The latest articles on DEV Community by Cecilia986 (@cecilia986). https://dev.to/cecilia986 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3839997%2Fb38cff1e-0113-4aeb-a078-621ce59d7f47.png https://dev.to/cecilia986 en Cecilia986 Mon, 23 Mar 2026 11:57:15 +0000 https://dev.to/cecilia986/security-testing-user-login-scenarios-2i4k https://dev.to/cecilia986/security-testing-user-login-scenarios-2i4k <p>*<em>Security Testing Overview *</em></p> <blockquote> <p>Security testing encompasses many areas and utilizes a variety of tools. **AppScan **is the most comprehensive, covering nearly all security vulnerabilities and providing detailed security audit reports.</p> </blockquote> <p><strong>User Login Security:</strong><br> A. Password Issues </p> <ul> <li>Verify if user passwords stored in the backend are encrypted .</li> <li>Verify if passwords are encrypted during network transmission(e.g., using HTTPS/TLS).</li> <li>Verify password expiration policies and ensure the system prompts users to change passwords upon expiry.</li> <li>Verify if the password input field supports copying and pasting (often disabled for higher security).</li> <li>Validate password complexity and strength.</li> </ul> <p>B. User Authentication &amp; Session Management </p> <ul> <li><p>Forced Browsing / Unauthorized Access: Verify if entering a post-login URL directly in the address bar redirects the user back to the login page.</p></li> <li><p>Sensitive Data in Source Code: Ensure that passwords entered in the input field are not visible in the page source code(View Source).</p></li> <li><p>Session Mutex / Concurrent Login: Verify if a user is kicked out (mutually exclusive) when logging in from another device or browser.</p></li> <li><p>Brute Force Protection: Verify if the system triggers a lockout or CAPTCHA after multiple failed login attempts to prevent brute force attacks.</p></li> </ul> <p>C. Common Web Attacks </p> <ul> <li><p>SQL Injection: Input SQL injection strings into the username/password fields to verify system error handling and data protection.</p></li> <li><p>Cross-Site Scripting (XSS): Input XSS scripts to verify if the system's behavior or page content is tampered with.</p></li> </ul> <p>Other details:</p> <p><strong>How Encryption Works During Transmission?</strong></p> <p>Encryption during transmission is handled primarily by HTTPS, which is HTTP running over TLS (Transport Layer Security). Here is the simplified process:</p> <p>Step 1: The TLS Handshake <br> When your browser connects to a bank's server, they perform a "handshake" to agree on how to encrypt the data.</p> <p>The server sends its Digital Certificate and Public Key <br> The browser verifies the certificate's validity.</p> <p>Step 2: Key Exchange <br> The browser generates a temporary Symmetric Key and encrypts it using the server's Public Key. Only the server can decrypt this using its Private Key.</p> <p>Step 3: Encrypted Session<br> Now, both the browser and the server have the same "secret key." All data sent, including the username and password, is encrypted using this key. Even if a hacker intercepts the data packet, they will only see "garbage" text.</p> <p>*<em>How to Verify password encryption? *</em><br> Use tools like Wireshark or Fiddler/Charles Proxy to verify this:</p> <ol> <li><p>Check the Protocol): Ensure the URL starts with https:// and the browser shows a padlock icon.</p></li> <li><p>Check Packet Sniffing: Open Wireshark. Capture traffic while logging in.<br> Result: You should see "TLSv1.2" or "TLSv1.3" packets. If you can see the password in the "Post Data" section, the encryption is failing.</p></li> <li><p>Check Frontend Hashing: Some high-security systems also hash the password on the client-side (using JavaScript/TypeScript) before sending it, so even the "encrypted" transmission doesn't contain the raw password.</p></li> </ol> cybersecurity security testing tutorial