e.g., the login request is sent over HTTPS/TLS).
  • Verify password expiration policies and ensure the system prompts users to change passwords upon expiry.
  • Verify whether the password input field supports copying and pasting (often disabled for higher security; note that blocking paste also breaks password managers, which is why NIST SP 800-63B recommends allowing it).
  • Validate password complexity and strength.
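As an added example (not code from the original post), the following Python shows what a backend that passes the checks in section A looks like, together with the checks a tester would run against it: a salted, slow scrypt hash per user, constant-time verification, a salting check (the same password never yields the same stored record twice), a plaintext check, and a complexity validator. The scrypt parameters, the minimum length and the small blocklist are assumed values chosen for illustration.

```python
# Added example (not from the original post): a minimal password store that keeps
# only a salted, slow hash of each password, plus the checks a tester would run
# against it. Parameters and the blocklist are assumed values for illustration.
import hashlib
import hmac
import os
import re
from typing import List, Optional

# scrypt cost parameters (assumed; tune to your hardware). Uses 128*N*r bytes of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LENGTH = 12
# constructed blocklist; real deployments use a large breached-password list
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored record 'salt_hex$hash_hex'. A fresh random salt is
    generated for every call, so two users with the same password differ."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


# --- checks a tester can run against the store --------------------------------

def stored_values_differ_for_same_password(password: str) -> bool:
    """Salting check: the same password must never produce the same record twice."""
    return hash_password(password) != hash_password(password)


def stored_value_reveals_password(password: str) -> bool:
    """Plaintext check: the raw password must not appear inside the record."""
    return password in hash_password(password)


def password_strength_issues(password: str) -> List[str]:
    """Complexity check: return every rule the password fails (empty = accepted)."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        issues.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        issues.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears on the common-password blocklist")
    return issues


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-Staple-42!")
    print("stored record:", record)
    print("verify correct:", verify_password("Correct-Horse-Battery-Staple-42!", record))
    print("verify wrong:  ", verify_password("wrong-password", record))
    print("issues for 'password':", password_strength_issues("password"))
```

The stored record contains the salt in the clear; that is by design, since the salt's job is to make each hash unique, not to be secret. The cost parameters are what make offline guessing slow, so a tester should also confirm that the backend's values are not trivially small.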

B. User Authentication & Session Management

  • Forced Browsing / Unauthorized Access: Verify that entering a post-login URL directly in the address bar, without a valid session, redirects the user back to the login page instead of serving the page.

  • Sensitive Data in Source Code: Ensure that the password entered in the input field is not visible in the page source (View Source), for example echoed into a hidden field, a JavaScript variable or the field's value attribute.

  • Session Mutex / Concurrent Login: Verify whether a user's existing session is terminated (mutually exclusive login) when the same account logs in from another device or browser.

  • Brute Force Protection: Verify that the system triggers a lockout or CAPTCHA after multiple failed login attempts, and that a correct password is also rejected while the lockout is active.
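The two behaviours a tester expects from section B, as an added example that is not code from the original post: an in-memory login service that locks an account after repeated failures (rejecting even the correct password until the lockout expires) and invalidates the previous session token when the same account logs in again from a second device. The attempt limit, lockout duration, and the sample user are assumed values; the clock is injectable so the lockout scenario runs without waiting.

```python
# Added example (not from the original post): an in-memory login service that
# enforces a failed-attempt lockout and mutually exclusive sessions, with the two
# scenarios a tester would run against it. The policy numbers are assumed values.
import secrets
import time
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 5      # assumed policy: lock the account after 5 failures
LOCKOUT_SECONDS = 15 * 60    # assumed policy: 15-minute lockout


class LoginService:
    def __init__(self, users: Dict[str, str], clock: Callable[[], float] = time.time):
        # constructed sample store: username -> password. A real backend keeps
        # salted password hashes here, never the password itself.
        self._users = users
        self._clock = clock                          # injectable so tests can move time
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}
        self._sessions: Dict[str, str] = {}          # token -> username
        self._active_token: Dict[str, str] = {}      # username -> current token

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session token on success, None on failure or lockout."""
        if self.is_locked(username):
            return None  # a correct password is rejected too while locked
        expected = self._users.get(username)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            failures = self._failures.get(username, 0) + 1
            self._failures[username] = failures
            if failures >= MAX_FAILED_ATTEMPTS:
                self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            return None
        self._failures[username] = 0
        # session mutex: a new login invalidates the previous token for this user
        old_token = self._active_token.pop(username, None)
        if old_token is not None:
            self._sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        self._active_token[username] = token
        return token

    def session_user(self, token: str) -> Optional[str]:
        """Map a presented token to its user, or None if it has been invalidated."""
        return self._sessions.get(token)


# --- tester scenarios ----------------------------------------------------------

def run_lockout_scenario() -> Dict[str, bool]:
    now = [1_000.0]                                  # fake clock, advanced by hand
    svc = LoginService({"alice": "Correct-Horse-42!"}, clock=lambda: now[0])
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong-password")
    blocked = svc.login("alice", "Correct-Horse-42!") is None
    now[0] += LOCKOUT_SECONDS + 1
    recovered = svc.login("alice", "Correct-Horse-42!") is not None
    return {"locked_after_failures": blocked, "unlocked_after_timeout": recovered}


def run_mutex_scenario() -> Dict[str, bool]:
    svc = LoginService({"alice": "Correct-Horse-42!"})
    laptop = svc.login("alice", "Correct-Horse-42!")   # first device
    phone = svc.login("alice", "Correct-Horse-42!")    # same account, second device
    return {"first_session_invalidated": svc.session_user(laptop) is None,
            "second_session_valid": svc.session_user(phone) == "alice"}


if __name__ == "__main__":
    print(run_lockout_scenario())
    print(run_mutex_scenario())
```

Both scenarios return `True` for every key. In a real test plan the same two sequences are driven through the HTTP login endpoint, and the evidence is the second device's cookie working while the first device's cookie starts being redirected to the login page.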

C. Common Web Attacks

  • SQL Injection: Enter SQL injection strings in the username/password fields to verify that the system handles errors safely (no database error details are leaked) and that input cannot change the query or bypass authentication.

  • Cross-Site Scripting (XSS): Enter XSS scripts to verify that the system's behavior or page content is not tampered with, i.e. that user input is escaped wherever it is reflected back into the page.
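The vulnerable login query next to its parameterised form, as an added example that is not code from the original post, run against a constructed in-memory SQLite table. It also includes the two observations from the test plan (does a comment marker in the username bypass the password check, and does an ordinary apostrophe surface as a database error) and the output escaping that stops reflected markup from being interpreted. The table, the sample row and the function names are invented for illustration.

```python
# Added example (not from the original post): the login query written the
# vulnerable way and the parameterised way, run against a constructed SQLite
# table, plus output escaping for a reflected username. Table and rows are made up.
import html
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # constructed sample row; a real table holds a salted, slow password hash
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: string formatting lets user input change the structure of the query
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: placeholders pass input as data; the driver never parses it as SQL.
    # (Real code fetches the hash by username and verifies it with a password
    # hash function rather than comparing inside the query.)
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_welcome(username: str) -> str:
    # Escape before reflecting user input into HTML so markup in a name is shown
    # as text instead of being interpreted by the browser.
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


# --- checks from the test plan --------------------------------------------------

LoginFn = Callable[[sqlite3.Connection, str, str], bool]


def comment_input_bypasses_login(login: LoginFn) -> bool:
    """Does a username ending in an SQL comment marker log in without the password?"""
    return login(make_db(), "alice' --", "not-the-password")


def apostrophe_causes_db_error(login: LoginFn) -> bool:
    """Does an ordinary apostrophe (O'Brien) surface as a database error? A 500
    on such input is the classic sign that input is being spliced into SQL."""
    try:
        login(make_db(), "O'Brien", "irrelevant")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    for fn in (login_vulnerable, login_parameterised):
        print(fn.__name__, "bypass:", comment_input_bypasses_login(fn),
              "error on apostrophe:", apostrophe_causes_db_error(fn))
    print(render_welcome("<b>Bob</b>"))
```

The vulnerable function returns `True` for both checks and the parameterised one `False` for both, which is exactly the pair of results a tester records: the fix removes the bypass and also removes the error, because the apostrophe is now just a character in a value.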

Other details:

How Does Encryption Work During Transmission?

Encryption during transmission is handled primarily by HTTPS, which is HTTP running over TLS (Transport Layer Security). Here is the simplified process:

Step 1: The TLS Handshake
When your browser connects to a bank's server, they perform a "handshake" to agree on how to encrypt the data.

The server sends its digital certificate, which contains its public key.
The browser verifies the certificate's validity (trusted issuer, matching hostname, not expired).

Step 2: Key Exchange
The browser generates a temporary symmetric key and encrypts it using the server's public key; only the server can decrypt it using its private key. (This is the classic RSA key-transport picture. TLS 1.3, and most TLS 1.2 deployments, instead use an ephemeral Diffie-Hellman exchange in which both sides derive the same key without it ever being sent, which gives forward secrecy: a later compromise of the server's private key does not expose recorded sessions.)

Step 3: Encrypted Session
Now both the browser and the server hold the same secret session key. All data sent, including the username and password, is encrypted with this key. Even if an attacker intercepts the packets, they will only see what looks like random bytes.

*How to Verify Password Encryption in Transit?*
Use tools like Wireshark or Fiddler/Charles Proxy to verify this:

  1. Check the protocol: Ensure the login URL starts with https:// and the browser shows a padlock icon.

  2. Check with packet sniffing: Open Wireshark and capture traffic while logging in.
    Result: You should see only "TLSv1.2" or "TLSv1.3" packets for the login request. If Wireshark dissects the request as plain HTTP and the password appears in the POST data, the login is not being encrypted. (Fiddler and Charles work differently: they act as a TLS-intercepting proxy with their own root certificate installed in the browser, so they show the decrypted POST body even when TLS is working correctly; use them to inspect the request, not to prove encryption.)

  3. Check frontend hashing: Some high-security systems also hash the password on the client side (using JavaScript/TypeScript) before sending it, so even the "encrypted" transmission doesn't contain the raw password. This is a supplement, not a replacement: the client-side hash becomes the value an attacker needs, so it still has to travel over TLS and still has to be hashed again on the server.
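Steps 1 and 2 of this procedure, as an added Python pre-flight check that is not code from the original post: an offline check that the login URL is https:// with a real host, a check that a negotiated version is TLS 1.2 or 1.3, the "Post Data" test applied to bytes seen on the wire (a cleartext POST with a password field is flagged, a TLS record is not), and a network probe that opens a certificate-verified connection and reports what was negotiated. The hostname, the captured request and the TLS record bytes are constructed samples; only the network probe talks to a real server, and only when you pass a host on the command line.

```python
# Added example (not from the original post): a pre-flight check for the login
# URL and the negotiated TLS version, with the offline parts separated from the
# network probe. The sample captured bytes below are constructed, not real traffic.
import socket
import ssl
import sys
from typing import Dict
from urllib.parse import parse_qs, urlparse

ACCEPTED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def login_url_uses_https(url: str) -> bool:
    """Step 1: the login page must be served over https:// with a real host."""
    parsed = urlparse(url)
    return parsed.scheme.lower() == "https" and bool(parsed.hostname)


def tls_version_acceptable(version: str) -> bool:
    """Step 2: only TLS 1.2 and 1.3 count; SSLv3, TLS 1.0 and 1.1 are deprecated."""
    return version in ACCEPTED_TLS_VERSIONS


def cleartext_body_exposes_field(wire_bytes: bytes, field: str = "password") -> bool:
    """Step 2, the 'Post Data' test: if the bytes seen on the wire parse as an
    HTTP POST whose form body contains the field, the login is not encrypted.
    TLS records never split into an HTTP header/body pair, so they return False."""
    head, sep, body = wire_bytes.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return False
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return field in form


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Network probe (not exercised offline): open a verified TLS connection and
    report the negotiated protocol, cipher and certificate validity window."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version() or "unknown"
            return {
                "version": version,
                "version_ok": tls_version_acceptable(version),
                "cipher": tls.cipher()[0],
                "cert_not_before": cert["notBefore"],
                "cert_not_after": cert["notAfter"],
            }


# constructed samples of what a capture might show for the login request
CLEARTEXT_LOGIN = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   b"username=alice&password=hunter2")
TLS_RECORD_START = b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x03"   # handshake record header + fragment

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_tls(sys.argv[1]))
    else:
        print("usage: python tls_check.py <hostname>")
```

Run it as `python tls_check.py bank.example` (assumed filename and host) to see the negotiated version and certificate dates; a `version_ok` of `False`, or an `ssl.SSLCertVerificationError`, is a finding on its own. The probe uses `ssl.create_default_context()` deliberately, because a check that disables certificate verification would pass against an interception proxy and prove nothing.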
